
NimDoor: North Korean Hackers Deploy Sophisticated macOS Malware Targeting Web3 and Crypto Firms


North Korean state-sponsored hackers have rolled out a new macOS malware strain dubbed NimDoor, designed to infiltrate Web3 and cryptocurrency organizations.

According to a fresh analysis by SentinelOne researchers, the attackers leveraged uncommon methods and an innovative signal-based persistence mechanism never observed before.

The attack chain starts with threat actors reaching out to potential victims through Telegram, persuading them to execute a bogus Zoom SDK update distributed via Calendly invitations and email—an approach reminiscent of tactics recently attributed to BlueNoroff by the managed security provider Huntress.

SentinelOne’s report notes that the adversaries used a mix of C++ and Nim-compiled binaries (collectively referred to as NimDoor) on macOS—"a more unusual choice."

One of these binaries, named 'installer,' handles the initial setup by preparing directories and configuration paths. It then deploys two additional components—'GoogIe LLC' and 'CoreKitAgent'—onto compromised systems. GoogIe LLC focuses on harvesting environment details and generating a hex-encoded configuration file, which is saved in a temporary directory. It also sets up a macOS LaunchAgent (com.google.update.plist) to ensure the malware runs automatically at login and retains authentication keys for future use.

The most advanced piece of the toolkit is CoreKitAgent, the primary payload of NimDoor. This event-driven binary leverages macOS’s kqueue mechanism for asynchronous execution and implements a 10-state machine with a hardcoded transition table, enabling dynamic control depending on runtime conditions.

A particularly distinctive characteristic is CoreKitAgent’s signal-based persistence, which relies on custom handlers for SIGINT and SIGTERM—signals typically used to terminate processes. "When triggered, CoreKitAgent catches these signals and writes the LaunchAgent for persistence, a copy of GoogIe LLC as the loader, and a copy of itself as the trojan, setting executable permissions on the latter two via the addExecutionPermissions_user95startup95mainZutils_u32 function," SentinelLABS explains.

"This behavior ensures that any user-initiated termination of the malware results in the deployment of the core components, making the code resilient to basic defensive actions."

Once active, CoreKitAgent decodes and executes a hex-encoded AppleScript that connects to command-and-control servers every 30 seconds, exfiltrates system information, and executes remote commands via osascript, effectively acting as a stealth backdoor.

Alongside the main NimDoor infection, a parallel chain initiated by 'zoom_sdk_support.scpt' deploys 'trojan1_arm64', which establishes WebSocket Secure (WSS)-based communications with attacker infrastructure. It downloads two additional scripts—upl and tlgrm—to facilitate data theft. Notably, researchers discovered that the loader script contains over 10,000 blank lines to hinder detection.
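Two of the behaviours described above give defenders something concrete to hunt for: the LaunchAgent written for persistence (labelled com.google.update, pointing at binaries named with the 'GoogIe LLC' homoglyph, capital I in place of lowercase l, or 'CoreKitAgent'), and the loader script padded with more than 10,000 blank lines. The triage script below is an added example, not code from SentinelOne or the report; it parses LaunchAgent plists and scores script files for blank-line padding, then runs itself against sample files it constructs in a temporary directory. The install path under Application Support, the 10,000-line and 90 % blank-ratio thresholds, and the sample plists are assumptions made for the demonstration.

```python
"""Triage helpers for the NimDoor persistence and padding indicators.

Added example, not SentinelOne's or the report's own code. Indicators taken
from the write-up: LaunchAgent label com.google.update, component names
'GoogIe LLC' (homoglyph: capital I for lowercase l) and 'CoreKitAgent',
and a loader script padded with >10,000 blank lines. Thresholds, file
paths and sample files below are constructed for the demo.
"""
import os
import plistlib
import tempfile

SUSPICIOUS_LABELS = {"com.google.update"}
SUSPICIOUS_NAME_FRAGMENTS = ("GoogIe LLC", "CoreKitAgent")  # note the capital I


def is_homoglyph_google(text: str) -> bool:
    """True if 'Google' is spelled with a capital I instead of an l."""
    return "GoogIe" in text


def inspect_launch_agent(path: str) -> list:
    """Return the reasons a LaunchAgent plist resembles the NimDoor entry (empty if none)."""
    reasons = []
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)
    except (plistlib.InvalidFileException, OSError, ValueError):
        return ["plist could not be parsed"]
    label = str(plist.get("Label", ""))
    if label in SUSPICIOUS_LABELS:
        reasons.append(f"label {label!r} matches a known indicator")
    # Collect every executable path the agent would launch
    targets = [str(a) for a in (plist.get("ProgramArguments") or [])]
    if plist.get("Program"):
        targets.append(str(plist["Program"]))
    for target in targets:
        if is_homoglyph_google(target) or any(f in target for f in SUSPICIOUS_NAME_FRAGMENTS):
            reasons.append(f"program path {target!r} names a known component")
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad is set, so the entry executes at every login")
    return reasons


def is_blank_line_padded(path: str, min_blank: int = 10_000, min_ratio: float = 0.9) -> bool:
    """Flag a script that is mostly blank lines (the loader's padding trick).

    Thresholds are assumptions: either an absolute blank-line count at the
    level the report describes, or a very high blank ratio in a long file.
    """
    with open(path, "rb") as fh:
        lines = fh.read().split(b"\n")
    blank = sum(1 for line in lines if not line.strip())
    total = max(len(lines), 1)
    return blank >= min_blank or (total >= 200 and blank / total >= min_ratio)


def triage_directory(directory: str) -> dict:
    """Scan one directory; return findings keyed by file name."""
    findings = {"launch_agents": {}, "padded_scripts": []}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if name.endswith(".plist"):
            reasons = inspect_launch_agent(full)
            if reasons:
                findings["launch_agents"][name] = reasons
        elif name.endswith((".scpt", ".applescript", ".sh")):
            if is_blank_line_padded(full):
                findings["padded_scripts"].append(name)
    return findings


def build_demo_dir() -> str:
    """Create constructed sample files: one bad and one benign agent, one padded script."""
    d = tempfile.mkdtemp(prefix="nimdoor_triage_demo_")
    # Constructed path; the report does not state the install location
    bad = {"Label": "com.google.update", "RunAtLoad": True,
           "ProgramArguments": ["/Users/demo/Library/Application Support/GoogIe LLC/GoogIe LLC"]}
    benign = {"Label": "com.example.backup", "RunAtLoad": True,
              "ProgramArguments": ["/usr/local/bin/backup", "--nightly"]}
    with open(os.path.join(d, "com.google.update.plist"), "wb") as fh:
        plistlib.dump(bad, fh)
    with open(os.path.join(d, "com.example.backup.plist"), "wb") as fh:
        plistlib.dump(benign, fh)
    with open(os.path.join(d, "padded_loader.scpt"), "wb") as fh:
        fh.write(b"-- constructed loader\n" + b"\n" * 12_000 + b'do shell script "echo demo"\n')
    with open(os.path.join(d, "normal.scpt"), "wb") as fh:
        fh.write(b'display dialog "hello"\n')
    return d


def run_demo() -> dict:
    """Build the sample directory and triage it."""
    return triage_directory(build_demo_dir())


if __name__ == "__main__":
    for section, hits in run_demo().items():
        print(section, hits)
```

On a real endpoint the same functions would be pointed at ~/Library/LaunchAgents and /Library/LaunchAgents, and the script check at wherever downloaded .scpt files land; a match on the label alone is worth a look even without the homoglyph path, since the report ties the plist name directly to the persistence routine triggered by SIGINT and SIGTERM.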

Upl focuses on extracting browser data, Keychain credentials, and shell history files (.bash_history and .zsh_history), transmitting the stolen information to dataupload[.]store via curl. Meanwhile, tlgrm targets Telegram data, including .tempkeyEncrypted files, likely to decrypt private messages exchanged on the platform.

Overall, SentinelLABS describes NimDoor and its associated payloads as among the most complex macOS malware attributed to North Korean threat actors so far. The framework’s modular architecture and the use of novel persistence techniques underscore how DPRK operators are continuously refining their cross-platform attack capabilities to breach cryptocurrency ecosystems and steal sensitive information.

SentinelLABS’ comprehensive report provides detailed indicators of compromise, including malicious domains, file paths, scripts, and binaries linked to these intrusions.