North Korea-linked hackers use fake Zoom updates to spread macOS NimDoor malware, targeting crypto firms with stealthy backdoors.
North Korea-linked threat actors are targeting Web3 and crypto firms with NimDoor, a rare macOS backdoor disguised as a fake Zoom update.
Victims are tricked into installing the malware through phishing links sent via Calendly or Telegram. NimDoor is written in Nim, uses encrypted communications, and steals data like browser history and Keychain credentials. The malware can persist on systems, reinfect itself if killed, and mimics legitimate AppleScript tools to avoid detection.
“DPRK threat actors are utilizing Nim-compiled binaries and multiple attack chains in a campaign targeting Web3 and Crypto-related businesses,” reads the analysis published by SentinelOne. “Unusually for macOS malware, the threat actors employ a process injection technique and remote communications via wss, the TLS-encrypted version of the WebSocket protocol.”
In April 2025, a Web3 startup was targeted by a North Korea-linked APT group using social engineering and fake Zoom updates. Attackers employed the NimDoor malware, which is a rare mix of AppleScript, C++, and Nim—an unusual choice for macOS threats. Unlike typical campaigns, this variant included encrypted configs, async execution, and a unique signal-based persistence.
The attack chain in recent NimDoor attacks starts with fake Zoom invites via Telegram and Calendly. Victims receive a script named “zoom_sdk_support.scpt” with 10,000 lines of padding and a typo (“Zook”), hiding its true function. The script fetches a second-stage payload from lookalike domains like support.us05web-zoom[.]forum, mimicking real Zoom URLs. This launches the core malware, signaling a broader, targeted campaign with custom links per victim.
Threat actors dropped two Mach-O binaries (‘a’ in C++, ‘installer’ in Nim) to /tmp, triggering separate infection chains. ‘a’ decrypted malware for data theft, including browser and Telegram data. ‘installer’ ensured persistence with deceptive Nim binaries. The malware used rare macOS injection, complex encryption, and WebSocket C2 comms to exfiltrate system and user data.
“SentinelLABS’ analysis shows that this process is used to decrypt two embedded binaries. The first carries an ad hoc signature and the identifier Target. The second has an ad hoc signature with the identifier trojan1_arm64. The Target binary is benign and appears to do nothing other than generate random numbers,” continues the analysis. “This kind of process injection technique is rare in macOS malware and requires specific entitlements to be performed; in this case, the InjectWithDyldArm64 binary has the following entitlements to allow the injection:
- com.apple.security.cs.debugger
- com.apple.security.get-task-allow”
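The two entitlements quoted above are a useful hunting signal on their own: an ad hoc-signed binary that carries both the debugger entitlement and get-task-allow has been granted what it needs to attach to and inject into other processes. The following is an added example, not SentinelOne's tooling or anything from the campaign. It parses an entitlements plist of the kind `codesign -d --entitlements :- <binary>` prints on macOS (that invocation is an assumption about the reader's workflow; the parser itself runs offline on the constructed sample embedded below) and rates how much of the injection capability the binary has been granted.

```python
"""Rate macOS entitlements that enable process injection.

Added example (not from the SentinelOne report). Input is an
entitlements plist as XML; the sample below is constructed and
mirrors the two entitlements the report attributes to
InjectWithDyldArm64.
"""
import plistlib

# Entitlements which, together, allow a process to task-port another
# process and inject code into it. Both are named in the report.
INJECTION_ENTITLEMENTS = (
    "com.apple.security.cs.debugger",
    "com.apple.security.get-task-allow",
)

# Constructed sample plist: both entitlements granted.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.debugger</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
"""


def granted_injection_entitlements(plist_bytes: bytes) -> list[str]:
    """Return the injection-related entitlements that are set to true.

    An entitlement present but set to <false/> does not count; a plist
    whose top level is not a dict (malformed or empty) yields nothing.
    """
    entitlements = plistlib.loads(plist_bytes)
    if not isinstance(entitlements, dict):
        return []
    return [k for k in INJECTION_ENTITLEMENTS if entitlements.get(k) is True]


def assess(plist_bytes: bytes) -> str:
    """Map the granted set to a triage rating.

    HIGH   : both entitlements granted, i.e. the injection capability
             described in the report is fully present.
    MEDIUM : only one of the two granted; worth a look but not the
             full combination.
    NONE   : neither granted.
    """
    found = granted_injection_entitlements(plist_bytes)
    if len(found) == len(INJECTION_ENTITLEMENTS):
        return "HIGH"
    if found:
        return "MEDIUM"
    return "NONE"


if __name__ == "__main__":
    # Stand-alone run over the constructed sample.
    print(granted_injection_entitlements(SAMPLE_ENTITLEMENTS))
    print(assess(SAMPLE_ENTITLEMENTS))
```

On a real host, pipe the entitlements of each ad hoc-signed Mach-O found under /tmp (where the report says the droppers landed) into `assess`; legitimate developer builds can carry get-task-allow alone, so treat the MEDIUM rating as context and the HIGH rating as the one to escalate.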
The two payloads maintain persistence by installing signal handlers that catch the SIGINT and SIGTERM termination signals and redeploy the core malware components. These are the signals delivered when a user or the system attempts to terminate a process, so an ordinary kill restarts the malware rather than removing it.
“SentinelLABS’ analysis of NimDoor shows how threat actors are continuing to explore cross-platform languages that introduce new levels of complexity for analysts. North Korean-aligned threat actors have previously experimented with Go and Rust, similarly combining scripts and compiled binaries into multi-stage attack chains.” concludes the report. “However, Nim’s rather unique ability to execute functions during compile time allows attackers to blend complex behaviour into a binary with less obvious control flow, resulting in compiled binaries in which developer code and Nim runtime code are intermingled even at the function level.”