North Korea’s NimDoor Malware: A Sophisticated Threat to macOS and Web3 Security


A Silent Danger Targeting Cryptocurrency and Web3 Networks

A newly uncovered cyber threat has set off alarms in the cybersecurity community. North Korea–backed hackers are now using an advanced macOS malware framework called NimDoor, designed to compromise cryptocurrency firms and Web3 organizations. Unlike more traditional malware campaigns, this operation reveals a significant shift in sophistication, using obscure programming languages, deceptive social engineering, and rare persistence mechanisms that even evade standard termination signals.

Infiltrating systems through social channels like Telegram and hiding behind fake Zoom SDK updates sent via Calendly and email, NimDoor doesn’t just aim to spy—it evolves, reinstalls itself when terminated, and mimics legitimate applications to steal browser data, keys, scripts, and even Telegram chat history. The campaign’s fingerprints resemble tactics tied to BlueNoroff, a subgroup of the Lazarus Group, North Korea’s infamous hacking division.

SentinelOne’s research into the malware’s layered architecture reveals a masterclass in digital subterfuge, with backdoors and state machines embedded deep in macOS systems. The most alarming part: even killing the malware won’t stop it. It comes back, more persistent than before, signaling a dangerous trend in the evolution of nation-state cyber warfare.

Covert Infiltration: How NimDoor Operates

Researchers at SentinelOne have unveiled a new malware threat targeting macOS, called NimDoor, operated by North Korean state-sponsored actors. This threat campaign is highly advanced and directed at Web3 and cryptocurrency firms—prime targets due to the vast amounts of digital assets they handle. What makes NimDoor especially dangerous is its use of obscure techniques and custom-built mechanisms that grant it an exceptional degree of stealth and persistence.

The initial infection path starts through Telegram, where attackers lure victims into executing what appears to be a legitimate Zoom SDK update. This is cleverly delivered through Calendly links and email, building trust and bypassing early suspicion. Once opened, the malware—compiled using C++ and Nim, an unusual combination for macOS—begins its staged attack.

The ‘installer’ binary sets the stage, creating directories and dropping two key payloads: GoogIe LLC and CoreKitAgent. The former masquerades as a Google updater but is used for environment scanning and setting up persistent access through macOS’s LaunchAgent. It also saves authentication keys for use later in the malware’s lifecycle.

CoreKitAgent is the core of the attack, featuring a rare event-driven architecture powered by the kqueue mechanism on macOS. It works through a 10-case state machine that enables dynamic behavior based on live system conditions. But the malware’s standout feature is its signal-based persistence. When a user attempts to terminate it using typical system signals like SIGINT or SIGTERM, CoreKitAgent intercepts these and reinstalls itself, redeploying the entire infection stack.

This self-healing capability makes it exceptionally resilient to traditional security responses. It also executes encoded AppleScript payloads every 30 seconds to maintain communication with its command-and-control infrastructure. Meanwhile, another infection route launches via a script named zoom_sdk_support.scpt, packed with over 10,000 blank lines to evade detection and enhance obfuscation.
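Two of the details above, the lookalike "GoogIe" name registered through a LaunchAgent and the blank-line padding of zoom_sdk_support.scpt, lend themselves to simple host-side checks. The following is an added example, not code from the article or from SentinelOne's report; the plist label, install path and script contents are constructed samples, and the trusted-prefix list is a heuristic assumption.

```python
import plistlib
import re

KNOWN_VENDORS = {"google", "zoom", "apple"}
# Heuristic (assumption): agents whose program lives outside these prefixes deserve a look.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/Applications/")

# Constructed sample LaunchAgent plist imitating the "GoogIe LLC" updater masquerade
# named in the article; label and install path are assumptions, not real indicators.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.googie.update</string>
  <key>ProgramArguments</key><array><string>/Users/victim/Library/GoogIe LLC</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed AppleScript padded with 10,000 blank lines like zoom_sdk_support.scpt (benign payload).
SAMPLE_SCRIPT = "-- Zoom SDK support\n" + "\n" * 10000 + 'do shell script "echo padded"\n'

def lookalike_vendor(text):
    """Return the vendor a token imitates via I/1-for-l confusion, else None."""
    fold = str.maketrans("I1", "ll")
    for token in re.findall(r"[A-Za-z0-9]+", text):
        folded = token.translate(fold).lower()
        if folded in KNOWN_VENDORS and token.lower() != folded:
            return folded
    return None

def padding_stats(script):
    """Return (blank_lines, total_lines); a ratio near 1.0 indicates padding."""
    lines = script.splitlines()
    return sum(1 for line in lines if not line.strip()), len(lines)

def audit_launch_agent(plist_bytes):
    """Return a list of findings for one LaunchAgent plist (empty = nothing flagged)."""
    agent = plistlib.loads(plist_bytes)
    args = agent.get("ProgramArguments") or [agent.get("Program", "")]
    program = args[0] if args else ""
    findings = []
    for field, value in (("Label", agent.get("Label", "")), ("Program", program)):
        vendor = lookalike_vendor(value)
        if vendor:
            findings.append(f"{field} imitates '{vendor}': {value!r}")
    if not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted prefixes: {program!r}")
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: relaunches at login and whenever it exits")
    return findings
```

Run `audit_launch_agent` over the plists in `~/Library/LaunchAgents` and `padding_stats` over script files arriving via chat or calendar links; the three findings on the sample plist are exactly the traits the article attributes to the GoogIe LLC stage.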

This loader initiates a parallel chain where additional payloads like trojan1_arm64, upl, and tlgrm are dropped. These modules exfiltrate sensitive data including Keychain credentials, browser histories, shell command logs, and even Telegram message histories. The malware uses tools like curl to upload stolen data to hidden servers.

NimDoor’s modularity allows it to adapt across platforms and attack vectors. SentinelOne’s report concludes that this malware is among the most sophisticated families seen on macOS and is a clear sign that North Korean hackers are expanding their reach and tooling.

What Undercode Says:

Rise of Cross-Platform Malware Signals New Era of Espionage

NimDoor represents more than just another malware discovery—it is a strategic warning about the growing capabilities of state-sponsored cyber adversaries. The use of macOS-specific tactics signals a shift in attack focus from Windows-dominant threats to full-spectrum, cross-platform campaigns. This change coincides with a broader movement within the threat landscape, where actors like North Korea are no longer targeting just financial institutions but are expanding into decentralized and crypto-driven ecosystems.

The entry via Telegram and Calendly suggests a tactical advantage. By leveraging platforms people use daily and trust, attackers bypass security filters and human skepticism. Social engineering remains one of the most effective tools in modern cyberattacks—not because it’s new, but because it’s simple and still works.

What stands out is the layered architecture of NimDoor. This isn’t a script-kiddie toolkit or some amateur’s virus. Each binary performs a designated role, from environment analysis and persistence setup to full-blown data theft and remote command execution. The 10-case state machine gives it a programmable intelligence rarely seen in typical malware. It adapts based on runtime scenarios, making static analysis and detection much more difficult.

Its signal-based persistence, meanwhile, is nothing short of groundbreaking. Most defensive strategies depend on identifying processes and terminating them. CoreKitAgent essentially says: “Kill me and I’ll come back stronger.” By hijacking termination signals to reinstall its components, it ensures continuity regardless of user intervention. This resilience reflects a deeper understanding of macOS internals and a level of craftsmanship that shows the hackers aren’t just trying—they’re winning.

Furthermore, the inclusion of over 10,000 blank lines in zoom_sdk_support.scpt to avoid code scanning is a reminder that evasion doesn’t always have to be complex. Sometimes, brute obfuscation is just as effective, especially against traditional detection tools.

The malware’s modular payloads, like upl and tlgrm, are specifically tailored for data extraction from web browsers, shell histories, and Telegram communications. This highlights the importance of operational security (OpSec) on both corporate and individual levels. Users often underestimate how much valuable information sits unprotected in these histories and messaging apps.

Ultimately, NimDoor is part of a larger geopolitical cyber agenda. North Korea’s interest in cryptocurrency isn’t just financial—it’s also strategic. Funds obtained through cyber theft often fund their sanctioned military and nuclear programs. The crypto world, with its weaker regulatory frameworks and decentralized nature, is a prime hunting ground for threat actors who want maximum payoff with minimal friction.

SentinelOne’s warning is clear: NimDoor isn’t a one-off threat—it’s a template. We should expect to see variations of this malware family in the future, possibly optimized for other systems or distributed through even more insidious channels.

🔍 Fact Checker Results:

✅ NimDoor is confirmed as a state-backed macOS malware linked to North Korean hackers
✅ Signal-based persistence is a rare but verified feature in the CoreKitAgent module
✅ The campaign uses legitimate tools like Calendly and Zoom SDK disguises for deception

📊 Prediction:

The emergence of NimDoor signals a major turning point in macOS-targeted cyber warfare. As cross-platform frameworks gain ground, expect North Korean operators to extend similar attacks to Linux and mobile platforms. Cryptocurrency firms and Web3 startups, especially those with poor internal OpSec, will remain prime targets in 2025 and beyond. 🔐💸🧠

References:

Reported By: www.bleepingcomputer.com