NimDoor crypto-theft macOS malware revives itself when killed

by Wire Tech

North Korean state-backed hackers have been using a new family of macOS malware called NimDoor in a campaign that targets web3 and cryptocurrency organizations.

Researchers analyzing the payloads discovered that the attacker relied on unusual techniques and a previously unseen signal-based persistence mechanism.

The attack chain, in which victims are contacted via Telegram and lured into running a fake Zoom SDK update delivered through Calendly invites and email, resembles the one that managed security platform Huntress recently linked to BlueNoroff.

Advanced macOS malware

In a report today, researchers at cybersecurity company SentinelOne say that the threat actor used C++ and Nim-compiled binaries (collectively tracked as NimDoor) on macOS, which "is a more unusual choice."

One of the Nim-compiled binaries, 'installer', is responsible for the initial setup and staging, preparing directories and config paths. It also drops two other binaries, 'GoogIe LLC' (note the capital 'I' standing in for the 'l' of "Google") and 'CoreKitAgent', onto the victim's system.

GoogIe LLC then takes over to collect environment data and generate a hex-encoded config file, which it writes to a temporary path. It sets up a macOS LaunchAgent (com.google.update.plist) for persistence, which re-launches GoogIe LLC at login, and stores authentication keys for the later stages.
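A LaunchAgent that relaunches a lookalike-named binary at login is the kind of thing a responder should be able to triage quickly. The following Python is an added example, not code from the SentinelLABS report or from the malware: it parses LaunchAgent plists with the standard-library plistlib, summarizes what each one launches, and flags entries whose label imitates a vendor while the program lives outside the usual vendor install paths, or whose program name contains a capital I wedged between lowercase letters (the "GoogIe" trick). The sample plist, its program path, the vendor prefixes and the homoglyph regex are all constructed for the demo and are not indicators from the report.

```python
"""Triage helper for macOS LaunchAgents (added example, not the report's code)."""
import plistlib
import re
from pathlib import Path

# Where legitimately installed vendor agents normally live (assumption, tune
# for your fleet). A vendor-looking label running from somewhere else is odd.
VENDOR_PATHS = ("/System/", "/usr/", "/Applications/", "/Library/")
VENDOR_LABELS = ("com.google.", "com.apple.", "com.microsoft.")
# Heuristic: capital I between lowercase letters, as in "GoogIe".
HOMOGLYPH_I = re.compile(r"[a-z]I[a-z]")

# Constructed sample modelled on the com.google.update.plist described in the
# article; the program path is invented for the demo.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.google.update</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/Application Support/GoogIe LLC</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def summarize(plist_bytes):
    """Reduce a LaunchAgent plist to the fields that matter for triage."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    return {
        "label": data.get("Label", ""),
        "program": program,
        "arguments": list(args),
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "keep_alive": bool(data.get("KeepAlive", False)),
    }


def flag(entry):
    """Return a list of human-readable reasons the entry deserves a look."""
    reasons = []
    label, program = entry["label"], entry["program"]
    if label.startswith(VENDOR_LABELS) and not program.startswith(VENDOR_PATHS):
        reasons.append("vendor-style label but program outside vendor install paths")
    if HOMOGLYPH_I.search(Path(program).name):
        reasons.append("possible homoglyph in program name (capital I for l)")
    return reasons


def scan(directory="~/Library/LaunchAgents"):
    """Parse every *.plist in a LaunchAgents directory; unreadable files are skipped."""
    results = []
    for path in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            entry = summarize(path.read_bytes())
        except Exception as exc:  # malformed/binary-garbled plist: report, keep going
            results.append((str(path), None, [f"unparseable: {exc}"]))
            continue
        results.append((str(path), entry, flag(entry)))
    return results


if __name__ == "__main__":
    for path, entry, reasons in scan():
        marker = "!!" if reasons else "  "
        program = entry["program"] if entry else "?"
        print(f"{marker} {path}\n     -> {program}")
        for r in reasons:
            print(f"     reason: {r}")
```

Run it as the affected user to list the per-user LaunchAgents; the same scan works on /Library/LaunchAgents and /Library/LaunchDaemons by passing the directory. A flag is a prompt to check the binary's code signature and hash against the report's IOCs, not a verdict on its own.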

The most advanced component used in the attack is CoreKitAgent, the main payload of the NimDoor framework, which operates as an event-driven binary, using macOS's kqueue mechanism to asynchronously manage execution.

It implements a 10-case state machine with a hardcoded state transition table, allowing flexible control flow based on runtime conditions.

The most distinctive feature is its signal-based persistence mechanism: it installs custom handlers for SIGINT and SIGTERM.

Registering custom signal handlers for SIGINT and SIGTERM
Source: SentinelLABS

These are the signals normally used to terminate a process (Ctrl-C in a terminal, or a plain kill), but when either is caught, CoreKitAgent triggers a reinstallation routine that re-deploys GoogIe LLC, restoring the persistence chain. SIGKILL cannot be caught by any handler, so a kill -9 still stops the process; the LaunchAgent and the on-disk copies must be removed as well, or the chain comes back at the next login.

"When triggered, CoreKitAgent catches these signals and writes the LaunchAgent for persistence, a copy of GoogIe LLC as the loader, and a copy of itself as the trojan, setting executable permissions on the latter two via the addExecutionPermissions_user95startup95mainZutils_u32 function," explains SentinelLABS.

"This behavior ensures that any user-initiated termination of the malware results in the deployment of the core components, making the code resilient to basic defensive actions."

Writing the malware components back to disk when the process is terminated
Source: SentinelLABS
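To make the mechanism concrete, here is an added Python simulation of the pattern. It is not the malware's code and is not taken from the SentinelLABS report: a process registers handlers for SIGINT and SIGTERM that, instead of exiting, rewrite three marker files standing in for the LaunchAgent plist, the loader and the trojan, and set the executable bit on the latter two. The staging directory and file names are constructed for the demo. The block also checks the caveat a responder cares about: SIGKILL cannot be handled, so the kernel rejects the attempt to register a handler for it.

```python
"""Simulation of signal-based persistence (added example, not the malware's code)."""
import os
import shutil
import signal
import tempfile

# Constructed stand-ins for the three artifacts the real handler rewrites:
# the LaunchAgent plist, the loader (GoogIe LLC) and the trojan (CoreKitAgent).
PLIST, LOADER, TROJAN = "com.example.update.plist", "loader", "agent"
ARTIFACTS = (PLIST, LOADER, TROJAN)


class ResilientAgent:
    """Process that answers SIGINT/SIGTERM by redeploying instead of exiting."""

    def __init__(self, stage_dir):
        self.stage_dir = stage_dir
        self.redeploys = 0

    def deploy(self):
        """Rewrite the persistence chain (marker files here, not real binaries)."""
        os.makedirs(self.stage_dir, exist_ok=True)
        for name in ARTIFACTS:
            path = os.path.join(self.stage_dir, name)
            with open(path, "w") as fh:
                fh.write("placeholder\n")
            if name != PLIST:
                os.chmod(path, 0o700)  # executable bit on loader and trojan
        self.redeploys += 1

    def _on_signal(self, signum, frame):
        # The termination request is swallowed; whatever was deleted comes back.
        self.deploy()

    def install_handlers(self):
        signal.signal(signal.SIGINT, self._on_signal)
        signal.signal(signal.SIGTERM, self._on_signal)


def simulate_kill(agent, signum, n=1):
    """Deliver `signum` to our own process n times; return the redeploy count.

    Previous handlers are restored afterwards so the demo leaves no trace in
    the calling process.
    """
    previous = {s: signal.getsignal(s) for s in (signal.SIGINT, signal.SIGTERM)}
    agent.install_handlers()
    try:
        for _ in range(n):
            signal.raise_signal(signum)  # handler runs before this returns
    finally:
        for sig, handler in previous.items():
            if handler is not None:
                signal.signal(sig, handler)
    return agent.redeploys


def artifacts_present(stage_dir):
    return all(os.path.exists(os.path.join(stage_dir, a)) for a in ARTIFACTS)


def sigkill_is_catchable():
    """SIGKILL (like SIGSTOP) cannot be handled; sigaction fails with EINVAL."""
    try:
        signal.signal(signal.SIGKILL, lambda s, f: None)
    except (OSError, ValueError):
        return False
    return True


def demo():
    """Deploy, let an 'analyst' delete the files and send SIGTERM, observe."""
    stage = tempfile.mkdtemp(prefix="sigpersist-sim-")
    try:
        agent = ResilientAgent(stage)
        agent.deploy()                          # initial install: redeploys == 1
        for name in ARTIFACTS:                  # analyst wipes the artifacts...
            os.remove(os.path.join(stage, name))
        count = simulate_kill(agent, signal.SIGTERM)  # ...then runs kill -TERM
        return {
            "redeploys": count,                 # 2: the kill triggered a reinstall
            "restored": artifacts_present(stage),
            "sigkill_catchable": sigkill_is_catchable(),
        }
    finally:
        shutil.rmtree(stage, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The order of operations for cleanup follows from the result: remove the LaunchAgent and the binaries first, then terminate the process with SIGKILL rather than SIGTERM, and only then confirm nothing was rewritten. Sending SIGTERM first, as most people do, is exactly the action the handler turns into a reinstall.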

CoreKitAgent decodes and runs a hex-encoded AppleScript that beacons to attacker infrastructure every 30 seconds, exfiltrates system data, and executes remote commands via osascript, providing a lightweight backdoor.

In parallel with the NimDoor execution, 'zoom_sdk_support.scpt' triggers a second injection chain involving 'trojan1_arm64', which initiates WSS-based (WebSocket Secure) C2 communications and downloads two scripts, 'upl' and 'tlgrm', that facilitate data theft.

In the case of the 'zoom_sdk_support.scpt' loader, the researchers noticed that it includes more than 10,000 blank lines for obfuscation purposes.

The 'upl' script extracts data from web browsers, grabs the Keychain, .bash_history, and .zsh_history, and exfiltrates them using curl to dataupload[.]store.

The 'tlgrm' script focuses on stealing the Telegram database along with .tempkeyEncrypted, likely to decrypt the messages the target exchanged on the platform.

The tlgrm script targeting Telegram data
Source: SentinelLABS

Overall, the NimDoor framework and the other backdoors SentinelLABS analyzed are some of the most complex macOS malware families linked to North Korean threat actors.

The malware's modularity, which gives it flexibility, and the use of novel techniques like signal-based persistence indicate that DPRK operators are evolving their toolkit to extend their cross-platform capabilities.

SentinelLABS' report includes indicators of compromise for the domains, file paths, scripts, and binaries the North Korean threat actor used in attacks aimed at stealing cryptocurrency assets and sensitive information.



Original Article Published at Bleeping Computer
