North Korea-linked threat actors are spreading macOS NimDoor malware disguised as fake Zoom updates to target Web3 and crypto firms.
Victims are lured into installing the backdoor through phishing links sent via Calendly or Telegram; once installed, the malware steals data such as browser history and Keychain credentials.
The malware, written in Nim, uses encrypted communications, persists on infected systems, can reinfect itself, and combines process injection with WebSocket command-and-control (C2) channels for data exfiltration.
The attackers combine AppleScript, C++, and Nim in NimDoor; attacks begin with fake Zoom invites, and two Mach-O binaries are dropped to provide persistence and carry out data theft.
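Because the report stresses persistence and a Zoom-updater disguise, the check a macOS defender most wants is a quick triage of launchd jobs: anything that claims to be a vendor updater but runs from a user-writable or hidden path, and relaunches itself, deserves a closer look. The script below is an added example and not code from the report or from any vendor; the launchd directories and the Zoom bundle path are real macOS locations, while the heuristic prefixes, the sample job labels and the `zoomupdate` binary path are constructed for the demo and are not published NimDoor indicators.

```python
import plistlib
import tempfile
from pathlib import Path
from typing import Optional

# Where launchd looks for per-user and system jobs on macOS (real paths).
LAUNCHD_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

# Heuristic prefixes chosen for this example: a vendor updater would not normally
# run from a temp or shared directory. These are assumptions, not NimDoor indicators.
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# Real install location of the Zoom client on macOS.
ZOOM_BUNDLE = "/Applications/zoom.us.app/"


def _program(job: dict) -> Optional[str]:
    """Return the executable a launchd job runs, from Program or ProgramArguments[0]."""
    if "Program" in job:
        return str(job["Program"])
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def _in_dot_directory(path: str) -> bool:
    """True if any directory component of the path is hidden (starts with a dot)."""
    return any(part.startswith(".") for part in Path(path).parts[1:-1])


def triage_job(job: dict) -> list:
    """Return the reasons a parsed launchd job looks suspicious (empty list if none)."""
    reasons = []
    prog = _program(job)
    if prog is None:
        return ["no Program or ProgramArguments"]
    label = str(job.get("Label", "")).lower()
    if prog.startswith(TEMP_PREFIXES):
        reasons.append(f"program runs from a temp/shared directory: {prog}")
    if _in_dot_directory(prog):
        reasons.append(f"program is hidden in a dot-directory: {prog}")
    if "zoom" in label and not prog.startswith(ZOOM_BUNDLE):
        reasons.append(f"label claims Zoom but program is outside {ZOOM_BUNDLE}: {prog}")
    # RunAtLoad plus KeepAlive is how a backdoor survives logout and kill. Many
    # legitimate agents use the same settings, so only report it alongside another signal.
    if reasons and job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: relaunches automatically")
    return reasons


def triage_dirs(dirs) -> dict:
    """Parse every .plist in the given directories; return {path: reasons} for flagged jobs only."""
    findings = {}
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for plist_path in sorted(d.glob("*.plist")):
            try:
                with open(plist_path, "rb") as fh:
                    job = plistlib.load(fh)
            except Exception as exc:  # malformed XML or binary plist
                findings[str(plist_path)] = [f"unparseable plist: {exc}"]
                continue
            reasons = triage_job(job)
            if reasons:
                findings[str(plist_path)] = reasons
    return findings


def demo() -> dict:
    """Write two CONSTRUCTED sample jobs to a temp dir and triage them (touches no real host)."""
    tmp = Path(tempfile.mkdtemp())
    benign = {"Label": "com.example.backup",
              "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
              "RunAtLoad": True}
    # Constructed lookalike: claims to be a Zoom updater but runs a hidden binary in a home dir.
    lookalike = {"Label": "us.zoom.updater",
                 "ProgramArguments": ["/Users/alice/Library/Application Support/.cache/zoomupdate", "--daemon"],
                 "RunAtLoad": True, "KeepAlive": True}
    for name, job in (("com.example.backup", benign), ("us.zoom.updater", lookalike)):
        with open(tmp / f"{name}.plist", "wb") as fh:
            plistlib.dump(job, fh)
    return triage_dirs([tmp])


if __name__ == "__main__":
    # Triage the real launchd directories on this Mac, then the constructed demo jobs.
    for path, reasons in triage_dirs(LAUNCHD_DIRS).items():
        print(path, *reasons, sep="\n  ")
    print(demo())
```

The heuristics are deliberately coarse: a hit is a prompt to check the binary's code signature and hash, not a verdict. Because the report says the dropped binaries can reinfect the host, remove the launchd job and its target binary together, then re-run the triage after a reboot to confirm nothing re-registered.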