Full Report
NimDoor shows how threat actors continue to experiment with cross-platform languages that add new layers of complexity for analysts.
Analysis Summary
# Threat Actor: Unnamed DPRK Threat Actor Group (Associated with NimDoor activity)
## Attribution & Identity
Attributed to Democratic People's Republic of Korea (DPRK) threat actors. The activity appears linked to previously reported intrusions against Web3 platforms, with possible overlap with clusters such as BlueNoroff according to the related reporting cited. The malware family is tracked as **NimDoor**.
## Activity Summary
The actors run a campaign primarily targeting Web3 and cryptocurrency businesses. The chain begins with social engineering over Telegram: the actor impersonates a trusted contact and schedules a meeting through Calendly. The victim then receives an email containing a Zoom meeting link and instructions to run a fake "Zoom SDK update script" (`zoom_sdk_support.scpt`). That AppleScript retrieves and executes follow-on scripts from a C2 server, starting a multi-stage infection built from AppleScript, C++ and Nim-compiled binaries.
## Tactics, Techniques & Procedures
- **Initial Access:** Social engineering over Telegram; Lure documents instructing victims to execute an AppleScript disguised as a "Zoom SDK update script."
- **Execution:** Use of AppleScripts padded with roughly 10,000 lines of whitespace, so that a casual look at the file shows nothing but blank lines. The script retrieves and executes a second-stage script from a remote server.
- **Payload Delivery:** Downloads two primary Mach-O binaries (`a` and `installer`) written in C++ and Nim.
- **Development Language Choice:** Unusual use of **Nim-compiled binaries** for macOS malware. Nim compiles to C and mixes compile-time and runtime execution, producing binaries that look unfamiliar to analysts used to C/Objective-C tooling.
- **Persistence:** A novel mechanism built on **SIGINT/SIGTERM signal handlers**: when the implant is terminated (for example by a user `kill` or during shutdown/reboot) the handler reinstalls persistence before the process exits, so a naive kill re-establishes the foothold rather than removing it.
- **Defense Evasion & Execution:** Extensive use of **AppleScripts** acting as lightweight beacons and backdoors. Employing a process injection technique uncommon for macOS malware.
- **Data Exfiltration:** Use of **Bash scripts** to exfiltrate sensitive data, including Keychain credentials, browser data, and Telegram user data.
- **Network Communication:** Uses **`wss`** (WebSocket over TLS) for C2 communications, which blends with ordinary encrypted web traffic.
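To make the persistence bullet concrete from the defender's side, here is a simulation of the signal-handler trick: an "implant" that, on SIGINT or SIGTERM, rewrites its LaunchAgent before exiting. This is an added example written for this page, not code from the report or from the malware. It runs entirely inside a temporary directory; the `LaunchAgents` folder, the label `com.example.update` and the payload name `agent` are hypothetical stand-ins.

```python
"""Defender-side simulation of the signal-handler persistence described above.
Added example for this page, not code from the report or the malware. Everything
is written inside a temporary directory: the LaunchAgents folder, the label
'com.example.update' and the payload name 'agent' are hypothetical stand-ins."""
import os
import plistlib
import signal
import tempfile
import time


def write_launch_agent(agents_dir: str, label: str, program: str) -> str:
    """Write a minimal RunAtLoad/KeepAlive user LaunchAgent pointing at `program`."""
    os.makedirs(agents_dir, exist_ok=True)
    plist_path = os.path.join(agents_dir, f"{label}.plist")
    with open(plist_path, "wb") as fh:
        plistlib.dump({"Label": label, "ProgramArguments": [program],
                       "RunAtLoad": True, "KeepAlive": True}, fh)
    return plist_path


class ResilientAgent:
    """Simulated implant: SIGINT/SIGTERM do not just stop it, they trigger a
    re-install of its LaunchAgent before it exits (the NimDoor trick)."""

    def __init__(self, agents_dir: str, label: str, program: str):
        self.agents_dir, self.label, self.program = agents_dir, label, program
        self.reinstalled = 0
        self.stopped = False
        self._previous = {}

    def install_handlers(self):
        for sig in (signal.SIGINT, signal.SIGTERM):
            self._previous[sig] = signal.signal(sig, self._on_signal)

    def restore_handlers(self):
        for sig, handler in self._previous.items():
            signal.signal(sig, handler)

    def _on_signal(self, signum, frame):
        # A real implant drops its binary and plist back to disk here, then exits.
        write_launch_agent(self.agents_dir, self.label, self.program)
        self.reinstalled += 1
        self.stopped = True


def simulate_kill(signame: str = "SIGTERM") -> dict:
    """Responder deletes the plist, then 'kills' the agent with `signame`
    (SIGTERM or SIGINT, delivered to this very process). Returns what is left
    on disk. SIGKILL is deliberately not offered: it cannot be caught, which is
    exactly why a responder should use it, after removing the files."""
    sig = getattr(signal, signame)
    with tempfile.TemporaryDirectory() as tmp:
        agents_dir = os.path.join(tmp, "LaunchAgents")
        program = os.path.join(tmp, "agent")
        plist = write_launch_agent(agents_dir, "com.example.update", program)
        agent = ResilientAgent(agents_dir, "com.example.update", program)
        agent.install_handlers()
        try:
            os.remove(plist)               # step 1: responder removes persistence
            os.kill(os.getpid(), sig)      # step 2: responder sends SIGTERM/SIGINT
            for _ in range(200):           # let the Python-level handler run
                if agent.stopped:
                    break
                time.sleep(0.005)
            return {"plist_present": os.path.exists(plist),
                    "reinstalled": agent.reinstalled}
        finally:
            agent.restore_handlers()


if __name__ == "__main__":
    print(simulate_kill("SIGTERM"))   # {'plist_present': True, 'reinstalled': 1}
```

The takeaway for response work: deleting the plist and then sending SIGTERM leaves the plist back on disk, because the handler runs before the process dies. The order that works is to remove the LaunchAgent and payload, then stop the process with SIGKILL (which no handler can intercept), and finally re-check the paths.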
## Targeting
- **Sectors:** Web3 and Crypto-related businesses/platforms.
- **Geography:** Not explicitly detailed in the report; victim selection appears driven by industry rather than by region.
- **Victims:** Web3 startups and Crypto organizations (An April 2025 incident targeting a Web3 startup was cited).
## Tools & Infrastructure
- **Malware Families:** NimDoor, the collective name for the toolset, comprising Nim-compiled binaries and C++ components.
- **Scripts:** AppleScript (`zoom_sdk_support.scpt`), Bash scripts.
- **Infrastructure (Domains - Defanged):**
- `support[.]us05web-zoom[.]forum`
- `support[.]us05web-zoom[.]pro`
- `support[.]us05web-zoom[.]cloud`
- `support[.]us06web-zoom[.]online`
- `dataupload[.]store`
- `firstfromsep[.]online`
- `safeup[.]store`
- `writeup[.]live`
- **File Paths:**
- `~/Library/Application Support/Google LLC/GoogIe LLC` (note the capital `I` in place of lowercase `l` in `GoogIe`, a homoglyph meant to pass for the legitimate vendor folder)
- `~/Library/LaunchAgents/com.google.update.plist`
- `~/Library/CoreKit/CoreKitAgent`
- `/private/var/tmp/uplex_//`
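Hunting for the artifacts above (and the "hunt for the documented file paths" mitigation further down) is straightforward to script. The following is an added example written for this page, not SentinelOne's or the malware's code. The paths and the LaunchAgent label are taken from the IOC list; the look-alike check generalises the `GoogIe LLC` homoglyph to a few other confusable glyphs, and that confusable map is an assumption of the example, not something the report enumerates. The `demo()` fixture plants constructed artifacts in a temporary home directory so the script runs offline.

```python
"""Host-side hunt for the NimDoor artifacts listed above. Added example written
for this page, not SentinelOne's or the malware's code. The paths and the
LaunchAgent label come from the IOC list; the look-alike test generalises the
'GoogIe LLC' (capital I for lowercase l) folder name to other confusable glyphs,
and the confusable map itself is an assumption, not something the report lists."""
import plistlib
import tempfile
from pathlib import Path
from typing import List, Optional

# Documented paths, relative to the victim's home directory.
HOME_IOC_PATHS = [
    "Library/Application Support/Google LLC/GoogIe LLC",
    "Library/LaunchAgents/com.google.update.plist",
    "Library/CoreKit/CoreKitAgent",
]
# Documented staging directory, relative to the filesystem root.
ROOT_IOC_PATHS = ["private/var/tmp/uplex_"]
SUSPECT_LABELS = {"com.google.update"}
LEGIT_VENDOR = "Google LLC"
# Assumed confusables: glyphs swapped for Latin letters to fake a vendor folder.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})


def is_vendor_lookalike(name: str) -> bool:
    """True if `name` is not exactly 'Google LLC' but normalises to it."""
    return name != LEGIT_VENDOR and name.translate(CONFUSABLES) == LEGIT_VENDOR


def launch_agent_finding(plist_path: Path, home: Path) -> Optional[str]:
    """Reason string if a LaunchAgent plist carries documented NimDoor traits:
    the known label, or a program under CoreKit or a look-alike vendor folder."""
    try:
        with plist_path.open("rb") as fh:
            data = plistlib.load(fh)
    except Exception as exc:  # an unparseable plist in LaunchAgents is itself odd
        return f"unparseable plist ({type(exc).__name__})"
    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or []
    program = str(args[0]) if args else str(data.get("Program", ""))
    if label in SUSPECT_LABELS:
        return f"label {label!r} matches the documented NimDoor LaunchAgent"
    if program.startswith(str(home / "Library/CoreKit")):
        return f"program {program!r} lives under the documented CoreKit path"
    if any(is_vendor_lookalike(part) for part in Path(program).parts):
        return f"program {program!r} runs from a '{LEGIT_VENDOR}' look-alike folder"
    return None


def hunt(home: str, root: str = "/") -> List[str]:
    """Check documented paths, look-alike vendor folders and every LaunchAgent
    under `home`. `root` lets the same hunt run over a mounted disk image."""
    home_p, root_p, findings = Path(home), Path(root), []
    for rel in HOME_IOC_PATHS:
        if (home_p / rel).exists():
            findings.append(f"IOC path present: {home_p / rel}")
    for rel in ROOT_IOC_PATHS:
        if (root_p / rel).exists():
            findings.append(f"IOC path present: {root_p / rel}")
    app_support = home_p / "Library/Application Support"
    if app_support.is_dir():
        for vendor in app_support.iterdir():       # depth 1 and 2, like GoogIe LLC
            children = list(vendor.iterdir()) if vendor.is_dir() else []
            for entry in [vendor] + children:
                if is_vendor_lookalike(entry.name):
                    findings.append(f"look-alike vendor folder: {entry}")
    agents = home_p / "Library/LaunchAgents"
    if agents.is_dir():
        for plist in sorted(agents.glob("*.plist")):
            reason = launch_agent_finding(plist, home_p)
            if reason:
                findings.append(f"{plist.name}: {reason}")
    return findings


def demo() -> List[str]:
    """Plant constructed artifacts in a temporary home directory and hunt them."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / "Library/Application Support/Google LLC/GoogIe LLC").mkdir(parents=True)
        (home / "Library/LaunchAgents").mkdir(parents=True)
        with (home / "Library/LaunchAgents/com.google.update.plist").open("wb") as fh:
            plistlib.dump({"Label": "com.google.update", "RunAtLoad": True,
                           "ProgramArguments": [str(home / "Library/CoreKit/CoreKitAgent")]}, fh)
        with (home / "Library/LaunchAgents/com.apple.benign.plist").open("wb") as fh:
            plistlib.dump({"Label": "com.apple.benign",
                           "ProgramArguments": ["/usr/bin/true"]}, fh)
        return hunt(str(home), root=tmp)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a live host call `hunt(os.path.expanduser("~"))` per user; against a forensic image, point `home` and `root` at the mounted paths. The look-alike check is the part worth keeping even after these specific IOCs rotate, since a second folder that normalises to a real vendor name has no legitimate reason to exist.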
## Implications
This actor demonstrates evolving sophistication, moving beyond traditional tooling to languages such as Nim and Crystal for macOS malware development. That shift forces security teams to broaden their expertise beyond C/C++/Objective-C analysis. The novel persistence mechanism (signal handlers) and the choice of `wss` for C2 point to a targeted, high-effort campaign against the lucrative cryptocurrency sector.
## Mitigations
- Treat "update scripts" for platforms such as Zoom that arrive over Telegram or email with suspicion; legitimate Zoom updates are not delivered as AppleScript files.
- Tune endpoint detection and response (EDR) to flag Nim-compiled binaries, for example via Nim runtime artifacts such as the `NimMain` entry routine where symbols are not stripped.
- During response, expect that sending SIGINT/SIGTERM to a suspect process may trigger its re-installation routine. Look for LaunchAgent plists or binaries (re)written at the moment a process exits, remove the persistence files first, and terminate with SIGKILL, which a handler cannot intercept.
- Monitor for WebSocket-over-TLS (`wss`) connections originating from unexpected processes or from binaries outside normal install locations.
- Specifically hunt for the documented file paths and binaries associated with NimDoor and its apparent loader/dropper components.