
North Korean Threat Group Targets Crypto Firms with NimDoor

The North Korean threat actor group uses advanced obfuscation techniques, making the malware difficult to detect.
Abigail Michelle
Last updated: 4 July 2025 @ 08:51 UTC

Crypto and Web3 firms should be on high alert and exercise extreme caution, as a recent report has revealed a rare and sophisticated cyberattack targeting them. The attack was attributed to a notorious threat actor group from the Democratic People’s Republic of Korea (DPRK), or North Korea.

According to research published by cybersecurity company SentinelOne, the attack was initially detected in April 2025 and targets individuals in the Web3 and cryptocurrency sectors who use Apple devices.

Explaining the malware, which the research dubbed “NimDoor” due to its functionality and development traits, SentinelOne stated:

“Analysis revealed an attack chain consisting of an eclectic mix of scripts and binaries written in AppleScript, C++, and Nim.”

How the Attack Works

The initial stage of the attack process begins on Telegram. Using social engineering, the attackers impersonate trusted contacts and invite unsuspecting victims to fake Zoom meetings through Calendly scheduling pages.

The targets then receive an email with a Zoom meeting link and follow the instructions to run a malicious “Zoom SDK update script,” which downloads an AppleScript file that retrieves and executes a second-stage script from a command-and-control server.

The script initiates the main attack by downloading two Mach-O binaries that operate independently. The first, written in C++, runs Bash scripts that collect data such as system information, browser history, and Telegram chats. The second, compiled from Nim, keeps the malware on the device: it installs SIGINT/SIGTERM signal handlers so that it can return even after it is terminated or removed.
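The persistence trick described above rests on an ordinary Unix property: a process may install handlers for SIGINT and SIGTERM, but never for SIGKILL or SIGSTOP. The following Python script is an added demonstration written for this article (it is not NimDoor code and not from the SentinelOne report) that installs handlers the way the description implies, shows that a "polite" SIGTERM reaches the handler instead of ending the process, and checks which signals a responder can rely on. All function names are constructed for the example.

```python
import os
import signal
import time

# Constructed demonstration, not NimDoor or SentinelOne code: shows why a
# process that installs SIGINT/SIGTERM handlers survives a polite "kill",
# and which signals a responder can rely on instead.

caught = []  # signals that reached our handler instead of ending the process


def _trap(signum, frame):
    # A trappable signal lands here instead of terminating the process. This
    # is the window in which persistence-oriented malware re-launches itself.
    caught.append(signum)


def install_traps():
    """Install handlers for the two signals the report says NimDoor traps."""
    signal.signal(signal.SIGINT, _trap)
    signal.signal(signal.SIGTERM, _trap)


def signal_was_trapped(name, timeout=2.0):
    """Send the named signal to this process and report whether our handler
    (rather than the default action) received it. Only call this with the
    signals install_traps() covers; any other signal would end the process."""
    signum = getattr(signal, name)
    install_traps()
    caught.clear()
    os.kill(os.getpid(), signum)
    deadline = time.monotonic() + timeout
    while signum not in caught and time.monotonic() < deadline:
        time.sleep(0.01)  # give the Python-level handler a chance to run
    return signum in caught


def can_be_trapped(name):
    """True if a userland process can install a handler for the named signal.
    SIGKILL and SIGSTOP always return False: the kernel refuses the handler."""
    signum = getattr(signal, name)
    try:
        previous = signal.signal(signum, _trap)
    except (OSError, ValueError):
        return False
    if previous is not None:
        signal.signal(signum, previous)  # restore whatever was there before
    return True


if __name__ == "__main__":
    for name in ("SIGINT", "SIGTERM", "SIGKILL", "SIGSTOP"):
        print(f"{name}: trappable={can_be_trapped(name)}")
    print("SIGTERM reached our handler:", signal_was_trapped("SIGTERM"))
```

The practical takeaway for incident responders is that a default `kill` or Ctrl-C (SIGTERM/SIGINT) hands control to the malware's own handler, which is exactly when it re-establishes itself; terminate suspected processes with SIGKILL (`kill -9`), which cannot be caught, and remove the on-disk persistence artifacts before the process is given any chance to respawn.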

What makes this attack particularly effective is the pairing of that social engineering with advanced obfuscation: the embedded binaries are stored encrypted and decrypted at runtime using AES and XOR operations, which makes detection and blocking more challenging.

North Korean Groups Persist in Crypto Attacks

North Korean threat actors continue to terrorize the cryptocurrency industry, with the recent SentinelOne report revealing their evolving tactics and techniques. These groups have been linked to several high-profile crypto breaches and exploits, resulting in significant losses for affected organizations.

For instance, authorities linked the North Korean Lazarus Group to the Upbit hack in 2019, which resulted in the South Korean exchange losing approximately 342,000 ETH. In April, the same cybercrime group lured crypto developers into downloading malware by creating fake U.S. companies.
