North Korean hackers are actively launching Web3 attacks using Nim-based malware in their latest cyber operations. The campaign is highly sophisticated and targets cryptocurrency platforms, macOS systems, and national security experts. The attackers combine social engineering with advanced malware to steal data and maintain long-term access to compromised systems.
Researchers from SentinelOne, Phil Stokes and Raffaele Sabato, revealed that the malware uses process injection and secure WebSocket (wss) communications on macOS—an unusual and advanced method. The malware also features a persistence mechanism that automatically reinstalls itself if terminated or when the system reboots.
This new malware, named NimDoor, uses social engineering to approach victims on messaging platforms like Telegram. Attackers schedule fake Zoom meetings using Calendly and send emails with links that appear to update the Zoom SDK. Once clicked, an AppleScript downloads additional malware while redirecting the user to a legitimate Zoom page.
The malware downloads ZIP files containing:
- A C++ loader: InjectWithDyldArm64
- Embedded binaries: Target and trojan1_arm64
The loader decrypts and injects malicious code into suspended processes, which are later resumed to execute further stages of the attack. The injected malware's capabilities include:
- System reconnaissance
- Command execution
- Directory modification
- Credential theft from browsers (Arc, Brave, Chrome, Edge, Firefox)
- Telegram data extraction
It also launches a CoreKitAgent component, ensuring that the malware remains active even if the user attempts to terminate it. The malware beacons out every 30 seconds to hardcoded Command-and-Control (C2) servers, constantly exfiltrating data and receiving additional commands.
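A fixed 30-second beacon like the one described above produces a very regular inter-connection timing that stands out in outbound connection logs even when the destination is unknown. The following Python script is an added example written for this article, not SentinelOne's code: the log format, hostnames and IP addresses are constructed for illustration, and the thresholds (at least five connections to a destination, coefficient of variation of the gaps at or below 0.1) are assumptions a defender would tune for their own environment.

```python
"""Detect fixed-interval C2 beaconing in outbound connection logs.

Added example for this article; not SentinelOne's code. The log format,
hostnames and addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log: "<ISO timestamp> <source host> <destination ip>:<port>".
# HOST-A contacts 203.0.113.10:443 roughly every 30 seconds with a second or
# so of jitter (the timer-driven pattern described above); HOST-B's
# connections to 198.51.100.7:443 are irregular, like normal user traffic.
SAMPLE_LOG = """\
2025-07-01T10:00:00 HOST-A 203.0.113.10:443
2025-07-01T10:00:30 HOST-A 203.0.113.10:443
2025-07-01T10:01:01 HOST-A 203.0.113.10:443
2025-07-01T10:01:30 HOST-A 203.0.113.10:443
2025-07-01T10:02:00 HOST-A 203.0.113.10:443
2025-07-01T10:02:31 HOST-A 203.0.113.10:443
2025-07-01T10:00:05 HOST-B 198.51.100.7:443
2025-07-01T10:00:09 HOST-B 198.51.100.7:443
2025-07-01T10:03:40 HOST-B 198.51.100.7:443
2025-07-01T10:11:02 HOST-B 198.51.100.7:443
2025-07-01T10:11:03 HOST-B 198.51.100.7:443
2025-07-01T10:25:00 HOST-B 198.51.100.7:443
"""


def parse_log(text):
    """Group connection timestamps by (source, destination), sorted in time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(timestamp))
    for times in flows.values():
        times.sort()
    return flows


def beacon_score(times):
    """Return (median gap in seconds, coefficient of variation of the gaps).

    A timer-driven beacon has a stable median gap and a coefficient of
    variation close to zero; human-driven traffic has widely varying gaps.
    Returns None when there are too few gaps to judge.
    """
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    med = median(gaps)
    cv = pstdev(gaps) / med if med > 0 else float("inf")
    return med, cv


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Return [(src, dst, median_gap_seconds)] for flows that look timer-driven.

    min_connections and max_cv are assumed tuning thresholds, not values
    taken from the article.
    """
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        score = beacon_score(times)
        if score is not None and score[1] <= max_cv:
            hits.append((src, dst, score[0]))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{gap:.0f}s")
```

In real deployments the same logic runs over firewall, proxy or NetFlow exports; the usual sources of false positives are legitimate pollers (NTP, monitoring agents, software update checks), so pair the timing score with an allow-list of known periodic destinations before alerting.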
Meanwhile, cybersecurity company Genians uncovered the ongoing use of the ClickFix social engineering strategy by the North Korean hacking group Kimsuky as part of their BabyShark campaign. The observed lures and techniques include:
- Spear-phishing emails pretending to be interview requests from reputable organizations.
- Malicious RAR archives containing Visual Basic Scripts (VBS) that open decoy Google Docs while installing malware.
- Fake CAPTCHA verification pages that trick users into executing PowerShell commands.
- Phishing emails impersonating national security officials to lure victims into opening password-protected PDF or HWP files.
- Malware disguised as job opportunities on fake defense research portals.
- Instructions to install Chrome Remote Desktop, granting attackers remote access via C2 servers.
Further investigations revealed the use of GitHub and Dropbox to distribute malware such as Xeno RAT and its variant MoonPeak. Attackers used GitHub Personal Access Tokens (PATs) to manage malware deployment and collect stolen data from victims. Other techniques observed in the campaign include:
- Multi-stage PowerShell scripts
- Fake documents that distract users while malicious code executes
- Persistent backdoors using legitimate software such as AnyDesk
- Weaponized compressed archives containing Windows shortcut (LNK) files
Kimsuky has been one of the most active Advanced Persistent Threat (APT) groups from North Korea, frequently changing tools and attack methods. According to NSFOCUS, Kimsuky and Konni accounted for 5% of all APT activities recorded in May 2025.
Key takeaways:
- Emerging Threats: North Korean hackers are actively targeting Web3, cryptocurrency, and macOS users.
- Social Engineering: Tactics like ClickFix, fake job portals, and phishing remain their primary entry points.
- Persistent Malware: The use of signal handlers, process injection, and public platforms like GitHub makes these attacks more resilient.
- Advanced Payload Delivery: Multi-stage attacks using PowerShell, AppleScript, and remote desktop tools ensure long-term system compromise.
At CCIE Academy, we emphasize the importance of cybersecurity awareness and proactive defense strategies. The evolution of these attacks demonstrates that hackers are continually refining their techniques to bypass modern security measures.
Stay updated with the latest cybersecurity threats and best practices by following us at ccieacademy.org.