A sophisticated new macOS malware campaign has emerged targeting Web3 and cryptocurrency platforms, employing advanced techniques rarely seen in Apple’s ecosystem. The malware, designated as NimDoor by security researchers, represents a significant evolution in macOS threats through its use of process injection capabilities and encrypted WebSocket communications to steal sensitive user credentials and financial data.

The attack campaign begins with a familiar social engineering approach, where North Korean threat actors impersonate trusted contacts through Telegram messaging to arrange fake business meetings. The attack chain deploys multiple components written in different programming languages, including AppleScript for initial access, C++ for process injection, and, uniquely, Nim-compiled binaries for core functionality. This diverse technological approach demonstrates the threat actors’ commitment to developing sophisticated tooling that can effectively compromise modern macOS systems while remaining difficult to analyze and detect.

SentinelOne analysts identified that the malware employs a rare process injection technique on macOS, utilizing specialized system entitlements typically reserved for debugging tools to inject malicious code into legitimate processes. The malware communicates with its command and control infrastructure using the WebSocket Secure (wss) protocol at wss://firstfromsep[.]online/client, employing multiple layers of RC4 encryption combined with base64 encoding. This encrypted communication channel enables the malware to exfiltrate stolen Keychain credentials, browser data from major applications including Chrome and Firefox, and Telegram chat histories while maintaining operational security against network monitoring tools.

Rather than relying on traditional persistence methods like LaunchAgents or Login Items, NimDoor implements a novel approach that monitors system signals to maintain its presence on infected machines. The CoreKitAgent component establishes signal handlers for both SIGINT (interrupt signal) and SIGTERM (termination signal), effectively intercepting attempts to terminate the malware process. When a user or system attempts to kill the malware through standard methods, these signal handlers trigger instead of allowing the process to terminate. The malware then uses this interruption as an opportunity to reinstall itself, writing a LaunchAgent to ~/Library/LaunchAgents/com.google.update.plist and copying its components to ensure persistence across system reboots. This approach allows the malware to operate with increased stealth and persistence while evading traditional detection mechanisms.
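A defender-side check for the LaunchAgent persistence described above, written as an added example (not code from the article or from SentinelOne). Only the com.google.update label comes from the article; the trusted vendor directories, the user-writable path prefixes and the two sample plists are assumptions constructed for the demonstration.

```python
import plistlib
from pathlib import Path

# Added example, not the article's or SentinelOne's code. Only the label
# com.google.update comes from the article; the trusted paths are assumptions.
KNOWN_BAD_LABELS = {"com.google.update"}
VENDOR_PREFIXES = {"com.google.": ("/Applications/Google", "/Library/Google")}
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

def program_of(plist: dict) -> str:
    """launchd runs ProgramArguments[0], or Program when that key is absent."""
    args = plist.get("ProgramArguments")
    return str(args[0]) if isinstance(args, list) and args else str(plist.get("Program", ""))

def assess_plist(data: bytes) -> list[str]:
    """Return reasons a LaunchAgent plist looks suspicious; an empty list means clean."""
    plist = plistlib.loads(data)
    label, program = str(plist.get("Label", "")), program_of(plist)
    reasons = []
    if label in KNOWN_BAD_LABELS:
        reasons.append(f"label {label!r} matches the LaunchAgent reported for NimDoor")
    for prefix, trusted in VENDOR_PREFIXES.items():
        # A vendor-style label whose binary lives outside the vendor's directories is a masquerade.
        if label.startswith(prefix) and not program.startswith(trusted):
            reasons.append(f"vendor-style label {label!r} runs {program!r} outside {trusted}")
    if plist.get("RunAtLoad") and program.startswith(USER_WRITABLE):
        reasons.append(f"RunAtLoad agent executes from user-writable path {program!r}")
    return reasons

def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Map each suspicious plist filename in directory to its reasons."""
    return {p.name: r for p in sorted(directory.glob("*.plist")) if (r := assess_plist(p.read_bytes()))}

# Constructed sample plists (not real NimDoor artifacts); the program paths are invented.
SAMPLE_SUSPICIOUS = plistlib.dumps({
    "Label": "com.google.update",
    "ProgramArguments": ["/Users/victim/Library/Application Support/.cache/GoogleUpdate"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/Backup"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(f"{name}: {assess_plist(blob) or 'no findings'}")
    print(scan_launch_agents(Path.home() / "Library" / "LaunchAgents"))
```

Run on a live system, scan_launch_agents walks the user's ~/Library/LaunchAgents; the heuristics flag the label impersonation and user-writable binary location rather than just the one known filename, so a renamed plist with the same shape still surfaces.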
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 03 Jul 2025 04:25:12 +0000