A new malware called NimDoor is making waves in the Apple world. This malware is different from what we usually see on macOS. It targets people who work with Web3 technologies and cryptocurrency, trying to steal their private information and money.
The attackers begin by pretending to be someone the victim knows. They contact the victim through Telegram, a popular messaging app. They then suggest a fake business meeting and send what looks like a normal Zoom invitation. But instead of a real meeting, they trick people into downloading a dangerous file.
This file is disguised as a “Zoom SDK update script,” which sounds official. The download link comes from a fake website that looks very close to Zoom’s real support page. Once the victim downloads and runs this file, the malware silently gets into the system and begins its work.
What makes NimDoor especially dangerous is how deeply it hides inside the computer. It doesn't behave like most other Mac malware. Instead of running as a separate program that is easy to spot, it uses a technique called process injection, which lets it place its code inside other apps already running on the Mac, so it can hide and keep working without being noticed.
Smart Coding and Stealthy Behavior
The malware is built using several programming languages. It uses AppleScript to enter the system, C++ to inject its code into other apps, and a rare language called Nim to run its main features. This combination makes it hard for security tools to understand what the malware is doing.
One clever feature of NimDoor is how it avoids being shut down. Normally, if someone finds a virus, they can force it to stop running. But NimDoor has a trick for this. It installs handlers for the system signals that usually tell a program to shut down, SIGINT and SIGTERM, so a plain stop request does not end it.
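The mechanism behind that trick is ordinary POSIX signal handling, and it matters to responders because it decides which kill commands actually work. The script below is an added illustration written for this article, not code from the article or from the malware: it traps SIGINT and SIGTERM in the current process, shows that the process survives a SIGTERM sent to itself, and shows that SIGKILL cannot be trapped at all, which is why `kill -9` (SIGKILL) is the signal to reach for when a process ignores `kill`.

```python
"""Why SIGTERM is not a reliable kill switch.

Added example for this article (not the article's or the malware's code).
It demonstrates the POSIX behaviour behind the article's point: a process
may install handlers for SIGINT and SIGTERM, but SIGKILL cannot be caught,
blocked or ignored, so responders should terminate a stubborn process with
SIGKILL (kill -9) rather than the default SIGTERM.
"""
import os
import signal

# Signals the process managed to intercept during the demo.
caught: list[int] = []


def _log_and_ignore(signum, frame):
    """Handler that records the signal and deliberately does not exit."""
    caught.append(signum)


def install_trap() -> None:
    """Trap the two 'please stop' signals: Ctrl-C (SIGINT) and kill(1)'s default (SIGTERM)."""
    signal.signal(signal.SIGINT, _log_and_ignore)
    signal.signal(signal.SIGTERM, _log_and_ignore)


def restore_defaults() -> None:
    """Put the default dispositions back so the demo does not leave traps behind."""
    signal.signal(signal.SIGINT, signal.default_int_handler)
    signal.signal(signal.SIGTERM, signal.SIG_DFL)


def survives_sigterm() -> bool:
    """Send SIGTERM to ourselves with handlers installed; True if we are still running."""
    install_trap()
    caught.clear()
    os.kill(os.getpid(), signal.SIGTERM)  # exactly what a plain `kill <pid>` sends
    # Reaching this line means the handler ran instead of the default exit action.
    return signal.SIGTERM in caught


def sigkill_is_trappable() -> bool:
    """Try to install a handler for SIGKILL; the kernel refuses, so this returns False."""
    try:
        signal.signal(signal.SIGKILL, _log_and_ignore)
    except (OSError, ValueError):
        return False
    return True


if __name__ == "__main__":
    print("process survived SIGTERM:", survives_sigterm())
    print("SIGKILL can be trapped:", sigkill_is_trappable())
    restore_defaults()
```

The practical takeaway for incident response is the second result: no user-space code can intercept SIGKILL, so a process that shrugs off `kill` or Ctrl-C still dies to `kill -9`. Note that signal handlers can only be installed from the main thread in Python.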
To make sure it starts every time the computer is turned on, the malware places a launch agent configuration file in the LaunchAgents folder. LaunchAgents is a normal part of macOS that allows apps to open automatically when the computer starts.
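Because LaunchAgents is also where legitimate software registers itself, the defensive question is which entries deserve a closer look. The triage script below is an added example written for this article, not the article's own tooling and not tied to any specific NimDoor indicator: it parses launch agent property lists with Python's standard `plistlib` and flags agents whose program or arguments point into temporary, shared or hidden directories, that combine `RunAtLoad` with `KeepAlive` (start at login and restart if killed), or whose label borrows Apple's `com.apple.` namespace even though Apple's own agents do not live in these folders. The two sample plists embedded in it are constructed for illustration.

```python
"""Triage macOS LaunchAgents plists for persistence entries worth a second look.

Added example for this article (not the article's or any vendor's tooling).
It uses only the standard library and heuristics that are generic rather
than indicators for a particular malware family. The sample plists below
are constructed for demonstration; the directory paths are the real ones
launchd reads user and system-wide agents from.
"""
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Where launchd looks for agents (real macOS paths; ~ is the current user).
LAUNCH_AGENT_DIRS = [
    Path("~/Library/LaunchAgents").expanduser(),
    Path("/Library/LaunchAgents"),
]

# Vendor agents rarely run anything from these writable, transient locations.
SUSPICIOUS_PATH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def launch_args(plist: dict) -> list[str]:
    """Return the executable plus arguments launchd would run for this agent."""
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if "Program" in plist:
        args.insert(0, str(plist["Program"]))
    return args


def reasons_for(plist: dict) -> list[str]:
    """Heuristic findings for one parsed launch agent (empty list = nothing notable)."""
    reasons = []
    args = launch_args(plist)
    if not args:
        reasons.append("no Program or ProgramArguments")
    for arg in args:
        # "/." catches hidden path components such as /Users/x/.cache/run.sh
        if arg.startswith(SUSPICIOUS_PATH_PREFIXES) or "/." in arg:
            reasons.append(f"path in unusual or hidden location: {arg}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad and KeepAlive both set (auto-start and auto-restart)")
    label = str(plist.get("Label", ""))
    if label.startswith("com.apple."):
        reasons.append(f"label borrows the com.apple. namespace: {label}")
    return reasons


def triage_bytes(data: bytes) -> list[str]:
    """Parse raw plist bytes (XML or binary) and return the findings."""
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError):
        return ["unparseable plist"]
    if not isinstance(plist, dict):
        return ["plist root is not a dictionary"]
    return reasons_for(plist)


def triage_dir(directory: Path) -> dict[str, list[str]]:
    """Triage every *.plist in a directory; returns {path: findings} for flagged files."""
    findings = {}
    if not directory.is_dir():
        return findings
    for path in sorted(directory.glob("*.plist")):
        reasons = triage_bytes(path.read_bytes())
        if reasons:
            findings[str(path)] = reasons
    return findings


# Constructed samples: a typical vendor updater and a shell-script agent that
# hides under /Users/Shared and impersonates Apple's label namespace.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.vendor.updater",
    "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.sdk.helper",
    "ProgramArguments": ["/bin/bash", "/Users/Shared/.sdk/update.sh"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    print("benign sample:", triage_bytes(BENIGN_PLIST))
    print("suspicious sample:", triage_bytes(SUSPICIOUS_PLIST))
    for d in LAUNCH_AGENT_DIRS:
        for path, reasons in triage_dir(d).items():
            print(path)
            for r in reasons:
                print("   -", r)
```

Run on a live Mac it walks both LaunchAgents folders and prints only the agents that trip a heuristic; a hit is a prompt to inspect the referenced script and its code signature, not a verdict on its own, since some legitimate tools also set `KeepAlive`.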
What the Malware Tries to Steal
Once NimDoor is running on the victim’s Mac, it begins its main mission — stealing private data. One of the first things it does is try to grab Keychain credentials. Keychain is Apple’s system that stores all your passwords, so if hackers get into it, they can access your emails, bank accounts, and more.
The malware also goes after web browsers. It looks inside popular apps like Google Chrome and Firefox to collect saved passwords and browsing history. It can even spy on Telegram messages to steal sensitive conversations.
All this stolen data is sent back to the hackers over an encrypted channel. Because of the encryption, even companies that monitor internet traffic might not notice that something bad is happening.
This level of technical skill is rare in macOS malware. It shows that the people behind NimDoor spent a lot of time making sure their malware could stay hidden, work efficiently, and avoid being removed. From its fake Zoom invite to its secret updates and encrypted messages, NimDoor is one of the most advanced macOS threats seen in recent years.
Apple users — especially those in crypto and Web3 spaces — are the main targets. The malware is designed to blend in, act like a normal part of the system, and steal valuable information without raising red flags.