A sophisticated new macOS malware campaign, dubbed NimDoor, has been uncovered by SentinelOne, which links its operations to the North Korea-affiliated Stardust Chollima group (also known as TA444, APT38, and BlueNoroff).
Targeting Web3 and cryptocurrency organizations, NimDoor stands out for using binaries compiled in the Nim programming language, a rarity on macOS that complicates detection and static analysis.
Active since at least April 2025, the campaign combines advanced social engineering and technical innovation, and it poses a persistent threat to high-value financial targets.
Social Engineering with Fake Zoom SDK Updates
NimDoor’s infection chain originates from social engineering on Telegram, a platform favored by crypto professionals.
Attackers painstakingly impersonate trusted contacts, inviting victims to schedule Zoom meetings via Calendly.
Following this initial engagement, victims receive a crafted email containing a malicious AppleScript disguised as a “Zoom SDK update.”
A minor yet telling typo in the script’s comment, which refers to “Zook” instead of “Zoom”, has assisted researchers in identifying it.
Once executed, the script launches a multi-stage infection, deploying two Mach-O binaries: a C++ binary for immediate payload decryption and theft, and a Nim-compiled installer responsible for deeper system compromise.
NimDoor’s innovation lies in its use of Nim for implementation, a language choice that interweaves developer and runtime code at compile time, thwarting traditional static analysis methods.
According to a PolySwarm report, this mirrors earlier North Korean ventures with cross-platform languages such as Go and Rust, which are increasingly adopted for their evasion potential.
Beyond the unusual language choice, NimDoor employs process injection (still rare on macOS) and communicates covertly with its command-and-control (C2) servers via TLS-encrypted WebSockets (wss).
Its AppleScript component, hex-encoded to resist detection, beacons to two hardcoded C2 addresses every 30 seconds, transmitting live process lists and accepting remote scripts for execution.
Persistence is maintained through a novel mechanism: a SIGINT/SIGTERM signal handler.
If administrators attempt to terminate NimDoor or the system reboots, this signal handler reinstalls the malware, making it exceptionally challenging to eradicate, a first in the macOS malware landscape.
To guarantee broader reach, the installer also deploys the “GoogIe LLC” (intentionally misspelled) and “CoreKitAgent” binaries, both registered as LaunchAgents, helping the malware survive reboots and user logouts.
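As an added defensive example (not code from the article or from SentinelOne's research), the helper below checks LaunchAgent plists for the two persistence tricks described above: a vendor name spelled with look-alike glyphs, such as “GoogIe” with a capital I, and the binary names reported for this campaign. The vendor list is an assumption to tune per fleet, and the sample plists are constructed, not real artifacts.

```python
"""Added hunting helper: flag LaunchAgent plists whose Label or program name
imitates a trusted vendor with look-alike glyphs or matches a reported campaign name."""
import plistlib
from pathlib import Path

TRUSTED_VENDORS = ("google", "apple", "zoom", "microsoft")  # assumption: tune per fleet
CAMPAIGN_NAMES = {"googie llc", "corekitagent"}  # names reported for NimDoor persistence
# Fold glyphs that look alike in common UI fonts: I, 1, | -> l and 0 -> o.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

def normalize(name: str) -> str:
    """Fold look-alike glyphs before lowercasing, so 'GoogIe' becomes 'google'."""
    return name.translate(HOMOGLYPHS).lower()

def spoofed_vendor(name: str):
    """Return the vendor imitated when the folded form contains a trusted vendor
    name but the literal text does not; None for genuine names."""
    literal, folded = name.lower(), normalize(name)
    for vendor in TRUSTED_VENDORS:
        if vendor in folded and vendor not in literal:
            return vendor
    return None

def assess_launch_agent(plist_bytes: bytes) -> list:
    """Return findings for one LaunchAgent plist (empty list when clean)."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    findings = []
    for field, value in (("Label", data.get("Label", "")), ("Program", args[0])):
        base = str(value).rsplit("/", 1)[-1]  # keep only the file name of a path
        if base.lower() in CAMPAIGN_NAMES:
            findings.append(f"{field} matches reported campaign name: {base}")
        vendor = spoofed_vendor(base)
        if vendor:
            findings.append(f"{field} is a look-alike of '{vendor}': {base}")
    return findings

def scan_launch_agents(directory: Path) -> dict:
    """Map each flagged plist under `directory` (e.g. ~/Library/LaunchAgents) to its findings."""
    return {p.name: f for p in directory.glob("*.plist")
            if (f := assess_launch_agent(p.read_bytes()))}

# Constructed sample plist (not a real artifact) shaped like the spoofed agent.
SAMPLE_SPOOFED = b"""<plist version="1.0"><dict><key>Label</key><string>com.GoogIe.LLC</string>
<key>ProgramArguments</key><array><string>/Users/me/Library/GoogIe LLC</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
# Constructed clean sample: the literal text already contains the vendor name.
SAMPLE_CLEAN = b"""<plist version="1.0"><dict><key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array><string>/Library/Google/GoogleSoftwareUpdateAgent</string></array></dict></plist>"""
```

Run `scan_launch_agents(Path.home() / "Library" / "LaunchAgents")` on a host to review user-level agents; a hit is a lead for triage, not proof of compromise.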
Information Theft
Once embedded, NimDoor launches Bash scripts to exfiltrate a wide array of sensitive data.
Its primary targets are macOS Keychain credentials, local browser stores (covering Chrome, Safari, Firefox, Brave, Arc, and Edge), and Telegram messaging databases, each of which may harbor cryptocurrency wallet access, personal secrets, and business-critical credentials.
During this exfiltration stage, attackers distract victims with genuine Zoom meetings to deflect suspicion and buy time for data theft.
Attribution points strongly to Stardust Chollima, a threat actor operating under the aegis of North Korea’s Reconnaissance General Bureau.
Known for elaborate spear-phishing, use of deepfake technology, and tailored malware disguised as legitimate software, the group targets cryptocurrency exchanges, blockchain projects, and tech firms worldwide, especially in the US, Europe, South Korea, and Japan.
Financial theft and intelligence gathering to circumvent global sanctions remain the group’s primary objectives.
NimDoor’s emergence signals a rising trend of targeted macOS attacks in the crypto sector, blending social, technical, and operational sophistication.
Security teams operating in crypto, fintech, and related sectors are urged to maintain heightened vigilance and adopt threat-hunting measures tailored to cross-platform, signal-resilient malware.
Indicators of Compromise (IOC)