macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware
2025-07-02 • SentinelOne
SentinelLABS analyzed NimDoor, a DPRK-linked macOS malware campaign targeting Web3 and cryptocurrency businesses through social engineering and fake Zoom update lures. The infection chain uses AppleScript, C++, Bash, and Nim-compiled Mach-O binaries, with Telegram impersonation, Calendly meeting pretexts, and attacker domains resembling legitimate Zoom infrastructure. The malware shows unusual macOS tradecraft, including process injection into a suspended process, WebSocket-over-TLS command-and-control, encrypted configuration handling, and signal-handler-based persistence. Follow-on scripts collect Keychain, browser, Telegram, and system data from staging paths such as ~/Library/DnsService, making the campaign significant for crypto organizations that rely on macOS developer workstations.
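As an added triage check, not code from the SentinelLABS report, the following bash script looks for the ~/Library/DnsService staging directory named above across user home directories and prints size and SHA-256 for anything found; the home-directory list, the per-file output format and the function names are assumptions of this example.

```bash
#!/bin/bash
# Added example: hunt for the ~/Library/DnsService staging path reported
# for the NimDoor campaign. Not part of the original report.

# Portable SHA-256: macOS ships shasum, Linux hosts usually have sha256sum.
sha256_of() {
    if command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        echo "n/a"
    fi
}

# Prints "<size> <sha256> <path>" for every regular file under
# <home>/Library/DnsService. Returns 0 when at least one file is present
# (a hit worth escalating), 1 when the directory is absent or empty.
check_dnsservice_staging() {
    local home="$1"
    local staging="$home/Library/DnsService"
    local found=1 f size
    [ -d "$staging" ] || return 1
    while IFS= read -r f; do
        found=0
        size=$(wc -c < "$f" | tr -d ' ')
        echo "$size $(sha256_of "$f") $f"
    done < <(find "$staging" -type f 2>/dev/null)
    return "$found"
}

# Walk every home directory given on the command line (default: /Users/*)
# and report how many of them contain staged data.
main() {
    local homes=("$@") hits=0 h
    [ "${#homes[@]}" -eq 0 ] && homes=(/Users/*)
    for h in "${homes[@]}"; do
        if check_dnsservice_staging "$h"; then
            hits=$((hits + 1))
        fi
    done
    echo "homes with ~/Library/DnsService staging data: $hits"
}

# Only run the scan when executed directly, not when sourced for testing.
[ "${BASH_SOURCE[0]}" = "$0" ] && main "$@"
```

Run it as root to cover every home directory; a non-zero hit count means the staging path exists and its contents should be collected before any cleanup.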