A complicated MacOS malware marketing campaign dubbed NimDoor has emerged, focusing on Web3 and cryptocurrency organizations by weaponized Zoom SDK updates.
The malware, attributed to North Korea-linked risk actors doubtless related to Stardust Chollima, represents a big evolution in offensive capabilities in opposition to MacOS methods, having been lively since not less than April 2025.
The assault orchestration begins with elaborate social engineering techniques the place risk actors impersonate trusted contacts on Telegram, inviting victims to schedule Zoom conferences through Calendly.
Victims subsequently obtain malicious emails containing AppleScript disguised as reliable “Zoom SDK updates.”
The malware’s creators inadvertently left identification markers, together with a deliberate typo altering “Zoom” to “Zook” in script feedback, which aids in detection and evaluation.
PolySwarm analysts recognized NimDoor’s distinctive utilization of the Nim programming language, a uncommon selection for MacOS malware that complicates static evaluation by compile-time execution mechanisms.
This strategic language choice interleaves developer and runtime code, creating analytical obscurity that hinders conventional detection methodologies.
Upon execution, NimDoor triggers a multi-stage an infection deploying two distinct Mach-O binaries: a C++ binary chargeable for payload decryption and information theft operations, and a Nim-compiled “installer” that establishes persistence parts.
The malware deploys intentionally misspelled parts together with “GoogIe LLC” and “CoreKitAgent” to evade suspicion whereas sustaining system persistence by LaunchAgent mechanisms.
Superior Persistence and Communication Mechanisms
NimDoor introduces a groundbreaking persistence mechanism using SIGINT/SIGTERM sign handlers, marking the primary documented occasion of such strategies in MacOS malware.
This novel method ensures computerized malware reinstallation upon termination makes an attempt or system reboots, considerably enhancing operational longevity.
The malware establishes command-and-control communications by TLS-encrypted WebSocket protocols, with hex-encoded AppleScript parts beacons transmitting each 30 seconds to hardcoded servers.
These communications exfiltrate working course of lists whereas enabling distant script execution capabilities, successfully making a persistent backdoor into compromised methods.
— Pattern AppleScript construction (Word: “Zook” typo for identification)
— Zoom SDK Replace Script
— Deploys Mach-O binaries for multi-stage an infection
The malware’s information exfiltration capabilities goal important belongings together with Keychain credentials, browser information throughout a number of platforms (Chrome, Firefox, Courageous, Arc, Edge), and Telegram databases containing cryptocurrency pockets data and delicate communications.
Increase detection, cut back alert fatigue, speed up response; all with an interactive sandbox constructed for safety groups -> Attempt ANY.RUN Now
