macOS NimDoor | North Korean Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

July 4, 2025, 10:14 a.m.

Description

DPRK threat actors are targeting Web3 and crypto-related businesses using Nim-compiled binaries and multiple attack chains. The malware, dubbed NimDoor, employs unusual techniques for macOS, including process injection and encrypted WebSocket communications. It uses a novel persistence mechanism leveraging signal handlers and deploys AppleScripts as beacons and backdoors. The attack chain begins with social engineering via Telegram, leading to the execution of malicious scripts and binaries. The malware exfiltrates browser data, Keychain credentials, and Telegram user information. The use of Nim introduces new levels of complexity for analysts, blending complex behavior into binaries with less obvious control flow.

Date

  • Created: July 4, 2025, 9:39 a.m.
  • Published: July 4, 2025, 9:39 a.m.
  • Modified: July 4, 2025, 10:14 a.m.

Indicators

  • 469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f
  • support.us06web-zoom.online
  • support.us05web-zoom.pro
  • support.us05web-zoom.forum
  • support.us05web-zoom.cloud
  • writeup.live
  • safeup.store
  • dataupload.store
  • firstfromsep.online

Attack Patterns

Additional Information

  • Technology
  • Finance