A newly observed campaign by North Korean (DPRK)-linked threat actors is raising alarms across the Web3 and cryptocurrency ecosystem, as multiple reports confirm the use of sophisticated, cross-platform malware targeting macOS environments.
According to SentinelLABS and corroborated by researchers at Huntabil.IT and Huntress, the attackers are deploying a multi-stage infection chain that skillfully combines C++, Nim-compiled binaries, AppleScript, and Bash scripts, marking a significant evolution in the DPRK’s macOS attack arsenal.
DPRK-Linked Campaign Targets Web3
The campaign’s initial access vector reuses a well-worn social engineering tactic: impersonating trusted contacts via Telegram and business meeting platforms like Calendly.
Victims are lured into running a rogue “Zoom SDK update script,” which is actually an AppleScript file padded with up to 10,000 lines of whitespace to hide the malicious code from casual inspection.
The script, hosted on attacker-controlled domains mimicking Zoom infrastructure, fetches and executes a second-stage payload, eventually launching a complex series of infection routines.
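The whitespace padding described above is itself a usable triage signal: a legitimate AppleScript rarely contains hundreds of consecutive blank lines. The Python below is an added example, not code from the article or from the researchers it cites. It measures blank-line runs and ratios in a script, flags the file when they exceed thresholds, and surfaces the lines that hand control to a shell or the network so an analyst sees the payload logic first. The thresholds, the marker regex and the two sample scripts are this example's own assumptions and constructions; the only figure taken from the report is the "up to 10,000 lines" observation that motivates the check.

```python
import re
from dataclasses import dataclass

# Heuristic thresholds (assumptions for this example, not figures from the report).
# The report only states that the lure was padded with up to 10,000 whitespace
# lines, so hundreds of consecutive blank lines is already worth an analyst's look.
MAX_BLANK_RUN = 200        # longest run of whitespace-only lines tolerated
MAX_BLANK_RATIO = 0.90     # fraction of whitespace-only lines that is clearly abnormal
MIN_LINES_FOR_RATIO = 100  # tiny scripts are judged on run length only

# AppleScript constructs that reach a shell or the network; listing them after a
# padding block is what a triage analyst wants to see first (assumed list).
CODE_MARKERS = re.compile(r"do shell script|curl|osascript|/bin/sh|launchctl", re.IGNORECASE)


@dataclass
class PaddingReport:
    total_lines: int
    blank_lines: int
    longest_blank_run: int
    blank_ratio: float
    suspicious: bool
    flagged_lines: list  # (line number, stripped text) for lines matching CODE_MARKERS


def analyze_script(text: str) -> PaddingReport:
    """Measure whitespace padding in an AppleScript source and surface shell/network calls."""
    lines = text.splitlines()
    total = len(lines)
    blank = run = longest = 0
    flagged = []
    for idx, line in enumerate(lines, start=1):
        if line.strip() == "":
            blank += 1
            run += 1
            longest = max(longest, run)
            continue
        run = 0
        if CODE_MARKERS.search(line):
            flagged.append((idx, line.strip()))
    ratio = blank / total if total else 0.0
    suspicious = longest >= MAX_BLANK_RUN or (
        total >= MIN_LINES_FOR_RATIO and ratio >= MAX_BLANK_RATIO
    )
    return PaddingReport(total, blank, longest, ratio, suspicious, flagged)


def strip_padding(text: str) -> str:
    """Return the script with whitespace-only lines removed, for side-by-side review."""
    return "\n".join(line for line in text.splitlines() if line.strip())


# Constructed samples for demonstration; neither is a real artifact from the campaign.
BENIGN_SCRIPT = "\n".join([
    "-- constructed benign sample",
    'tell application "Finder"',
    "    activate",
    "end tell",
    "",
    'display dialog "done"',
])

PADDED_SCRIPT = "\n".join(
    ["-- constructed padded sample", 'set x to "zoom sdk update"']
    + [" " * 4] * 2000                     # 2,000 whitespace-only lines of padding
    + ['do shell script "echo stage2"']    # the one line that actually does anything
)

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_SCRIPT), ("padded", PADDED_SCRIPT)):
        rep = analyze_script(src)
        print(f"{name}: lines={rep.total_lines} blank={rep.blank_lines} "
              f"longest_run={rep.longest_blank_run} suspicious={rep.suspicious}")
        for ln, code in rep.flagged_lines:
            print(f"  line {ln}: {code}")
```

Run it against a directory of `.scpt` or `.applescript` sources exported as text; compiled `.scpt` files must be decompiled first (for example with `osadecompile`), since the padding lives in the source, not the bytecode.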
Upon execution, two Mach-O binaries, one written in C++ and one in Nim, are downloaded into temporary directories.
The C++ binary, ad-hoc signed as InjectWithDyldArm64, decrypts a second-stage payload and injects it into a benign process using POSIX process-injection techniques and entitlements rarely seen in the macOS malware landscape.
Once injected, the malicious code establishes encrypted remote communications over wss (WebSocket Secure), an unusual but effective channel for command and control: it is hard to inspect and rarely monitored at the endpoint level.
Technical Progression
The malware’s modular design allows for extensive data exfiltration using Bash scripts that target browser caches, local Telegram data, and crucially, macOS Keychain files.
Credential, chat, and history data are packaged and exfiltrated to attacker infrastructure using obfuscated curl uploads.
Meanwhile, initial AppleScripts serve as lightweight beacons and persistent backdoors, polling attacker servers for command execution.
Nim-compiled binaries with deceptive names, such as “GoogIe LLC” (a capital ‘I’ in place of the lowercase ‘l’), are used to establish persistence, notably through a novel technique that relies on SIGINT and SIGTERM signal handlers.
When attempts are made to terminate the malware or reboot the system, these handlers reinstall persistence components, defeating basic defensive efforts.
According to the report, the CoreKitAgent module, the campaign’s most advanced Nim binary, uses macOS’s kqueue mechanism and a state-machine-driven execution flow, making analysis and detection more challenging.
It further complicates sandboxing attempts with asynchronous sleep routines and heavy string obfuscation.
Embedded AppleScripts decoded at runtime serve as both beaconing agents and further backdoors, communicating regularly with hardcoded C2 domains, and executing attacker-supplied scripts on demand.
The attack, referred to as “NimDoor,” stands out in the macOS threat landscape for its technical sophistication, cross-platform modularity, and persistent abuse of legitimate system components.
As macOS malware authors increasingly adopt niche languages like Nim, defenders must rapidly adapt detection strategies to keep pace with adversary innovation.
Key Indicators of Compromise (IOC)
| Type | Identifier/Value | Description |
| --- | --- | --- |
| Domains | dataupload[.]store | Upl/tlgrm C2 |
| Domains | firstfromsep[.]online | netchk C2 |
| Domains | safeup[.]store, writeup[.]live | CoreKit C2 |
| Domains | support[.]us05web-zoom[.]pro, .forum, .cloud, .online | Zoom/AppleScript C2 infrastructure |
| File Paths | ~/Library/Application Support/Google LLC/GoogIe LLC | Payload location |
| File Paths | ~/Library/LaunchAgents/com.google.update.plist | Persistence plist |
| File Paths | ~/.ses | Embedded AppleScript location |
| File Paths | ~/Library/DnsService/a, ~/Library/DnsService/netchk | Binaries |
| File Paths | /private/tmp/.config, /private/tmp/cfg | Config files |
| Binaries (SHA-1) | 027d4020f2dd1eb473636bc112a84f0a90b6651c | trojan1_arm64 |
| Binaries (SHA-1) | 2c0177b302c4643c49dd7016530a4749298d964c | CoreKitAgent |
| Scripts (SHA-1) | 023a15ac687e2d2e187d03e9976a89ef5f6c1617 | zoom_sdk_support.scpt |
| Scripts (SHA-1) | 4743d5202dbe565721d75f7fb1eca43266a652d4 | upl |
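The host-based indicators above can be swept for directly on an endpoint. The Python below is an added example, not code from the article or from the researchers it cites: it checks a home directory for the listed file paths, hashes any files found there against the listed SHA-1 values, and inspects every plist in ~/Library/LaunchAgents for a program path that points into the “GoogIe LLC” lookalike directory or the DnsService directory from the table. The path, hash and domain values are copied from the IOC table; the `home` parameter (so the scan can be pointed at a mounted image or a test directory), the finding format and the lookalike-marker check are this example's own assumptions.

```python
import hashlib
import plistlib
from pathlib import Path
from typing import Iterable

# Values below are taken from the article's IOC table.
IOC_SHA1 = {
    "027d4020f2dd1eb473636bc112a84f0a90b6651c": "trojan1_arm64",
    "2c0177b302c4643c49dd7016530a4749298d964c": "CoreKitAgent",
    "023a15ac687e2d2e187d03e9976a89ef5f6c1617": "zoom_sdk_support.scpt",
    "4743d5202dbe565721d75f7fb1eca43266a652d4": "upl",
}
IOC_HOME_PATHS = [            # relative to the user's home directory
    "Library/Application Support/Google LLC/GoogIe LLC",
    "Library/LaunchAgents/com.google.update.plist",
    ".ses",
    "Library/DnsService/a",
    "Library/DnsService/netchk",
]
IOC_ABS_PATHS = ["/private/tmp/.config", "/private/tmp/cfg"]
# Strings that identify the lookalike payload directory (capital 'I' for 'l') and the
# DnsService drop location when they appear in a LaunchAgent's program path. The
# marker approach is this example's assumption, not a detection from the report.
LOOKALIKE_MARKERS = ("GoogIe LLC", "Library/DnsService")


def sha1_of(path: Path) -> str:
    """SHA-1 of a file, streamed so large binaries are not read into memory at once."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _files_under(p: Path) -> Iterable[Path]:
    """Yield p itself if it is a file, or every regular file below it if a directory."""
    if p.is_file():
        yield p
    elif p.is_dir():
        yield from (c for c in p.rglob("*") if c.is_file())


def scan_ioc_paths(home: Path, abs_paths: Iterable[str] = IOC_ABS_PATHS) -> list:
    """Report IOC paths that exist and any file under them whose SHA-1 is in the IOC list."""
    findings = []
    candidates = [home / rel for rel in IOC_HOME_PATHS] + [Path(a) for a in abs_paths]
    for cand in candidates:
        if not cand.exists():
            continue
        findings.append(f"ioc-path {cand}")
        for f in _files_under(cand):
            digest = sha1_of(f)
            if digest in IOC_SHA1:
                findings.append(f"ioc-hash {f} {IOC_SHA1[digest]} {digest}")
    return findings


def scan_launch_agents(home: Path) -> list:
    """Flag LaunchAgents whose Program/ProgramArguments reference the IOC drop locations."""
    findings = []
    agents_dir = home / "Library" / "LaunchAgents"
    if not agents_dir.is_dir():
        return findings
    for plist_path in sorted(agents_dir.glob("*.plist")):
        try:
            with plist_path.open("rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # malformed plists are themselves worth a look
            findings.append(f"unparsable-plist {plist_path} ({exc})")
            continue
        targets = [str(data.get("Program", ""))] + [str(a) for a in data.get("ProgramArguments") or []]
        for target in targets:
            if any(marker in target for marker in LOOKALIKE_MARKERS):
                findings.append(f"suspicious-agent {plist_path} -> {target}")
                break
    return findings


if __name__ == "__main__":
    for line in scan_ioc_paths(Path.home()) + scan_launch_agents(Path.home()):
        print(line)
```

Checking LaunchAgents by what they execute, rather than only by the com.google.update.plist filename, catches a renamed persistence plist that still points at the same payload directory; extend `LOOKALIKE_MARKERS` if later reporting adds drop locations.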