North Korean hackers are attacking Mac users via Telegram to steal cryptocurrency
Researchers from SentinelLabs have discovered a new cyberattack carried out by North Korea-linked hackers targeting macOS users to steal cryptocurrency and other sensitive information, TechRadar reports.
They identified a backdoor called NimDoor, written in the relatively rare Nim programming language, which helps it evade detection by traditional antivirus software. Once installed, NimDoor uses AppleScript for beaconing and asynchronous sleep timers, which let the malware persist on the system and bypass security measures. It is worth noting that in cybersecurity the term beaconing refers to a technique by which malware periodically, often at regular intervals, communicates with a command and control (C2) server to report its presence and receive instructions or transmit data.
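As an added illustration that is not from the SentinelLabs report or the TechRadar article, here is a simple defender-side check for the beaconing pattern just described: it reads constructed outbound-connection log lines and flags host/destination pairs whose call-home intervals are nearly constant. The host names, IP addresses and timestamps are made up for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log: "timestamp host destination" (not from any real incident).
SAMPLE_LOG = """\
2025-07-01T10:00:00 mac-01 203.0.113.10
2025-07-01T10:00:30 mac-01 203.0.113.10
2025-07-01T10:01:00 mac-01 203.0.113.10
2025-07-01T10:01:31 mac-01 203.0.113.10
2025-07-01T10:02:00 mac-01 203.0.113.10
2025-07-01T10:02:30 mac-01 203.0.113.10
2025-07-01T10:00:05 mac-02 198.51.100.7
2025-07-01T10:03:40 mac-02 198.51.100.7
2025-07-01T10:04:02 mac-02 198.51.100.7
2025-07-01T10:12:50 mac-02 198.51.100.7
"""

def parse_log(text):
    """Group connection timestamps by (host, destination) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        conns[(host, dest)].append(datetime.fromisoformat(ts))
    return conns

def find_beacons(text, min_events=5, max_jitter_ratio=0.1):
    """Return (host, dest, mean_interval_seconds) for pairs whose inter-connection
    gaps are almost constant, the timing signature of a periodic C2 beacon."""
    hits = []
    for (host, dest), stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue  # too few events to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        # Coefficient of variation: small spread relative to the mean means regular timing.
        if statistics.pstdev(gaps) / mean <= max_jitter_ratio:
            hits.append((host, dest, round(mean, 1)))
    return hits

if __name__ == "__main__":
    for host, dest, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {host} -> {dest} every ~{interval}s")
```

The asynchronous sleep timers mentioned above are a reminder that real implants add jitter to their schedule, so the jitter ratio and minimum event count are tuning knobs for your own traffic baseline rather than fixed values.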
The attack usually starts in Telegram: victims receive a message from a supposedly trusted contact inviting them to a Zoom meeting. Clicking on the link opens a fake Zoom page asking them to install an "update" to join the call. Instead, the NimDoor malware is downloaded, which steals a variety of data:
- Browser history and search queries;
- Cookies and chats in Telegram;
- Passwords from macOS Keychain.
"This represents an alarming evolution in North Korean cyber capabilities, particularly because it specifically exploits the growing remote-working trend and Mac users' perceived lower vulnerability to such attacks," SentinelLabs noted.
North Korean state-run hacking groups, including the notorious Lazarus Group, have previously stolen cryptocurrency to fund their programs. From 2021 to early 2025, they stole over $3.4 billion, including:
- Attack on the ByBit exchange in February 2025: about $1.5 billion in tokens;
- Ronin Bridge hack in March 2022: about $600 million;
- Poly Network attack in 2021: about $600 million.
Experts advise all macOS users to be careful: do not open suspicious links, even if they come from acquaintances, and install updates only through official channels, not from browser pop-ups.