New Cyber Threat Targeting macOS Users
Researchers from SentinelLabs have identified a new cyber attack linked to North Korean hackers, targeting macOS users to steal cryptocurrency and other sensitive information, as reported by TechRadar.
They have discovered a backdoor named NimDoor, written in the relatively rare programming language Nim, which helps evade detection by traditional antivirus software. Once installed, NimDoor uses AppleScript for beaconing and asynchronous sleep timers, allowing the malware to maintain a presence on the system and bypass security measures. It's important to note that the term "beaconing" in cybersecurity refers to a technique where malware periodically connects to a command and control (C2) server to report its presence and receive instructions or exfiltrate data.
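The periodic check-in described above is also what makes beaconing detectable: connections that recur to the same destination at near-constant intervals stand out from ordinary user traffic. The following is an added example, not code from SentinelLabs or from the article, showing a minimal beacon-interval detector run over constructed connection log lines. The log format, host name, process label (`osascript`, the macOS AppleScript runner, chosen only because the article says the malware beacons via AppleScript) and destination addresses (RFC 5737 documentation ranges) are all assumptions made up for the demo.

```python
"""Beacon-interval detection over outbound connection logs (added example).

Flags (host, process, destination) triples whose connections recur with
low timing jitter, which is the signature of a malware beacon. Sample
data below is constructed; addresses are documentation ranges, not real
infrastructure.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample log: one process beaconing roughly every 60 s with
# small jitter, interleaved with ordinary browser traffic.
# Format per line: <ISO-8601 UTC time> <host> <process> <dst ip:port>
SAMPLE_LOG = """\
2025-07-01T10:00:00Z mac-01 osascript 203.0.113.7:443
2025-07-01T10:00:12Z mac-01 Safari 198.51.100.20:443
2025-07-01T10:01:01Z mac-01 osascript 203.0.113.7:443
2025-07-01T10:01:30Z mac-01 Safari 198.51.100.21:443
2025-07-01T10:01:59Z mac-01 osascript 203.0.113.7:443
2025-07-01T10:02:45Z mac-01 Safari 198.51.100.20:443
2025-07-01T10:03:02Z mac-01 osascript 203.0.113.7:443
2025-07-01T10:03:58Z mac-01 osascript 203.0.113.7:443
2025-07-01T10:05:00Z mac-01 osascript 203.0.113.7:443
2025-07-01T10:07:10Z mac-01 Safari 198.51.100.22:443
"""


def parse_log(log_text):
    """Group connection timestamps by (host, process, destination).

    Malformed lines are skipped rather than aborting the whole run, since
    real logs usually contain some noise.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts_text, host, proc, dst = parts
        try:
            ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        groups[(host, proc, dst)].append(ts.replace(tzinfo=timezone.utc))
    return groups


def find_beacons(log_text, min_connections=4, max_jitter=0.2):
    """Return candidate beacons sorted by jitter (most regular first).

    A group qualifies when it has at least `min_connections` connections
    and the coefficient of variation of its inter-connection intervals
    (population stdev / mean) is at most `max_jitter`. Tune both for the
    environment: too loose flags pollers, too tight misses sleep timers
    that deliberately add randomness.
    """
    findings = []
    for (host, proc, dst), stamps in parse_log(log_text).items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [
            (b - a).total_seconds() for a, b in zip(stamps, stamps[1:])
        ]
        avg = mean(intervals)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            findings.append({
                "host": host,
                "process": proc,
                "dst": dst,
                "connections": len(stamps),
                "mean_interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    findings.sort(key=lambda f: f["jitter"])
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['host']} {f['process']} -> {f['dst']}: "
              f"{f['connections']} connections, ~{f['mean_interval_s']}s apart, "
              f"jitter {f['jitter']}")
```

On the sample data only the `osascript` traffic to `203.0.113.7:443` is reported (about 60 s apart, jitter well under 5%); the browser connections never reach the minimum count or a stable interval. In practice this check runs over endpoint or firewall connection logs and is one signal among several: a legitimate updater also polls on a schedule, so a hit is a lead for triage (what binary, what destination, was it installed through an official channel), not a verdict.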
The attack typically begins in Telegram: victims receive a message from a fictitious trusted contact inviting them to a Zoom meeting. Clicking the link opens a fake Zoom page requesting the installation of an "update" to join the call. Instead, the malicious NimDoor code is downloaded, which steals various types of data:
- Browser history and search queries;
- Cookies and Telegram chats;
- Passwords from the macOS Keychain.
"This is concerning regarding the evolution of North Korean cyber capabilities, especially with the rise of remote work and the false sense of security among Mac users," noted SentinelLabs.
North Korean state-sponsored hacker groups, notably the Lazarus Group, have previously stolen cryptocurrency to fund their programs. From 2021 to early 2025, they stole over $3.4 billion, including:
- ByBit exchange attack in February 2025: around $1.5 billion in tokens;
- Ronin Bridge hack in March 2022: about $600 million;
- Poly Network attack in 2021: approximately $600 million.
Experts advise all macOS users to be cautious: do not open suspicious links, even if they come from acquaintances, and install updates only through official channels, not from browser pop-ups.