New Threats: North Korean Hackers Target macOS Users
Researchers at SentinelLabs have identified a recent cyberattack carried out by North Korean hackers targeting macOS users to steal cryptocurrency and confidential information, as reported by TechRadar.
They discovered a backdoor called NimDoor, written in the relatively obscure programming language Nim, a choice that helps it evade detection by traditional antivirus software. Once installed, NimDoor uses AppleScript for beaconing together with asynchronous sleep timers, which let the malware keep its foothold on the system and slip past security controls. In cybersecurity, "beaconing" refers to a technique by which malware periodically connects to a command and control (C2) server to report its status, receive instructions or send data.
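A defender-side illustration of the beaconing behaviour described above, added here as an example that is not taken from SentinelLabs' report: it groups outbound connections per process and destination and flags flows whose intervals are suspiciously regular, as a sleep-timer beacon would produce. The log format, the `osascript` process name (the macOS AppleScript interpreter) and the RFC 5737 addresses are constructed for the example, not indicators from the report.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound-connection log: "epoch_seconds process destination".
# Processes, timing and addresses are made up; they are not report indicators.
SAMPLE_LOG = """\
1700000000 osascript 203.0.113.10:443
1700000061 osascript 203.0.113.10:443
1700000119 osascript 203.0.113.10:443
1700000180 osascript 203.0.113.10:443
1700000242 osascript 203.0.113.10:443
1700000299 osascript 203.0.113.10:443
1700000005 Safari 198.51.100.7:443
1700000009 Safari 198.51.100.7:443
1700000130 Safari 198.51.100.7:443
1700000131 Safari 198.51.100.7:443
1700000290 Safari 198.51.100.7:443
1700000291 Safari 198.51.100.7:443
"""

def parse_log(text):
    """Group connection timestamps by (process, destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, proc, dst = line.split()
            flows[(proc, dst)].append(int(ts))
    return flows

def interval_stats(timestamps):
    """Mean gap between consecutive connections and its coefficient of variation."""
    # A sleep-timer beacon gives near-equal gaps (low CV) even with some jitter;
    # interactive traffic such as browsing is bursty and scores a high CV.
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else 0.0)

def find_beacons(text, min_events=4, max_cv=0.2):
    """Return (process, destination, mean_gap, cv) for regular outbound flows."""
    suspects = []
    for (proc, dst), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        avg, cv = interval_stats(times)
        if cv <= max_cv:
            suspects.append((proc, dst, round(avg, 1), round(cv, 3)))
    return suspects
```

Running `find_beacons(SAMPLE_LOG)` flags only the `osascript` flow (roughly 60-second gaps, CV near 0.03); the Safari flow, with a CV above 1, is ignored. Real beacons vary the threshold with a longer observation window and jitter tolerance.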
The attack typically starts in Telegram, where victims receive a message from a fictitious trusted contact inviting them to a Zoom meeting. Clicking the link opens a counterfeit Zoom page that prompts the user to install an "update" to join the call. Instead, the malicious NimDoor code is downloaded, which steals various data:
- Browser history and search queries;
- Cookies and chats in Telegram;
- Passwords from the macOS Keychain.
"This is concerning in terms of the development of North Korean cyber capabilities, especially given the exploitation of the remote work trend and the false sense of security among Mac users," noted SentinelLabs.
North Korean state-sponsored hacker groups, notably the Lazarus Group, have previously stolen cryptocurrency to fund their programs. From 2021 to early 2025, they managed to steal over $3.4 billion, including:
- The attack on ByBit exchange in February 2025: approximately $1.5 billion in tokens;
- The hack of Ronin Bridge in March 2022: around $600 million;
- The attack on Poly Network in 2021: about $600 million.
Experts advise all macOS users to exercise caution: do not click on suspicious links, even if they appear to come from acquaintances, and only install updates through official channels, not through browser pop-ups.