North Korean state-backed hackers have been using a new family of macOS malware called NimDoor in a campaign that targets web3 and cryptocurrency organizations. Researchers analyzing the payloads discovered that the attacker relied on unusual techniques and a previously unseen signal-based persistence mechanism.

The attack chain, which involves contacting victims via Telegram and luring them into running a fake Zoom SDK update delivered via Calendly and email, resembles the one Huntress recently linked to BlueNoroff.

GoogIe LLC takes over to collect environment data and generate a hex-encoded config file, writing it to a temp path. It sets up a macOS LaunchAgent (com.google.update.plist) for persistence, which re-launches GoogIe LLC at login and stores authentication keys for later stages.

The most advanced component used in the attack is CoreKitAgent, the main payload of the NimDoor framework, which operates as an event-driven binary, using macOS's kqueue mechanism to asynchronously manage execution.

"When triggered, CoreKitAgent catches these signals and writes the LaunchAgent for persistence, a copy of GoogIe LLC as the loader, and a copy of itself as the trojan, setting executable permissions on the latter two via the addExecutionPermissions_user95startup95mainZutils_u32 function," explains SentinelLABS. These are signals typically used to terminate processes, but when either is caught, CoreKitAgent triggers a reinstallation routine that re-deploys GoogIe LLC, restoring the persistence chain.

CoreKitAgent decodes and runs a hex-encoded AppleScript that beacons to attacker infrastructure every 30 seconds, exfiltrates system data, and executes remote commands via osascript, providing a lightweight backdoor.

Parallel to the NimDoor execution, 'zoom_sdk_support.scpt' triggers a second injection chain involving 'trojan1_arm64', which initiates WSS-based C2 communications and downloads two scripts (upl and tlgrm) that facilitate data theft.

Overall, the NimDoor framework and the rest of the backdoors SentinelLABS analyzed are some of the most complex macOS malware families linked to North Korean threat actors. The malware's modularity, which gives it flexibility, and the use of novel techniques like signal-based persistence indicate that DPRK operators are evolving their toolkit to extend their cross-platform capabilities.

SentinelLABS' report includes indicators of compromise for the domains, file paths, scripts, and binaries the North Korean threat actor used in attacks aimed at stealing cryptocurrency assets and sensitive information.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
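The LaunchAgent persistence described above is the part of this chain a defender can check for on an endpoint. The following Python hunt script is an added example, not code from SentinelLABS, BleepingComputer or the article's author. It takes only two facts from the article: the persistence label com.google.update (from com.google.update.plist) and the loader name "GoogIe LLC", which spells "Google" with a capital I in place of the lower-case l. The sample plist bodies, the installation paths in them, the benign label com.example.updater, and the RunAtLoad heuristic are constructed assumptions for the example.

```python
"""Hunt for the NimDoor-style LaunchAgent persistence described in the article.

Added example, not SentinelLABS' or BleepingComputer's code. Only the label
"com.google.update" and the loader name "GoogIe LLC" come from the article;
the plist bodies, paths and the benign label below are constructed.
"""
import os
import plistlib
from typing import Dict, List

# Label reported for the persistence plist (com.google.update.plist).
SUSPICIOUS_LABELS = {"com.google.update"}

# The loader name spells "Google" with a capital I instead of a lower-case l,
# so a plain substring match on the capital-I spelling catches the homoglyph.
# Assumption: this spelling does not occur in legitimate Google agent names.
HOMOGLYPH = "GoogIe"


def inspect_launch_agent(raw: bytes) -> List[str]:
    """Return the reasons a LaunchAgent plist resembles the reported one.

    An empty list means nothing matched; parse failures are reported as a
    reason rather than raised, so a scan over a directory never aborts.
    """
    try:
        data = plistlib.loads(raw)
    except Exception as exc:  # plistlib.InvalidFileException, xml errors, ...
        return [f"unparseable plist: {exc}"]
    if not isinstance(data, dict):
        return ["top-level plist object is not a dict"]

    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or []
    program = str(data.get("Program") or (args[0] if args else ""))

    reasons: List[str] = []
    if label in SUSPICIOUS_LABELS:
        reasons.append(f"label {label!r} matches reported persistence label")
    for field, value in (("Label", label), ("Program", program)):
        if HOMOGLYPH in value:
            reasons.append(f"{field} contains homoglyph {HOMOGLYPH!r} (capital I)")
    # RunAtLoad alone is normal; it only matters alongside another match,
    # because the article says the agent re-launches the loader at login.
    if reasons and data.get("RunAtLoad"):
        reasons.append("RunAtLoad set: agent re-launches the program at login")
    return reasons


def scan_launch_agents(
    directory: str = os.path.expanduser("~/Library/LaunchAgents"),
) -> Dict[str, List[str]]:
    """Inspect every .plist in a LaunchAgents directory; map filename -> reasons."""
    findings: Dict[str, List[str]] = {}
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            reasons = inspect_launch_agent(fh.read())
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample shaped like the reported agent (the path is an assumption).
SAMPLE_NIMDOOR_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.google.update</string>
    <key>ProgramArguments</key>
    <array><string>/Users/victim/Library/Application Support/GoogIe LLC</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>"""

# Constructed benign sample with the legitimate spelling; label is invented.
SAMPLE_BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/Applications/Google Updater.app/Contents/MacOS/updater</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>"""

if __name__ == "__main__":
    for name, blob in (("com.google.update.plist", SAMPLE_NIMDOOR_PLIST),
                       ("com.example.updater.plist", SAMPLE_BENIGN_PLIST)):
        print(name, inspect_launch_agent(blob) or "clean")
    for name, reasons in scan_launch_agents().items():
        print(name, reasons)
```

Run stand-alone it reports on the two constructed samples and then on the current user's ~/Library/LaunchAgents. Matching on the label and on the capital-I homoglyph rather than on a file hash is deliberate: the article's point is that the persistence chain is re-created on demand, so the on-disk binary may change while the agent name and loader name it re-creates stay the same.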
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 02 Jul 2025 19:40:19 +0000