Tuesday, July 8, 2025

Security researchers at SentinelOne have issued a warning about a North Korea-linked threat group that is actively targeting Web3 and cryptocurrency companies. The group is distributing a macOS malware family known as NimDoor, disguised as a fake Zoom SDK update. The malware is written in the Nim programming language, which is rarely seen in macOS malware, and includes capabilities such as encrypted WebSocket (wss) command-and-control communication, theft of data from the Keychain and browsers, and automatic reinstallation when its process is killed.
The campaign typically begins with a social-engineering approach on Telegram, followed by a Calendly invitation and a phishing link that lures the victim into downloading an AppleScript named “zoom_sdk_support.scpt” with an embedded payload. When executed, the script contacts a spoofed Zoom domain such as support.us05web-zoom[.]forum to download the second stage. NimDoor then drops two Mach-O binaries, ‘a’ and ‘installer’, into the /tmp directory. The ‘a’ binary decrypts and runs the stealer components that collect data from browsers and Telegram, while ‘installer’ sets up persistence using process injection techniques that are rarely seen on macOS, enabled by entitlements such as com.apple.security.cs.debugger and com.apple.security.get-task-allow, which let a process attach to and obtain the task ports of other processes.
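The two entitlements named above are what make the injection possible, so they are worth checking on any unexpected binary found in /tmp or referenced by a LaunchAgent. The following Python triage helper is an added example, not code from SentinelOne's report or from the malware: it parses an entitlements plist, flags the entitlements that weaken the task-port and hardened-runtime boundaries, and tolerates the binary blob header that older `codesign` versions print. The two plists are constructed samples; `entitlements_of` assumes that `codesign -d --entitlements :- PATH` prints the plist on macOS and is not exercised offline.

```python
"""Flag code-signing entitlements that enable macOS process injection.

Added example (not SentinelOne's or NimDoor's code). The plists below are
constructed samples; on a real host feed flag_entitlements() the bytes
returned by entitlements_of(), which assumes the codesign CLI output format.
"""
import plistlib
import subprocess
from typing import Dict, List

# Entitlements worth a second look on any binary outside an expected app
# bundle: the two from the NimDoor report plus those that relax the same
# hardened-runtime protections.
SUSPICIOUS = {
    "com.apple.security.cs.debugger":
        "may act as a debugger and obtain task ports of other processes",
    "com.apple.security.get-task-allow":
        "lets other processes obtain this process's task port",
    "com.apple.security.cs.disable-library-validation":
        "allows loading dylibs signed by a different team or unsigned",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_INSERT_LIBRARIES and friends",
}


def parse_entitlements(raw: bytes) -> Dict[str, object]:
    """Parse an entitlements plist, skipping any leading blob header."""
    start = raw.find(b"<?xml")
    if start < 0:
        start = raw.find(b"<plist")
    if start < 0:
        return {}
    return plistlib.loads(raw[start:])


def flag_entitlements(raw: bytes) -> List[str]:
    """Return the suspicious entitlements that are explicitly true, sorted."""
    ents = parse_entitlements(raw)
    return sorted(k for k, v in ents.items() if k in SUSPICIOUS and v is True)


def entitlements_of(path: str) -> bytes:
    """macOS only (assumption): dump a binary's entitlements with codesign."""
    return subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", path],
        check=True, capture_output=True).stdout


# Constructed sample: what an injector binary's entitlements could look like.
SAMPLE_INJECTOR = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.debugger</key><true/>
    <key>com.apple.security.get-task-allow</key><true/>
    <key>com.apple.security.network.client</key><true/>
</dict>
</plist>
"""

# Constructed sample: a sandboxed app with nothing of interest.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.get-task-allow</key><false/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, raw in (("injector", SAMPLE_INJECTOR), ("benign", SAMPLE_BENIGN)):
        hits = flag_entitlements(raw)
        print(name, "->", hits or "nothing suspicious")
        for hit in hits:
            print("   ", hit, ":", SUSPICIOUS[hit])
```

A hit on com.apple.security.cs.debugger is not proof of malice on its own (legitimate debuggers carry it), but on an unsigned or ad-hoc signed binary in /tmp it is a strong lead; pair the check with a look at the signing identity from the same `codesign -dv` output.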
Researchers found that NimDoor uses a multi-stage architecture with several layers of encryption, and that it installs handlers for the SIGINT and SIGTERM signals: when a user or security tool tries to terminate the process, the handler rewrites its persistence files and restarts the malware instead of letting it exit. The use of Nim further complicates reverse engineering, since Nim's compiled output interleaves runtime and application code in ways that most analysis tooling does not expect.
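What those signal handlers mean in practice for a responder is easy to reproduce. The script below is an added example, not NimDoor's code: a throwaway child process stands in for the agent, traps SIGINT and SIGTERM, appends a line to a "reinstalled" log (standing in for rewriting a LaunchAgent plist) and re-execs itself under the same PID. The parent sends SIGTERM, sees the process survive, then sends SIGKILL, which the kernel delivers without giving the process a chance to run a handler. The file names and timings are assumptions for the demo.

```python
"""Why `kill` does not stop a process that traps SIGTERM, and why `kill -9` does.

Added example (not NimDoor's code). Runs on any POSIX system with Python 3.
"""
import os
import signal
import subprocess
import sys
import tempfile
import textwrap
import time
from typing import Dict

# Stand-in for the agent. Written to a temp file and run as a child process.
AGENT = textwrap.dedent(r"""
    import os, signal, sys, time
    log = sys.argv[1]

    def reinstall_and_restart(signum, frame):
        # A real agent would rewrite its LaunchAgent plist and binary here.
        with open(log, "a") as f:
            f.write(f"reinstalled after signal {signum}\n")
        # Replace this process image with a fresh copy of ourselves.
        # execv keeps the PID, so a quick `ps` check looks unchanged.
        os.execv(sys.executable, [sys.executable] + sys.argv)

    signal.signal(signal.SIGTERM, reinstall_and_restart)
    signal.signal(signal.SIGINT, reinstall_and_restart)
    open(log, "a").close()   # tells the parent the handlers are installed
    while True:
        time.sleep(0.1)
""")


def wait_for(path: str, timeout: float = 10.0) -> None:
    """Block until the child has created its log file (handlers registered)."""
    deadline = time.monotonic() + timeout
    while not os.path.exists(path):
        if time.monotonic() > deadline:
            raise TimeoutError(path)
        time.sleep(0.05)


def run_demo() -> Dict[str, object]:
    """Send SIGTERM then SIGKILL to the stand-in agent and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "agent.py")
        log = os.path.join(d, "reinstalled.log")
        with open(script, "w") as f:
            f.write(AGENT)
        proc = subprocess.Popen([sys.executable, script, log])
        try:
            wait_for(log)
            proc.send_signal(signal.SIGTERM)   # catchable: handler re-execs
            time.sleep(1.0)                    # let it log and restart
            alive_after_term = proc.poll() is None
            with open(log) as f:
                reinstalls = len(f.read().splitlines())
            proc.send_signal(signal.SIGKILL)   # not catchable or ignorable
            proc.wait(timeout=5)
            alive_after_kill = proc.poll() is None
        finally:
            if proc.poll() is None:
                proc.kill()
                proc.wait()
        return {
            "alive_after_sigterm": alive_after_term,
            "reinstall_count": reinstalls,
            "alive_after_sigkill": alive_after_kill,
        }


if __name__ == "__main__":
    print(run_demo())
```

The practical consequence: stopping such an agent means removing or unloading its persistence entry first and then sending SIGKILL, because SIGTERM only triggers the reinstall path, and on a real host launchd would otherwise restart whatever the handler just rewrote.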
SentinelLABS notes that North Korean threat actors continue to evolve their tooling, increasingly writing malware in cross-platform languages such as Go, Rust, and now Nim in order to complicate analysis and evade detection systems.