Sunday, January 18, 2026

Zoom SDK Update Exploited by NimDoor Malware to Harvest Keychain Credentials on macOS

Security researchers have uncovered a sophisticated macOS malware campaign, dubbed NimDoor, in which North Korea-linked threat actors exploit fake Zoom SDK updates to steal sensitive data from cryptocurrency and Web3 organizations.

The malware, which has been active since at least April 2025, represents a significant evolution in North Korean cyber operations targeting the financial technology sector.

Social Engineering Through Trusted Platforms

The attack begins with an elaborate social engineering scheme where threat actors, likely affiliated with the Stardust Chollima group (also known as TA444, APT38, and BlueNoroff), impersonate trusted contacts on Telegram.

Victims receive invitations to schedule Zoom meetings through Calendly, followed by an email containing a malicious AppleScript disguised as a “Zoom SDK update.”

A telltale typo in the script’s comment section, reading “Zook” instead of “Zoom,” serves as a key identifier for security analysts.

Upon execution, the malicious script triggers a multi-stage infection process deploying two Mach-O binaries: a C++ binary responsible for payload decryption and data theft, and a Nim-compiled “installer” that establishes persistence.

The malware creates two components, “Google LLC” (deliberately misspelled) and “CoreKitAgent,” ensuring continued operation through a LaunchAgent mechanism.
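A defender-side check for the LaunchAgent persistence described above, added here as an example rather than code from the original article or from SentinelOne's research: it scans LaunchAgent plists for the component names the article quotes and for the run-at-login, keep-alive shape a backdoor needs. The plist contents, file names and paths below are constructed samples, not real artefacts.

```python
import plistlib
from pathlib import Path

# Component names quoted in the write-up ("Google LLC", "CoreKitAgent"),
# matched case-insensitively against the file name, Label, Program and arguments.
SUSPICIOUS_NAMES = ("google llc", "corekitagent")


def launch_agent_findings(name: str, plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchAgent plist resembles the persistence above."""
    try:
        agent = plistlib.loads(plist_bytes)
    except Exception:
        return ["plist does not parse"]
    fields = [name, str(agent.get("Label", "")), str(agent.get("Program", ""))]
    fields += [str(a) for a in agent.get("ProgramArguments") or []]
    findings = []
    for field in fields:
        for suspicious in SUSPICIOUS_NAMES:
            if suspicious in field.lower():
                findings.append(f"references '{suspicious}' in {field!r}")
    # A job that starts at login and is relaunched whenever it exits is the
    # shape a backdoor wants; on its own this is only a weak signal.
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive")
    return findings


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Scan a LaunchAgents directory (e.g. ~/Library/LaunchAgents) and keep only hits."""
    hits = {}
    for plist in sorted(directory.glob("*.plist")):
        findings = launch_agent_findings(plist.name, plist.read_bytes())
        if findings:
            hits[plist.name] = findings
    return hits


# Constructed sample plists (hypothetical, not recovered artefacts) so the scan runs offline.
SAMPLES = {
    "com.apple.example.plist": plistlib.dumps(
        {"Label": "com.apple.example", "ProgramArguments": ["/usr/bin/true"]}),
    "com.google.update.plist": plistlib.dumps(
        {"Label": "CoreKitAgent", "RunAtLoad": True, "KeepAlive": True,
         "ProgramArguments": ["/Users/victim/Library/Google LLC/CoreKitAgent"]}),
}


def scan_samples() -> dict[str, list[str]]:
    """Run the same checks over the constructed samples; returns only plists with findings."""
    hits = {}
    for name, data in SAMPLES.items():
        findings = launch_agent_findings(name, data)
        if findings:
            hits[name] = findings
    return hits


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", "; ".join(findings))
```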

Advanced Technical Capabilities

NimDoor’s technical sophistication lies in its use of the Nim programming language, which is rarely employed in macOS malware.

This choice complicates analysis due to Nim’s compile-time execution characteristics, which interleave developer and runtime code, making static analysis significantly more challenging.

The malware employs process injection techniques, uncommon on macOS platforms, and maintains communication with command-and-control servers through TLS-encrypted WebSocket connections.

A particularly novel feature is NimDoor’s persistence mechanism, which leverages SIGINT/SIGTERM signal handlers to reinstall the malware upon termination or system reboot, a first for macOS malware.

The malware beacons every 30 seconds to hardcoded C2 servers using hex-encoded AppleScript, transmitting running process lists and executing remote scripts as a backdoor.

Targeting Cryptocurrency Infrastructure

The malware’s data exfiltration capabilities are extensive, targeting Keychain credentials, browser data from Chrome, Firefox, Brave, Arc, and Edge, as well as Telegram databases containing potential cryptocurrency wallet information.

This focus aligns with North Korea’s broader strategy of generating revenue through cryptocurrency theft to circumvent international sanctions.

SentinelOne’s identification of NimDoor underscores the evolving threat landscape facing Web3 and cryptocurrency organizations.

The campaign’s sophistication, including the use of legitimate Zoom meetings as distractions during compromise, demonstrates the advanced tactics employed by state-sponsored threat actors.

Security professionals recommend heightened vigilance when processing unsolicited software updates, particularly those arriving through informal communication channels.

IOCs
