
North Korea-Linked Threat Actors Deploy macOS NimDoor Malware via Fake Zoom Updates


TL;DR

North Korean hackers are targeting Web3 and cryptocurrency firms using a sophisticated macOS backdoor, disguised as fake Zoom updates. The malware, known as NimDoor, spreads through phishing links on Calendly and Telegram, stealing sensitive data and maintaining persistence on infected systems. This campaign highlights the evolving tactics of North Korean threat actors and the need for heightened security measures in the crypto industry.

Main Content

North Korea-Linked Hackers Use Fake Zoom Updates to Spread macOS NimDoor Malware

North Korea-linked threat actors are targeting Web3 and cryptocurrency firms with NimDoor, a rare macOS backdoor disguised as a fake Zoom update [1].

Phishing and Malware Deployment

Victims are tricked into installing the malware through phishing links sent via Calendly or Telegram. NimDoor is written in Nim, uses encrypted communications, and steals data such as browser history and Keychain credentials [1]. The malware can persist on systems, reinfect itself if killed, and mimics legitimate AppleScript tools to avoid detection [1].

Key Points from SentinelOne’s Analysis:

  • Process Injection and Encrypted Communications: Unusually for macOS malware, the threat actors employ a process injection technique and remote communications via wss, the TLS-encrypted version of the WebSocket protocol [1].

  • Targeted Attacks on Web3 Startups: In April 2025, a Web3 startup was targeted by a North Korea-linked APT group using social engineering and fake Zoom updates [2]. The NimDoor malware is a rare mix of AppleScript, C++, and Nim, featuring encrypted configs, async execution, and a unique signal-based persistence [2].

Attack Chain and Malware Behavior

The attack chain in recent NimDoor attacks starts with fake Zoom invites via Telegram and Calendly. Victims receive a script named “zoom_sdk_support.scpt” with 10,000 lines of padding and a typo (“Zook”), hiding its true function. The script fetches a second-stage payload from lookalike domains mimicking real Zoom URLs, launching the core malware. This indicates a broader, targeted campaign with custom links per victim [1].

Threat actors dropped two Mach-O binaries (“a”, written in C++, and “installer”, written in Nim) to /tmp, triggering separate infection chains. “a” decrypts the malware used for data theft, including browser and Telegram data, while “installer” ensures persistence with deceptive Nim binaries. The malware uses rare macOS injection, complex encryption, and WebSocket C2 comms to exfiltrate system and user data [1].

Detailed Analysis by SentinelLABS:

  • Decryption and Persistence: The analysis shows that the C++ injector process (“a”) is used to decrypt two embedded binaries. The first carries an ad hoc signature and the identifier Target. The second has an ad hoc signature with the identifier trojan1_arm64. The Target binary is benign and appears to do nothing other than generate random numbers [1].

  • Entitlements for Injection: This kind of process injection technique is rare in macOS malware and requires specific entitlements to be performed. In this case, the InjectWithDyldArm64 binary has the following entitlements to allow the injection:

    • com.apple.security.cs.debugger
    • com.apple.security.get-task-allow [1]
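As an added triage helper (not code from SentinelOne or the page), the following script checks a Mach-O binary for the two entitlements listed above together with an ad hoc signature, parsing the `codesign` output a responder would collect on the host. The sample entitlements plist and `codesign` text are constructed to mirror what the page reports; the `Signature=adhoc` line and the `--entitlements :-` output format are assumptions about `codesign` behaviour.

```python
import plistlib
import subprocess

# The two entitlements SentinelOne reports on the NimDoor injector binary (both on the page).
INJECTION_ENTITLEMENTS = frozenset({
    "com.apple.security.cs.debugger",
    "com.apple.security.get-task-allow",
})

def injection_entitlements(plist_bytes):
    """Return the injection-enabling entitlements set to true in an entitlements plist."""
    try:
        ents = plistlib.loads(plist_bytes)
    except Exception:
        return set()           # unparseable or empty entitlement blob: nothing to report
    if not isinstance(ents, dict):
        return set()
    return {key for key in INJECTION_ENTITLEMENTS if ents.get(key) is True}

def parse_codesign_info(text):
    """Parse the 'key=value' lines that `codesign -dvv` prints (Identifier=, Signature=, ...)."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip()
    return info

def assess(entitlements_plist, codesign_text):
    """Combine both signals: debugger+get-task-allow on an ad hoc signed binary is the NimDoor pattern."""
    found = injection_entitlements(entitlements_plist)
    info = parse_codesign_info(codesign_text)
    adhoc = info.get("Signature", "").lower() == "adhoc"   # assumption: codesign prints Signature=adhoc
    ident = info.get("Identifier", "")
    if found == INJECTION_ENTITLEMENTS and adhoc:
        return "suspicious", sorted(found), ident
    if found:
        return "review", sorted(found), ident          # injection entitlements, but a real signer
    return "clean", [], ident

def assess_binary(path):
    """Live mode on a macOS host (not exercised offline): collect both codesign outputs for one file."""
    ents = subprocess.run(["codesign", "-d", "--entitlements", ":-", path], capture_output=True).stdout
    info = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True).stderr
    return assess(ents, info)

# Constructed sample input modelled on the page's description; the identifier is a placeholder.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.debugger</key><true/>
<key>com.apple.security.get-task-allow</key><true/>
</dict></plist>"""
SAMPLE_CODESIGN = "Identifier=sample.injector\nFormat=Mach-O thin (arm64)\nSignature=adhoc\n"

if __name__ == "__main__":
    print(assess(SAMPLE_ENTITLEMENTS, SAMPLE_CODESIGN))
```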

The two payloads maintain persistence by using signal handlers to catch SIGINT and SIGTERM termination signals and redeploy core malware components. These signals handle user or system attempts to terminate a process [1].

Conclusion from SentinelOne:

SentinelLABS’ analysis of NimDoor shows how threat actors are continuing to explore cross-platform languages that introduce new levels of complexity for analysts. North Korean-aligned threat actors have previously experimented with Go and Rust, similarly combining scripts and compiled binaries into multi-stage attack chains. However, Nim’s unique ability to execute functions during compile time allows attackers to blend complex behavior into a binary with less obvious control flow, resulting in compiled binaries in which developer code and Nim runtime code are intermingled even at the function level [1].

Follow for More Updates

Follow me on Twitter: @securityaffairs, Facebook, and Mastodon.

For more details, visit the full article: source

Conclusion

The NimDoor malware campaign highlights the evolving tactics of North Korean threat actors, underscoring the need for enhanced security measures in the crypto industry. As threat actors continue to innovate, staying informed and proactive is crucial for protecting against such sophisticated attacks.

References

  1. SentinelOne (2025). “macOS NimDoor: DPRK threat actors target Web3 and crypto platforms with Nim-based malware”. SentinelOne Labs. Retrieved 2025-07-05.

  2. Huntability (2025). “Threat Note: North Korea-linked APT group targets Web3 startup”. Huntability Tech. Retrieved 2025-07-05.

This post is licensed under CC BY 4.0 by the author.