Upon execution, NimDoor triggers a multi-stage infection deploying two distinct Mach-O binaries: a C++ binary responsible for payload decryption and data theft operations, and a Nim-compiled “installer” that establishes persistence components. The malware, attributed to North Korea-linked threat actors likely associated with Stardust Chollima, represents a significant evolution in offensive capabilities against MacOS systems, having been active since at least April 2025. The malware’s data exfiltration capabilities target critical assets including Keychain credentials, browser data across multiple platforms (Chrome, Firefox, Brave, Arc, Edge), and Telegram databases containing cryptocurrency wallet information and sensitive communications. The malware deploys deliberately misspelled components including “GoogIe LLC” and “CoreKitAgent” to evade suspicion while maintaining system persistence through LaunchAgent mechanisms. PolySwarm analysts identified NimDoor’s unique utilization of the Nim programming language, a rare choice for MacOS malware that complicates static analysis through compile-time execution mechanisms. The malware’s creators inadvertently left identification markers, including a deliberate typo changing “Zoom” to “Zook” in script comments, which aids in detection and analysis. NimDoor introduces a groundbreaking persistence mechanism utilizing SIGINT/SIGTERM signal handlers, marking the first documented instance of such techniques in MacOS malware. A sophisticated MacOS malware campaign dubbed NimDoor has emerged, targeting Web3 and cryptocurrency organizations through weaponized Zoom SDK updates. The malware establishes command-and-control communications through TLS-encrypted WebSocket protocols, with hex-encoded AppleScript components beacons transmitting every 30 seconds to hardcoded servers. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. These communications exfiltrate running process lists while enabling remote script execution capabilities, effectively creating a persistent backdoor into compromised systems. The attack orchestration begins with elaborate social engineering tactics where threat actors impersonate trusted contacts on Telegram, inviting victims to schedule Zoom meetings via Calendly. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. This novel approach ensures automatic malware reinstallation upon termination attempts or system reboots, significantly enhancing operational longevity. Tushar is a Cyber security content editor with a passion for creating captivating and informative content.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 16 Jul 2025 15:50:15 +0000