NimDoor: North Korea’s Latest Cyber Exploit Targets Crypto
In April 2025, a wave of cyberattacks targeting Web3 and cryptocurrency businesses revealed a new weapon in the arsenal of North Korean threat actors: NimDoor, a macOS malware compiled in the Nim programming language.
Forensically dissected in this detailed report by researchers at SentinelOne's SentinelLabs, the campaign showcases the Democratic People’s Republic of Korea’s (DPRK) evolving tactics, blending social engineering, novel persistence mechanisms, and cross-platform coding to infiltrate high-value targets.
The use of Nim, a lesser-known programming language, alongside AppleScripts and encrypted WebSocket communications, marks a shift towards more complex and stealthy operations.
Social Engineering: A Familiar Opening
The attack begins with a tried-and-tested DPRK tactic: impersonating a trusted contact via Telegram to lure victims into scheduling a meeting through Calendly. Victims receive an email with a Zoom meeting link and instructions to run a fraudulent “Zoom SDK update script.” This script, hosted on attacker-controlled domains mimicking Zoom’s legitimate infrastructure (e.g., support.us05web-zoom[.]forum), is an AppleScript named *zoom_sdk_support.scpt*. Padded with 10,000 lines of whitespace to evade detection, it contains a typo—“Zook” instead of “Zoom”—revealing the attackers’ carelessness.
The script fetches a second-stage payload from a command-and-control (C2) server, initiating the infection chain.
NimDoor’s Technical Mastery
The campaign’s core innovation lies in its use of Nim-compiled binaries, a rarity in macOS malware. Two primary Mach-O binaries, *a* and *installer*, are dropped into /private/var/tmp. The *a* binary, written in C++, deploys an encrypted payload called *netchk*, which orchestrates data exfiltration. It uses a Password-Based Key Derivation Function 2 (PBKDF2) with the password “gift123$%^” to decrypt two embedded binaries: a benign *Target* binary and the malicious *trojan1_arm64*. The latter is injected into *Target* using a sophisticated process injection technique, enabled by specific macOS entitlements. This injected code communicates with a C2 server via TLS-encrypted WebSocket (wss), a method uncommon in macOS malware, employing multiple layers of RC4 encryption and JSON-formatted messages.
The *installer* binary, compiled from Nim, sets up persistence by creating a LaunchAgent at ~/Library/LaunchAgents/com.google.update.plist. It deploys two additional Nim binaries: *GoogIe LLC* (with a capital “I” standing in for the lowercase “l” to mimic Google) and *CoreKitAgent*. These ensure long-term access, with *CoreKitAgent* using a state-driven kqueue mechanism and a novel persistence trick: it intercepts SIGINT and SIGTERM signals (triggered by user or system attempts to terminate the process) to redeploy its components, ensuring resilience against basic defensive measures.
Data Theft With Precision
NimDoor’s data-stealing capabilities are executed via two Bash scripts, *upl* and *tlgrm*. The *upl* script targets browser data from Arc, Brave, Firefox, Chrome, and Edge, as well as Keychain credentials and shell history files. These are compressed and exfiltrated to a C2 server at dataupload[.]store. The *tlgrm* script focuses on Telegram, stealing its encrypted database and decryption key for potential offline cracking.
Both scripts use near-identical exfiltration functions, indicating a streamlined approach to data theft.
AppleScript As Beacon & Backdoor
A standout feature is the use of AppleScript as a lightweight beacon and backdoor. Embedded in *CoreKitAgent*, an AppleScript at ~/.ses decodes hexadecimal strings to fetch the current timestamp, generate a unique ID, and beacon every 30 seconds to C2 servers (writeup[.]live or safeup[.]store). It lists running processes and executes any commands received, blending seamlessly with macOS’s native scripting environment to avoid detection.
Why Nim?
The choice of Nim, a language known for its compile-time execution and cross-platform compatibility, reflects DPRK actors’ shift towards tools that complicate analysis. Unlike Go or Rust, previously used by North Korean groups, Nim’s ability to interweave developer and runtime code obscures control flow, challenging reverse engineers.
Combined with macOS-specific features like AppleScript and signal handling, NimDoor demonstrates a calculated effort to exploit less-scrutinised technologies.
A Broader Campaign
SentinelLabs’ findings align with reports from Huntabil.IT and Huntress, which noted similar attack chains targeting Web3 firms. Parallel domains (e.g., support.us06web-zoom[.]online) suggest a broader campaign with tailored URLs for each victim. The infrastructure’s overlap with earlier DPRK operations, such as fake Zoom domains, ties NimDoor to established tactics while showcasing innovation in payload delivery and persistence.
Implications For Defenders
NimDoor’s complexity underscores the need for defenders to adapt to emerging languages and techniques. Its use of wss, process injection, and signal-based persistence highlights active development to bypass security measures.
SentinelLabs urges analysts to study Nim and similar languages, as their obscurity offers attackers an edge.
Indicators of compromise, including domains, file paths, and binary hashes, are provided to aid detection, but the campaign’s sophistication suggests DPRK actors will continue refining their skills, posing ongoing risks to high-value sectors like cryptocurrency.
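The following is an added host-triage example, not code from SentinelLabs or this article, that checks a constructed host snapshot for the artefacts named above (the LaunchAgent, the dropped binaries in /private/var/tmp, the ~/.ses beacon script, the GoogIe homoglyph process name, and the published C2 domains). The snapshot format and the helper names are assumptions for illustration.

```python
"""Triage helper (added example) for the NimDoor artefacts described in the write-up."""

# Indicators as given in the write-up; domains kept in their defanged form.
LAUNCH_AGENT_PATH = "~/Library/LaunchAgents/com.google.update.plist"
FILE_IOCS = {"/private/var/tmp/a", "/private/var/tmp/installer", "~/.ses"}
C2_DOMAINS = {"support.us05web-zoom[.]forum", "support.us06web-zoom[.]online",
              "dataupload[.]store", "writeup[.]live", "safeup[.]store"}


def refang(domain):
    """Turn a defanged 'example[.]com' back into the form seen in connection logs."""
    return domain.replace("[.]", ".")


def looks_like_google_homoglyph(name):
    """True for 'GoogIe' (capital I standing in for lowercase l), False for 'Google'."""
    if "google" in name.lower():
        return False          # the genuine spelling is not a finding by itself
    return "google" in name.replace("I", "l").lower()


def triage(snapshot):
    """Return (category, value) findings for a snapshot dict of host observations."""
    findings = []
    for agent in snapshot.get("launch_agents", []):
        if agent["path"] == LAUNCH_AGENT_PATH or agent["label"] == "com.google.update":
            findings.append(("launch_agent", agent["path"]))
    for path in snapshot.get("files", []):
        if path in FILE_IOCS:
            findings.append(("file", path))
    for proc in snapshot.get("processes", []):
        if looks_like_google_homoglyph(proc) or proc == "CoreKitAgent":
            findings.append(("process", proc))
    c2_hosts = {refang(d) for d in C2_DOMAINS}
    for host in snapshot.get("connections", []):
        if host in c2_hosts:
            findings.append(("c2", host))
    return findings


# Constructed snapshot for illustration; not a real capture.
SAMPLE_SNAPSHOT = {
    "launch_agents": [
        {"label": "com.apple.example", "path": "~/Library/LaunchAgents/com.apple.example.plist"},
        {"label": "com.google.update", "path": "~/Library/LaunchAgents/com.google.update.plist"},
    ],
    "files": ["/private/var/tmp/installer", "/Users/me/.zshrc", "~/.ses"],
    "processes": ["Google Chrome", "GoogIe LLC", "CoreKitAgent", "Finder"],
    "connections": ["api.github.com", "writeup.live"],
}

if __name__ == "__main__":
    for category, value in triage(SAMPLE_SNAPSHOT):
        print(f"{category}: {value}")
```

When acting on a hit, remove the LaunchAgent before stopping the process, and remember that the SIGINT/SIGTERM handler described above only triggers the redeploy path; SIGKILL cannot be intercepted by a handler.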