North Korean threat actors have upgraded their long-running “fake interview” malware campaign targeting the Web3, cryptocurrency, and blockchain industries, according to a detailed technical report by Sentinel One.
While the core social engineering strategy of posing as recruiters to lure victims into phony job interviews remains unchanged, the attackers have overhauled their malware toolkit by embracing new and niche programming languages such as Nim in a bid to bypass both human researchers and automated security defenses.
Attackers Adopt Nim Language
Since at least mid-2023, North Korean cyber operators, believed to be associated with state-sponsored groups, have targeted professionals in crypto startups by arranging fake interviews over Zoom.
Victims, enticed by the prospect of new employment, are prompted via email to install a purported “Zoom SDK update,” which is in fact a malicious payload.

When executed, the malware typically runs scripts and downloads additional components, compromising the victim’s macOS device and enabling attackers to steal e-wallet contents, browser credentials, and other sensitive information.
Sentinel One’s analysis, published on July 2, highlights that while the attack vector is familiar, the technical underpinnings have shifted dramatically.
The spear-phishing campaign now leverages binaries compiled in the relatively obscure Nim programming language, alongside a mixture of AppleScript and C++ components.
Nim, less widely used among cybersecurity professionals and not commonly covered by standard anti-malware solutions, provides an obfuscation layer that complicates both reverse engineering and signature-based detection.
This application of Nim is not just a novelty. By integrating such emerging languages into the attack chain, the hackers evade static and behavioral analysis used by many endpoint security products.
Sentinel One notes the threat group’s growing technical sophistication, with evidence of them rapidly prototyping malware in different programming environments, likely aided by AI-powered coding tools that accelerate the learning and porting process.
Complex Multi-Language Malware
The campaign itself specifically targets browser-stored credentials from browsers such as Chrome, Brave, Edge, Firefox, and Arc.
Attackers exfiltrate data from macOS Keychain, fetch Telegram user information including locally stored encrypted databases and message histories, and maintain persistence with backdoor commands to dump system or environment data.
Communication with command-and-control infrastructure is established over secure WebSocket (wss) connections, enhancing stealth and exfiltration reliability.
The use of multiple programming languages in a single malware chain is a rising trend, not unique to North Korean actors.
By blending languages like Bash, AppleScript, Java, Go, and now Nim, cybercriminals increase the challenge for defenders, who must contend with analyzing multifaceted payloads and attack flows.
This “polyglot malware” approach can render traditional detection methods and reverse engineering far less effective.
End users, particularly Apple users operating in the crypto and blockchain spheres, face increased risk due to the malware’s ability to bypass established security guardrails.
Many anti-malware solutions may not yet recognize Nim-based binaries or scripts compiled in less common environments.
As a result, even vigilant users may find it difficult to detect or respond to breaches unless they observe strict cybersecurity hygiene.
Sentinel One reports that the phishing emails typically instruct victims to follow links closely resembling legitimate Zoom domains, such as “support.us05web-zoom[.]forum” or “support.us05web-zoom[.]pro.”
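As an added illustration (not code from the Sentinel One report), the check below scans an email body for links whose host mentions “zoom” but whose registered domain is not one Zoom controls, using the two lookalike domains quoted above as constructed sample input; the allow-list of legitimate Zoom domains and the two-label “registered domain” shortcut are assumptions, and a production version should use a public-suffix list.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: Zoom links are expected only under these registered domains.
LEGIT_ZOOM_DOMAINS = {"zoom.us", "zoom.com"}

# Constructed sample email mirroring the lure: a defanged lookalike link next to a real Zoom link.
SAMPLE_EMAIL = """\
Hi, thanks for scheduling the interview. Before we start, please install the
Zoom SDK update from https://support.us05web-zoom[.]forum/update
(mirror: https://support.us05web-zoom[.]pro/update)
Meeting link: https://us05web.zoom.us/j/123456789 and our site https://example.com/careers
"""


def refang(text: str) -> str:
    """Turn defanged indicators ('[.]', 'hxxp') back into parseable URLs."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname ('us05web.zoom.us' -> 'zoom.us').
    Simplification: real code should consult the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_zoom_link(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one URL.
    A lookalike mentions 'zoom' anywhere in the host (typically a real-looking
    Zoom subdomain such as 'us05web' glued on with a hyphen) but sits under a
    registered domain Zoom does not own."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unrelated"
    if registered_domain(host) in LEGIT_ZOOM_DOMAINS:
        return "legit"
    return "lookalike" if "zoom" in host else "unrelated"


def flag_lookalikes(email_body: str) -> list[str]:
    """Extract http(s) URLs from an email body and return the Zoom lookalikes, in order."""
    urls = re.findall(r"""https?://[^\s<>"')]+""", refang(email_body))
    return [u for u in urls if classify_zoom_link(u) == "lookalike"]


if __name__ == "__main__":
    for hit in flag_lookalikes(SAMPLE_EMAIL):
        print("lookalike Zoom link:", hit)
```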
The firm advises users to only install updates from official channels and remain cautious of unsolicited interview requests or software update prompts, especially in the context of job applications or recruitment outreach.
Ultimately, the essence of the attack is unchanged: victims are compromised via social engineering.
While technical countermeasures strive to keep pace with the evolving malware landscape, user awareness and skepticism toward unsolicited software installations remain the most reliable line of defense.
As threat actors continue to embrace new programming languages and AI-driven development techniques, the cybersecurity community is likewise urged to enhance detection strategies and research capabilities in lesser-known programming environments.