{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"Daily Security Review","title":"macOS Under Siege: NimDoor Malware Targets Telegram, Wallets, and Keychains","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/a61a664d\"></iframe>","width":"100%","height":180,"duration":2589,"description":"A new, highly advanced malware strain—NimDoor—has emerged as the latest cyber weapon in the arsenal of North Korean state-sponsored hackers, specifically targeting macOS systems used by cryptocurrency and Web3 organizations. This episode explores the complex tactics and alarming capabilities of NimDoor, a malware family showcasing a blend of C++ and Nim programming, stealthy persistence mechanisms, and an intense focus on stealing digital assets. First identified in early 2025, NimDoor marks a significant evolution in North Korean cyber operations. Delivered through social engineering on Telegram, the attack chain begins with a deceptive fake Zoom SDK update. Once executed, the malware installs multiple payloads—including GoogIe LLC and CoreKitAgent—designed to establish persistence, exfiltrate data, and communicate with command-and-control servers using TLS-encrypted WebSocket connections and layered RC4 encryption. This episode covers: Anatomy of the NimDoor Infection Chain: How Telegram lures and fake SDKs lead to multi-stage infections on macOS. Advanced Persistence via Signals: A rare signal-based persistence mechanism enables NimDoor to reinstall itself if terminated—an unusually resilient feature for macOS malware. Targeted Data Theft: NimDoor steals sensitive browser data, cryptocurrency wallet credentials, Telegram's encrypted databases, macOS Keychain items, and even command histories. Why Nim Matters: The use of Nim, a lesser-known and rarely detected language in malware development, allows attackers to evade traditional antivirus and EDR solutions while enabling sophisticated binary construction. North Korea’s Cyber Objectives: The Lazarus Group and its affiliated APTs are not just stealing information—they are funneling stolen cryptocurrency to fund the North Korean regime, bypassing sanctions. macOS as a Target: This attack busts the myth of Apple’s invincibility, illustrating how macOS is now firmly in the crosshairs of nation-state threat actors. Modular...","thumbnail_url":"https://img.transistorcdn.com/pL79_MJFeJHamQ_ztImsGmDSMdl27VMk_30TAkieujE/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS8yNzg5/ZjlhNzM5Y2M4Njli/NjkxNzgyODA2Nzhi/MDI2ZC5wbmc.webp","thumbnail_width":300,"thumbnail_height":300}