
North Korean Hackers Target Crypto Firms with macOS Malware Disguised as Zoom Updates


Cybersecurity researchers at SentinelOne have uncovered a sophisticated campaign by North Korean threat actors targeting employees at web3 and cryptocurrency organizations. The attackers are distributing macOS malware compiled in the Nim programming language, masquerading as Zoom software updates.

This campaign is attributed to BlueNoroff, a subgroup of the North Korean Lazarus APT group, known for financially motivated cyberattacks.

Attack Methodology

The infection chain begins with social engineering:

  1. The attacker impersonates a trusted contact of the victim and initiates communication via Telegram.

  2. They invite the victim to schedule a meeting using Calendly, a legitimate scheduling platform.

  3. The victim then receives a Zoom meeting invitation by email that delivers a malicious script disguised as a Zoom SDK update, which the victim is expected to run before the call.

Running this script triggers a multi-stage deployment of custom Nim-compiled binaries that SentinelOne tracks as NimDoor.

Malware Techniques and Capabilities

The campaign combines several techniques that are still unusual in macOS malware:

  • Nim-based binaries: Nim is a statically typed, compiled language with Python-like syntax that compiles to C. Its compile-time execution and the way the Nim runtime is interleaved with the author's own code produce binaries whose layout and control flow are unfamiliar to analysts and to signatures tuned for the C, Objective-C and Swift malware usually seen on macOS.

  • Encrypted configuration handling: configuration data is stored encrypted and decrypted only at runtime, so static scanners and string-based detections do not see the settings they would otherwise key on.

  • Asynchronous execution: using Nim's native async support, the malware runs tasks such as command handling and communication concurrently without one blocking another.

  • Signal-based persistence: the Nim components install handlers for SIGINT and SIGTERM. When a user or security tool tries to terminate them, the handler reinstalls the persistence mechanism (the LaunchAgent and fresh copies of the payload) instead of letting the process die, so a plain kill does not remove the infection.
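To make the signal-handling trick concrete, here is a benign Python demonstration written for this article; it is not code from SentinelOne's report or from NimDoor, and the LaunchAgent label, program path and plist location it uses are hypothetical. The process registers handlers for SIGINT and SIGTERM that rewrite its LaunchAgent and then simply return, so the termination request is absorbed and the process keeps running:

```python
"""
Benign demonstration of "signal-based persistence": a process that treats
SIGINT/SIGTERM as a cue to rewrite its launchd LaunchAgent instead of exiting.
Added example for illustration; it is not code from SentinelOne's report or
from NimDoor. The label, program path and plist location are hypothetical.
"""
import os
import plistlib
import signal
import tempfile
from pathlib import Path

AGENT_LABEL = "com.example.updater"                   # hypothetical label
AGENT_PROGRAM = "/Users/victim/Library/Updater/agent"  # hypothetical path

_reinstalls = 0  # how many termination attempts the handler has absorbed


def demo_plist_path() -> Path:
    """Fresh temp location standing in for ~/Library/LaunchAgents/<label>.plist."""
    return Path(tempfile.mkdtemp()) / "LaunchAgents" / f"{AGENT_LABEL}.plist"


def write_launch_agent(plist_path: Path) -> dict:
    """Write a LaunchAgent that starts AGENT_PROGRAM at login and restarts it if it dies."""
    agent = {
        "Label": AGENT_LABEL,
        "ProgramArguments": [AGENT_PROGRAM],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    plist_path.parent.mkdir(parents=True, exist_ok=True)
    with open(plist_path, "wb") as fh:
        plistlib.dump(agent, fh)
    return agent


def read_launch_agent(plist_path: Path) -> dict:
    with open(plist_path, "rb") as fh:
        return plistlib.load(fh)


def install_resilient_handlers(plist_path: Path) -> dict:
    """Make SIGINT and SIGTERM reinstall persistence instead of ending the process.
    Because the handler returns normally, the signal is absorbed and the process
    lives on. Returns the previous handlers so the caller can restore them."""
    def on_terminate(signum, frame):
        global _reinstalls
        _reinstalls += 1
        write_launch_agent(plist_path)
        # A real implant would also re-drop its binaries here before carrying on.

    previous = {s: signal.getsignal(s) for s in (signal.SIGINT, signal.SIGTERM)}
    signal.signal(signal.SIGINT, on_terminate)
    signal.signal(signal.SIGTERM, on_terminate)
    return previous


def simulate_kill(plist_path: Path) -> bool:
    """Install the handlers, delete any existing plist, send ourselves SIGTERM
    (whose default action would end the process) and report whether we survived
    with the plist recreated. The original handlers are restored afterwards."""
    global _reinstalls
    _reinstalls = 0
    plist_path.unlink(missing_ok=True)
    previous = install_resilient_handlers(plist_path)
    try:
        os.kill(os.getpid(), signal.SIGTERM)
        # Reaching this line means the handler ran instead of the default action.
        return plist_path.exists() and _reinstalls == 1
    finally:
        for signum, handler in previous.items():
            signal.signal(signum, handler)


if __name__ == "__main__":
    target = demo_plist_path()
    print("survived SIGTERM and reinstalled LaunchAgent:", simulate_kill(target))
    print(read_launch_agent(target))
```

Run it and the process survives its own SIGTERM with the plist rewritten. Two practical consequences for responders: SIGKILL (kill -9) cannot be caught, so it still works against such a handler, but with RunAtLoad and KeepAlive set launchd will start the program again, so unload the agent first (launchctl bootout gui/$(id -u)/<label> on current macOS), delete the plist and the program it points to, and only then kill the running process.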

Two separate Mach-O binaries are used:

  • A C++ binary executes bash scripts for exfiltrating sensitive data (e.g., Keychain, browser history, and Telegram data).

  • A Nim binary sets up long-term persistence and deploys two further Nim executables:

    • GoogIe LLC (spelled with a capital “I” in place of the lowercase “l” so that it passes for “Google”), which collects environment information and writes the configuration consumed by the next stage.

    • CoreKitAgent, the main event-driven payload, whose event loop is built on the kernel's kqueue notification mechanism rather than a conventional polling loop.
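As an added, defensive counterpart (not SentinelOne's tooling and not part of the original article), the following Python script audits a LaunchAgents directory for the traits described above: labels spoofing a vendor with lookalike characters such as the capital I in “GoogIe”, programs launched from hidden or temporary directories, and the RunAtLoad plus KeepAlive combination that relaunches a killed process. The sample plists it creates are constructed for the demo; their labels and paths are hypothetical, not indicators from the campaign.

```python
"""
LaunchAgent audit for the traits described in the article: vendor-lookalike
labels using homoglyphs (a capital "I" standing in for "l", as in "GoogIe"),
agents that launch programs from hidden or temporary directories, and agents
set to run at login and be kept alive. Added example; not SentinelOne's or
NimDoor's code. The sample plists are constructed for the demo and their
labels and paths are hypothetical.
"""
import plistlib
import re
import tempfile
from pathlib import Path

# A capital I wedged between lowercase letters is how "GoogIe" imitates "Google".
HOMOGLYPH_I = re.compile(r"[a-z]I[a-z]")
SUSPECT_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def label_looks_spoofed(label: str) -> bool:
    """True for labels with a capital I inside a word, or any non-ASCII character."""
    return bool(HOMOGLYPH_I.search(label)) or not label.isascii()


def program_path_suspect(program: str) -> bool:
    """True when the program lives in a hidden directory or a temp/shared location."""
    parts = Path(program).parts
    hidden = any(p.startswith(".") for p in parts[1:])  # parts[0] is "/"
    return hidden or program.startswith(SUSPECT_DIRS)


def audit_plist(path: Path) -> list[str]:
    """Return a list of human-readable findings for one LaunchAgent plist."""
    with open(path, "rb") as fh:
        agent = plistlib.load(fh)
    findings = []
    label = agent.get("Label", "")
    if label_looks_spoofed(label):
        findings.append(f"label '{label}' uses lookalike characters")
    args = agent.get("ProgramArguments") or [agent.get("Program", "")]
    program = args[0] if args else ""
    if program_path_suspect(program):
        findings.append(f"program '{program}' runs from a hidden or temporary directory")
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: relaunched at login and whenever killed")
    return findings


def audit_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Return {plist filename: findings} for every plist with at least one finding."""
    report = {}
    for plist in sorted(directory.glob("*.plist")):
        findings = audit_plist(plist)
        if findings:
            report[plist.name] = findings
    return report


def build_sample_launch_agents() -> Path:
    """Write constructed sample plists (hypothetical, not real IOCs) to a temp dir."""
    d = Path(tempfile.mkdtemp()) / "LaunchAgents"
    d.mkdir()
    samples = {
        "com.example.vendor.updater.plist": {   # ordinary vendor updater
            "Label": "com.example.vendor.updater",
            "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/updater", "--check"],
            "RunAtLoad": True,
        },
        "com.GoogIe.update.plist": {            # lookalike label, hidden dir, kept alive
            "Label": "com.GoogIe.update",
            "ProgramArguments": ["/Users/victim/Library/.hidden/agent"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
        "com.example.temp.plist": {             # stage running out of /private/tmp
            "Label": "com.example.temp",
            "Program": "/private/tmp/stage2",
        },
    }
    for name, content in samples.items():
        with open(d / name, "wb") as fh:
            plistlib.dump(content, fh)
    return d


if __name__ == "__main__":
    for name, findings in audit_launch_agents(build_sample_launch_agents()).items():
        print(name)
        for finding in findings:
            print("   -", finding)
```

Point audit_launch_agents at ~/Library/LaunchAgents and /Library/LaunchAgents (and, with root, the LaunchDaemons directories) and compare the results with launchctl list. The heuristics are deliberately coarse: some legitimate software does run from hidden directories, so treat hits as triage leads to confirm with codesign and a look at the program itself, not as verdicts.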

Why It Matters

This campaign illustrates an evolution in macOS malware techniques, particularly with the growing use of unconventional programming languages like Nim, which can complicate static analysis and detection. The use of legitimate platforms like Calendly and Zoom for initial delivery also underscores the effectiveness of social engineering in modern cyberattacks.

How to Protect Yourself

  • Avoid running unsolicited scripts, even from seemingly trusted sources.

  • Verify Zoom or other software updates through the vendor's official channels. Zoom updates itself from within the application; it does not distribute updates as scripts sent by a meeting organizer, so an invitation that asks you to run one is a red flag.

  • Use endpoint protection that covers macOS, and monitor the creation of LaunchAgents and LaunchDaemons, the persistence mechanism this family depends on.

  • Educate employees about phishing and impersonation tactics.

As cyber threats targeting the crypto sector continue to evolve, organizations must remain vigilant against both technical and social vectors of attack.