A sophisticated campaign by North Korean (DPRK)-aligned threat actors targeting Web3 and cryptocurrency businesses has been uncovered, showcasing an alarming evolution in macOS malware tactics.
According to detailed analysis by SentinelLABS, alongside corroborating reports from Huntabil.IT and Huntress, the attackers deploy a multi-stage attack chain featuring Nim-compiled binaries, process injection techniques, and encrypted remote communications.
DPRK Threat Actors Target Web3
Dubbed “NimDoor,” this malware family leverages an eclectic mix of AppleScripts, Bash scripts, and binaries written in C++ and Nim to infiltrate systems, establish persistence, and exfiltrate sensitive data such as Keychain credentials, browser information, and Telegram user data.
First observed in targeted attacks in April 2025, this campaign highlights the growing complexity of threats aimed at macOS users in high-value industries.
The attack begins with a familiar social engineering tactic: impersonating a trusted contact via Telegram to lure victims into running a fake “Zoom SDK update script” hosted on deceptive domains mimicking legitimate Zoom infrastructure, such as support.us05web-zoom[.]forum.
This initial AppleScript retrieves secondary payloads, setting off two independent execution chains involving C++ and Nim binaries.
A notable C++ binary, identified as “a” or “InjectWithDyldArm64,” employs a rare process injection technique on macOS, requiring specific entitlements like com.apple.security.cs.debugger to inject malicious code into a benign process.
Persistence Mechanisms
The injected code, housed in a binary named “trojan1_arm64,” communicates with command-and-control (C2) servers using wss (TLS-encrypted WebSocket protocol), an uncommon choice for macOS malware, to receive commands and exfiltrate data.
Concurrently, Nim-compiled binaries like “installer,” “GoogIe LLC,” and “CoreKitAgent” orchestrate long-term persistence, utilizing a groundbreaking signal-based mechanism that intercepts SIGINT and SIGTERM signals to reinstall components upon termination or system reboot.
Additionally, Bash scripts like “upl” and “tlgrm” systematically steal browser data from applications like Chrome and Firefox, alongside Keychain credentials and Telegram databases, compressing and uploading them to C2 servers such as dataupload[.]store.
The use of Nim, a lesser-known programming language, introduces unique challenges for defenders due to its ability to execute functions at compile time, obscuring control flow and blending malicious logic with runtime code.
AppleScripts further serve as lightweight beacons and backdoors, contacting C2 servers like writeup[.]live every 30 seconds to relay system information and execute remote commands.
This blend of cross-platform languages, native macOS scripting, and innovative persistence techniques such as leveraging signal handlers and asynchronous execution demonstrates a clear intent to evade traditional security measures.
According to the Report, SentinelLABS warns that the adoption of unconventional languages like Nim and Crystal by threat actors is likely to increase, urging analysts and detection engineers to deepen their understanding of these tools.
As macOS becomes a more frequent target for state-sponsored actors, particularly in lucrative sectors like cryptocurrency, the need for advanced threat hunting and behavioral detection grows ever more critical to counter these evolving attack methodologies.
Indicators of Compromise (IoC)
| Category | Indicator | Description |
|---|---|---|
| Domains | dataupload[.]store | upl/tlgrm C2 |
| firstfromsep[.]online | netchk C2 | |
| safeup[.]store | CoreKit C2 | |
| FilePaths | ~/Library/Application Support/Google LLC/GoogIe LLC | Payload location |
| ~/.ses | AppleScript beacon | |
| Binaries (SHA-1) | 5b16e9d6e92be2124ba496bf82d38fb35681c7ad | a (universal) |
| Scripts (SHA-1) | 023a15ac687e2d2e187d03e9976a89ef5f6c1617 | zoom_sdk_support.scpt |
Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free
