Introduction: A Sophisticated Cyber Threat in Disguise
A new wave of cyberattacks has been uncovered, targeting the heart of the Web3 and cryptocurrency industry. This time, the perpetrators are believed to be state-sponsored actors from North Korea, deploying a highly unusual piece of malware known as NimDoor. Crafted to exploit macOS systems, NimDoor is disguised as a fake Zoom update and uses complex multi-stage techniques, encrypted communications, and rare programming tactics to evade detection. This campaign reveals the increasing sophistication of adversaries and signals an urgent call for enhanced cybersecurity across the crypto ecosystem, especially for companies relying on macOS environments.
The Original Report
North Korean-linked threat actors are using a stealthy macOS backdoor named NimDoor to infiltrate Web3 and crypto companies. This malware is uniquely written in Nim, a relatively obscure language in cybercrime circles, making it harder to detect and analyze. Disguised as a legitimate Zoom update, the malware reaches its victims through phishing links sent via Telegram or Calendly.
Once executed, NimDoor steals sensitive data such as browser history and Apple Keychain credentials, and establishes persistence on the infected device. It can even reinfect itself if terminated, and cleverly mimics legitimate AppleScript tools to avoid suspicion.
The malicious campaign has a distinctive delivery mechanism: it starts with fake Zoom invites sent over trusted platforms. Victims receive a script titled zoom_sdk_support.scpt, padded with junk lines and even a typo (“Zook”) to evade casual scrutiny. This script contacts lookalike Zoom URLs (e.g., support.us05web-zoom[.]forum) to retrieve the second-stage payload, which contains the core malware.
Two main binaries are dropped during the infection:
One (`a`, written in C++) for data theft
One (`installer`, written in Nim) for persistence
Both binaries are encrypted and use TLS-encrypted WebSockets (wss) for Command & Control (C2) communications. The malware also employs process injection, a rare technique in macOS malware, requiring specific entitlements.
The binaries are stealthy and signed with ad hoc identifiers (Target, trojan1_arm64). The malware uses signal handlers (SIGINT, SIGTERM) to survive system or user attempts at removal. SentinelLABS analysts highlight NimDoor’s ability to blend Nim runtime code with custom developer logic, further complicating reverse engineering.
This attack is yet another example of North Korea’s growing cyber arsenal, following earlier campaigns using Go and Rust to attack digital asset ecosystems. The use of Nim marks an escalation in both technical sophistication and stealth.
What Undercode Says:
The emergence of NimDoor signals a pivotal evolution in the threat landscape, especially for macOS environments, which are traditionally seen as more secure and less frequently targeted. Here’s why this particular malware campaign is noteworthy, and deeply concerning:
1. Weaponizing Nim: A Strategic Move
Nim, as a programming language, isn’t commonly seen in malware development. Its low prevalence gives attackers a stealth advantage. Traditional antivirus and behavioral detection systems are often optimized for threats coded in more mainstream languages like Python, C++, or Java. NimDoor’s use of Nim makes it an analytical nightmare for researchers and a detection evasion tool for attackers.
2. Targeting the Heart of Web3
This
3. Multi-Vector Social Engineering
Using Calendly and Telegram for phishing demonstrates a shrewd understanding of current business workflows. These are platforms widely trusted in startup environments for scheduling and communication, making the attack more believable. The attackers’ use of custom Zoom lookalike domains adds another layer of deception, ensuring the malware appears legitimate to an untrained eye.
4. Advanced macOS Techniques
macOS has traditionally enjoyed a reputation for being secure, but this campaign exposes cracks in that narrative. Rarely do we see process injection, WSS comms, and binary-level signal handling combined into a single macOS malware. This is not an amateur job; it’s a well-funded, state-backed operation.
5. Resilience and Reinfection
The ability to reinitiate itself upon termination (via SIGINT and SIGTERM catching) adds durability to the infection. This kind of self-healing malware is particularly dangerous because even if detected and stopped, it may quietly reestablish its foothold.
6. Cryptocurrency = National Revenue
For North Korea, cyberattacks aren’t just intelligence operations; they’re economic strategy. Crypto theft helps fund weapons programs and sustain the regime under global sanctions. By targeting Web3 startups, which are often under-secured and flush with digital assets, these hackers are directly attacking a new frontier of decentralized finance.
7. Cross-Language, Cross-Platform Complexity
By blending Nim with C++ and AppleScript, the attackers make reverse-engineering a laborious process. It’s also clear they are experimenting with multi-stage payloads and novel code obfuscation techniques, perhaps preparing for even broader attacks.
8. The Bigger Picture
This campaign illustrates how cybersecurity is no longer a concern just for big tech firms. Every crypto startup is now a potential target. With cyber warfare strategies evolving, even small companies must now adopt enterprise-grade security protocols, incident response plans, and regular threat assessments.
Fact Checker Results:
✅ NimDoor is written in Nim and uses encrypted WebSocket C2 channels: verified by SentinelLABS.
✅ The malware is distributed via fake Zoom invites and phishing on Calendly/Telegram: confirmed.
✅ Uses process injection on macOS, an uncommon but powerful persistence method: technically accurate.
Prediction:
Expect an uptick in Nim-based malware over the next 12-18 months, especially targeting macOS users in finance, crypto, and tech startups. Given Nim’s stealth benefits and macOS’s growing use in the enterprise sector, attackers will likely double down on this combination. Defenders should begin integrating Nim-language detection rules and closely monitor apps communicating over wss.
References:
Reported By: securityaffairs.com