NimDoor macOS Malware Exfiltrates Crypto Data, Sends USDC
Security firm SentinelLabs has uncovered NimDoor, a macOS malware campaign by North Korean–linked hackers targeting cryptocurrency firms. Attackers impersonated trusted contacts via Calendly and hosted a fake Zoom update on a cloned GitHub repo. Installing the bogus app delivers two obfuscated Nim-language binaries: one harvests system and browser data (Arc, Brave, Firefox, Chrome, Edge), while the other establishes persistent access and exfiltrates Telegram’s encrypted messages. Once running, the malware immediately connects to its C2 servers to siphon credentials and other sensitive data. Blockchain investigator ZachXBT traced monthly transfers of 2.76 million USDC from Circle accounts to DPRK-linked developers—some tied to Tether-blacklisted addresses—highlighting the operational funding behind the campaign. While infections remain isolated to select Web3 businesses, the incident underscores growing cybersecurity threats in the digital asset sector. Traders should verify Zoom updates through official channels, enable endpoint protection, check digital signatures before installing software, maintain current patches and conduct due diligence on project teams to mitigate risk.
Neutral
As a stablecoin, USDC’s peg to the U.S. dollar limits significant price swings, even amid concerns over its use for funding DPRK-linked malware operations. In the short term, traders may monitor any collateral or transparency issues at Circle but are unlikely to see major volatility. Over the long term, Circle’s reserves and regulatory compliance should help maintain USDC’s stability, keeping market impact neutral.