North Korea-aligned hackers have launched a new wave of attacks against Web3 and cryptocurrency firms using a macOS malware strain called NimDoor, according to a July 2, 2025 report by SentinelLabs.

Written by researchers Phil Stokes and Raffaele Sabato, the report details how the attackers use the Nim programming language and AppleScript to evade detection, steal sensitive data, and maintain long-term access to compromised systems through encrypted communications and disguised components.

The operation begins with social engineering tactics—often impersonating trusted contacts on Telegram to send malicious Zoom update scripts. These scripts, buried under thousands of lines of obfuscated code, download and install multiple payloads from attacker-controlled sites. Once embedded, the malware injects itself into legitimate processes, enabling it to harvest Keychain data, browser histories, Telegram chats, and shell logs—all without raising alarms.

The attackers' tactics show growing sophistication. Choosing a lesser-used language such as Nim makes reverse engineering harder, and small tricks such as naming a component "GoogIe LLC" (with a capital 'I' standing in for the lowercase 'l') help the malware hide in plain sight among legitimately named software. SentinelLabs warns that as these campaigns evolve, defenders must keep their detection strategies current to counter what it calls "inevitable attacks" on the crypto and Web3 sector.
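The "GoogIe LLC" trick is a homoglyph substitution: the name looks identical to a trusted vendor's but differs byte-for-byte, so an exact-match allowlist passes it. The following is an added example (not code from SentinelLabs or from the report) of the kind of check a defender can run over signer names, bundle vendor strings or LaunchAgent labels: each name is reduced to a "skeleton" in which confusable glyphs collapse, then compared against known vendors. The confusables table, the vendor list and the sample names are constructed for the example and are assumptions, not data from the report.

```python
import unicodedata

# Constructed, deliberately small confusables table (assumption for this
# example); a production check would use the Unicode confusables list (UTS #39).
CONFUSABLES = {
    "rn": "m",  # two glyphs that read as one
    "vv": "w",
    "I": "l",   # capital I for lowercase l, as in "GoogIe LLC"
    "1": "l",
    "|": "l",
    "0": "o",
    "O": "o",
    "5": "s",
    "$": "s",
    "\u0410": "a",  # Cyrillic A
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic r
    "\u0441": "c",  # Cyrillic c
}

# Constructed allowlist of vendor strings we expect to see (assumption).
KNOWN_VENDORS = [
    "Google LLC",
    "Apple Inc.",
    "Zoom Video Communications, Inc.",
]


def skeleton(name: str) -> str:
    """Collapse a name to a lower-case form in which confusable glyphs are merged.

    Multi-character confusables ("rn" -> "m") are applied before single ones so
    that, e.g., "Cornmunications" and "Communications" end up identical.
    """
    s = unicodedata.normalize("NFKC", name)
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s.lower()


def classify(name: str):
    """Return (verdict, vendor): 'exact' for a byte-identical vendor string,
    'lookalike' when only the skeletons match, 'unknown' otherwise."""
    for vendor in KNOWN_VENDORS:
        if name == vendor:
            return "exact", vendor
    sk = skeleton(name)
    for vendor in KNOWN_VENDORS:
        if sk == skeleton(vendor):
            return "lookalike", vendor
    return "unknown", None


def scan(names):
    """Return the (name, impersonated_vendor) pairs that are lookalikes."""
    hits = []
    for n in names:
        verdict, vendor = classify(n)
        if verdict == "lookalike":
            hits.append((n, vendor))
    return hits


# Constructed sample of signer / vendor strings as they might appear in
# codesign output or launchd plists (assumption, not data from the report).
SAMPLE_NAMES = [
    "Google LLC",                         # genuine
    "GoogIe LLC",                         # capital I for l, the trick in the article
    "Apple lnc.",                         # lowercase l for I
    "Zoom Video Cornmunications, Inc.",   # "rn" for "m"
    "com.example.updater",                # unrelated label
]

if __name__ == "__main__":
    for name, vendor in scan(SAMPLE_NAMES):
        print(f"LOOKALIKE: {name!r} impersonates {vendor!r}")
```

On a live host the same check can be fed the `Authority=` lines from `codesign -dv --verbose=4 <path>` or the `Label` values of files under `~/Library/LaunchAgents`; anything that is a lookalike rather than an exact match deserves a closer look, since a legitimate vendor string has no reason to differ by a single confusable glyph.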
