North Korean hackers target Mac users with devious new malware
Sead Fadilpašić
3 July 2025
Crypto hackers have started using Nim for their malware
By using Nim, miscreants are able to bypass traditional AV measures
They approach their victims on Telegram and invite them to a Zoom meeting
The malware steals sensitive data and crypto tokens
North Koreans are targeting Mac users with brand new malware in an attempt to steal cryptocurrency and other sensitive data, experts have warned.
Security researchers from SentinelLabs discovered NimDoor, a unique backdoor written in a lesser-known programming language called Nim. They attributed it to North Korean state-sponsored adversaries engaged primarily in cryptocurrency theft, the proceeds of which are used to fund both the state apparatus and its weapons program.
Nim is used, first and foremost, to evade detection. The backdoor also uses AppleScript for beaconing and asynchronous sleep timers, tricking traditional security measures and maintaining persistence.
Alarming evolution
The attack usually starts on Telegram, where victims are approached by a seemingly trusted contact and invited to a fake Zoom meeting.
The link redirects the victim to a spoofed Zoom page that prompts them to install an update in order to participate in the call. Instead of the update, the victims receive the malicious payload, which steals all sorts of sensitive data, from browsing history, search activity, cookies and Telegram data to Keychain passwords.
“This represents an alarming evolution in North Korean cyber capabilities, particularly because it specifically exploits the growing remote-working trend and Mac users’ perceived lower vulnerability to such attacks,” the researchers explained.
North Korean state-sponsored threat actors are known for their campaigns targeting cryptocurrency and Web3 companies. Among the biggest and most dangerous groups is Lazarus, a threat actor that netted more than $3.4 billion in different attacks between 2021 and 2025.
Among the biggest heists is the ByBit attack that happened in February 2025, when they stole approximately $1.5 billion in different tokens. Ronin Bridge was compromised in March 2022 for $600 million, while Poly Network lost roughly the same amount of money the year prior.
Sead Fadilpašić
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
TechRadar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site.