NimDoor MacOS Malware

2025-07-14 PolySwarm

https://blog.polyswarm.io/nimdoor-macos-malware


North Korea-linked operators, assessed in the source report as likely Stardust Chollima, used NimDoor macOS malware against Web3 and cryptocurrency organizations. The intrusion chain began with Telegram social engineering and fake Zoom meeting lures, then delivered a malicious AppleScript posing as a Zoom SDK update. Nim and C++ Mach-O binaries, LaunchAgent persistence, process injection, TLS-encrypted WebSocket C2, and signal-handler-based reinstallation supported backdoor access and stealth. The malware stole Keychain credentials, browser data, Telegram databases, process lists, and other sensitive information, showing continued DPRK interest in macOS endpoints inside the crypto sector.
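
The summary above names LaunchAgent persistence and a Zoom-themed lure but gives no agent labels or paths, so the example below is generic triage of a user's LaunchAgents directory rather than a NimDoor signature. It is an added example, not PolySwarm's code or anything from the original report; the interpreter list, suspect path prefixes, vendor-name regex and both sample plists are assumptions constructed for illustration.

```python
"""Triage macOS LaunchAgent plists for generic persistence traits.

Added example (not PolySwarm's or the source report's code). Heuristics and
sample plists are constructed assumptions, not NimDoor indicators.
"""
import plistlib
import re
from pathlib import Path
from typing import Dict, List

# Interpreters often used to launch a payload instead of a packaged app (assumption).
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "curl", "nohup"}
# Locations where a legitimate vendor agent rarely keeps its executable (assumption).
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# Paths under which a vendor-labelled agent is normally expected to live (assumption).
VENDOR_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/")


def program_of(agent: Dict) -> List[str]:
    """Return the argv a LaunchAgent would run, from ProgramArguments or Program."""
    if "ProgramArguments" in agent:
        return list(agent["ProgramArguments"])
    if "Program" in agent:
        return [agent["Program"]]
    return []


def triage(agent: Dict) -> List[str]:
    """Return human-readable findings for one parsed LaunchAgent dictionary."""
    findings: List[str] = []
    argv = program_of(agent)
    if not argv:
        return ["no Program/ProgramArguments (empty or malformed agent)"]
    exe = argv[0]

    # Hidden path components (".name") anywhere in argv: common for dropped payloads.
    for token in argv:
        if any(p.startswith(".") and p not in (".", "..") for p in Path(token).parts):
            findings.append(f"hidden path component in: {token}")
    if exe.startswith(SUSPECT_PREFIXES):
        findings.append(f"executable in temporary/shared location: {exe}")
    if Path(exe).name in INTERPRETERS:
        findings.append(f"agent launches an interpreter, not an app binary: {' '.join(argv)}")
    # RunAtLoad + KeepAlive means launchd restarts the process if it is killed.
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: relaunches automatically if terminated")
    label = str(agent.get("Label", ""))
    if re.search(r"zoom|google|apple|microsoft", label, re.I) and not exe.startswith(VENDOR_PREFIXES):
        findings.append(f"vendor-like label '{label}' but executable outside vendor paths: {exe}")
    return findings


def triage_plist_bytes(data: bytes) -> List[str]:
    """Parse raw plist bytes (XML or binary) and triage the result."""
    return triage(plistlib.loads(data))


def triage_directory(path: Path) -> Dict[str, List[str]]:
    """Triage every .plist in a LaunchAgents directory; returns {filename: findings}."""
    results: Dict[str, List[str]] = {}
    for plist in sorted(path.glob("*.plist")):
        try:
            results[plist.name] = triage_plist_bytes(plist.read_bytes())
        except (plistlib.InvalidFileException, ValueError) as exc:
            results[plist.name] = [f"unparseable plist: {exc}"]
    return results


# Constructed sample plists (assumptions for illustration, not real indicators).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>us.zoom.example</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/zoom.us.app/Contents/MacOS/zoom.us</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.zoom.sdk.update.example</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>-c</string>
    <string>/Users/alice/Library/Application Support/.sdkcache/agent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, data in (("benign", BENIGN_PLIST), ("suspicious", SUSPICIOUS_PLIST)):
        print(name, triage_plist_bytes(data) or ["no findings"])
    # Live use: triage_directory(Path.home() / "Library" / "LaunchAgents")
```

The heuristics are deliberately coarse: a vendor-like label combined with an executable outside vendor paths, an interpreter as argv[0], hidden directories in the command line, and RunAtLoad with KeepAlive each appear in legitimate software, so treat the output as a review queue, not a verdict.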

Indicators of Compromise

Type  Value                              First Seen  Last Seen
HASH  ea8a58bbb6d5614855a470b2d363019…   2025-07-14  2025-07-14
HASH  e6a7c54c01227adcb2a180e62f0082d…   2025-07-14  2025-07-14
HASH  bcef50a375c8b4edbe7c80e220c1bb5…   2025-07-14  2025-07-14
HASH  74cbec210ba601caeb063d44e510fc0…   2025-07-14  2025-07-14
HASH  0d1e3a9e6f3211b7e3072d736e9a2e6…   2025-07-14  2025-07-14
HASH  9c48e2a01d852e08f923a4638ef391b…   2025-07-14  2025-07-14
HASH  69a012ff46565169534ccefb175f87b…   2025-07-14  2025-07-14
HASH  64c9347d794243be26e811b5eb90fb1…   2025-07-14  2025-07-14
HASH  7ffc83877389ebb86d201749d73b5e3…   2025-07-14  2025-07-14
HASH  41660a23e5db77597994e17f9f773d0…   2025-04-23  2025-07-14
HASH  469fd8a280e89a6edd0d704d0be4c7e…   2025-04-23  2025-07-14
