NimDoor - The New macOS Malware That Revives Itself
SentinelOne's threat research team, led by Phil Stokes and Raffaele Sabato, has identified a sophisticated macOS malware campaign named NimDoor. This campaign, attributed to North Korean state-sponsored threat actors, specifically targets Web3 and cryptocurrency businesses.

In a significant departure from typical macOS threats, the attackers compile key components in the Nim programming language, implementing a multi-stage attack chain that blends social engineering, scripting, compiled binaries, and novel persistence techniques.
The campaign initiates with social engineering tactics executed over Telegram, a communication service favored by many cryptocurrency-adjacent businesses. The adversaries impersonate trusted contacts, inviting targets to schedule meetings via Calendly. These meetings occur on Zoom, with attackers distributing a deceptive "Zoom SDK update script" via email.
The script masquerades as legitimate but acts as the infection vector. SentinelOne observed the associated payload, named zoom_sdk_support.scpt, padded with roughly 10,000 blank lines to hide its logic and carrying a telling typo ("Zook SDK Update").
This script retrieves a second-stage installer from a faux Zoom-like domain such as support.us05web-zoom[.]forum, which mimics legitimate Zoom infrastructure. Sibling domains under .pro, .cloud, and .online point to a larger, coordinated campaign.
Once executed, the initial script downloads a file named check, an HTML redirect that embeds a genuine Zoom meeting link. By fetching it with curl and running the stages through AppleScript, the attackers preserve the appearance of a legitimate Zoom SDK update while proceeding to deploy the malicious binaries.
This careful choreography demonstrates the adversaries' intent to fool users and evade defensive mechanisms even before they have gained persistence on a victim's machine.
Post-execution, the attack branches into two parallel execution chains. One chain deploys a C++ binary named "a" into /private/var/tmp. This universal binary, internally called InjectWithDyldArm64, decrypts and deploys two embedded binaries:
- A benign decoy, Target, and a malicious loader, trojan1_arm64. Both are stored encrypted with AES-CBC under a key derived via PBKDF2 with HMAC-SHA-256, and InjectWithDyldArm64 decrypts them at runtime.
- InjectWithDyldArm64 then launches Target in a suspended state via posix_spawn, injects trojan1_arm64 into it, and resumes the process with SIGCONT. Such process injection is rare on macOS and requires elevated privileges, which this binary carries.
Following the injection, trojan1_arm64 initiates encrypted communications with a command-and-control (C2) server over wss://, that is, WebSocket over TLS. This is an unusual technique for macOS threats.
This component wraps its traffic in multiple layers of RC4 encryption and Base64 encoding and supports JSON-formatted commands such as execCmd, getSysInfo, and setCwd, giving the operators remote command execution and information gathering.
The second chain, initiated by a Nim-compiled binary named installer, sets up the persistence mechanisms. This installer writes a LaunchAgent (com.google.update.plist) into the user's ~/Library/LaunchAgents and creates directories at ~/Library/CoreKit and ~/Library/Application Support/GoogIe LLC. The "GoogIe LLC" name uses an uppercase "I" in place of the lowercase "l" so that it reads as "Google" at a glance.
This installer drops two additional Nim binaries: GoogIe LLC and CoreKitAgent. GoogIe LLC writes an encrypted configuration file (either at /private/tmp/cfg or /private/tmp/.config, depending on the variant), embedding environmental and hardcoded data. CoreKitAgent reads this file and spawns the LaunchAgent, providing persistence across logins and reboots.
CoreKitAgent is the attack's most complex stage. It includes an asynchronous, event-driven state machine built on the Nim runtime and macOS kqueue. Notably, it installs SIGINT and SIGTERM handlers to detect user or system termination attempts.
Upon catching either signal, CoreKitAgent rewrites its LaunchAgent plist, redeploys the loader and itself, and re-applies execute permissions. This keeps the infection in place even during and after removal attempts.
The malware also integrates an embedded AppleScript beacon. CoreKitAgent decodes this script from obfuscated hex, writes it to ~/.ses, and launches it via osascript.
The script beacons every 30 seconds to the hardcoded C2 domains writeup[.]live and safeup[.]store, sending a process listing, then waits for and executes any script returned, effectively functioning as a lightweight remote backdoor.
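One way to hunt for the persistence artifacts described in this section (the LaunchAgent label, the homoglyph "GoogIe LLC" directory, ~/Library/CoreKit, the ~/.ses beacon script and the /private/tmp/cfg or .config configuration file) is a file-system sweep. The script below is an added example, not SentinelOne's or PCrisk's code; the file and directory names are those reported above, and the two optional arguments (home directory, tmp root) are assumptions added so that the same function can be run against a constructed test tree rather than a live Mac.

```shell
#!/bin/sh
# Added example: file-system hunt for the NimDoor persistence artifacts named in the write-up.
# Usage: nimdoor_hunt [home_dir] [tmp_root]
#   home_dir defaults to $HOME, tmp_root to /private/tmp (both overridable for testing).
# Prints one line per finding. Exit status 0 = something found, 1 = clean.
nimdoor_hunt() {
    home="${1:-$HOME}"
    tmproot="${2:-/private/tmp}"
    found=1

    # 1. LaunchAgents: the installer writes com.google.update.plist and CoreKitAgent
    #    rewrites it on SIGINT/SIGTERM, so match on the label, the homoglyph
    #    directory name ("GoogIe LLC", capital I) and the agent binary name.
    for plist in "$home/Library/LaunchAgents"/*.plist; do
        [ -f "$plist" ] || continue
        if grep -q -e 'com\.google\.update' -e 'GoogIe LLC' -e 'CoreKitAgent' "$plist"; then
            echo "suspicious LaunchAgent: $plist"
            found=0
        fi
    done

    # 2. Dropped directories and files from the second chain.
    for path in \
        "$home/Library/CoreKit" \
        "$home/.ses" \
        "$tmproot/cfg" \
        "$tmproot/.config"; do
        [ -e "$path" ] && { echo "NimDoor artifact present: $path"; found=0; }
    done

    # 3. Homoglyph check: any Application Support entry that spells "Google" with a
    #    capital I. grep/case are case-sensitive, so the real "Google" is not matched.
    for dir in "$home/Library/Application Support"/*; do
        [ -e "$dir" ] || continue
        case "${dir##*/}" in
            *GoogIe*) echo "homoglyph directory name: $dir"; found=0 ;;
        esac
    done

    return $found
}

# Optional live checks for a real Mac; skipped where launchctl is absent (e.g. a Linux test box).
nimdoor_live_check() {
    command -v launchctl >/dev/null 2>&1 || return 1
    launchctl list 2>/dev/null | grep -q 'com\.google\.update' && echo "loaded LaunchAgent: com.google.update"
    ps -axo command 2>/dev/null | grep -v grep | grep -q 'osascript.*\.ses' && echo "osascript running the ~/.ses beacon"
    return 0
}
```

Run it as the affected user, since the paths are per-user. The sweep only knows the names reported here, so a variant that renames its files will slip past it; pair it with the behavioural indicators from the report (wss connections from unsigned binaries, osascript launched from a hidden file, a LaunchAgent that reappears after deletion) rather than relying on the file names alone.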
NimDoor Targets Web3 Applications
Having achieved persistence, the malware proceeds to data theft. trojan1_arm64 downloads two bash scripts, upl and tlgrm. upl harvests browser data from Arc, Brave, Chrome, Edge, and Firefox, along with Keychain files and shell history for both bash and zsh.
It compresses this data and exfiltrates it to https://dataupload.store/uploadfiles. The tlgrm script targets Telegram's local database (postbox/db) and its encrypted key blob, sending the stolen Telegram content to the same endpoint.
SentinelOne's researchers highlight Nim as a language and script-binary hybrid attacks as emerging trends. Attackers have previously used Go and Rust in macOS malware, but have recently shifted to Nim, whose compile-time execution of functions and tight interleaving of Nim runtime code with the author's own code complicate analysis of the resulting binaries.
Pairing Nim binaries with AppleScript, RC4-based WSS communication, and signal-triggered persistence demonstrates a significant evolution of macOS threat techniques.
The discovery underscores a growing threat to high-value targets in the Web3 and crypto sectors. DPRK actors deploy a resilient, stealthy, adaptive attack chain by blending social engineering, process injection, encrypted communications, persistent LaunchAgents, scripting, and cross-stage encryption.
SentinelOne urges defenders to focus on key indicators of compromise—including suspicious LaunchAgents, unexpected AppleScript usage, wss connections from macOS binaries, and usage of obfuscated Nim-compiled code—when hunting for NimDoor.
This analysis further illustrates how adversaries have adopted less-familiar languages like Nim to outpace traditional detection techniques. Their use of signal-triggered persistence, encrypted WebSocket communication, and deployment of scripting and compiled components reveals a maturing, modular threat architecture.
As this campaign shows, defenders must invest in understanding emerging languages, macOS scripting and entitlements, and anomaly-based detection to counter these sophisticated threats.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over 8 years of experience in this field. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.