Verticals Targeted: Cryptocurrency
Regions Targeted: Not Specified
Related Families: None
Executive Summary
NimDoor is a sophisticated macOS malware family deployed by North Korea-linked threat actors, likely Stardust Chollima, against Web3 and cryptocurrency organizations. Built from Nim and C++ binaries and AppleScript, and delivered through social engineering built around fake Zoom updates, NimDoor uses process injection, WebSocket command-and-control, and signal-based persistence to steal sensitive data.
Key Takeaways
- NimDoor is written in Nim, a language rarely seen in macOS malware; Nim's compile-time execution interleaves developer code with runtime code, which complicates static analysis.
- Attackers impersonate trusted contacts via Telegram, luring victims with fake Zoom SDK update scripts.
- A novel SIGINT/SIGTERM signal handler ensures persistence, reinstalling malware upon termination or reboot.
- Bash scripts steal Keychain credentials, browser data, and Telegram user information.
What is NimDoor?
SentinelOne identified NimDoor, a macOS malware campaign by North Korea-affiliated threat actors, likely Stardust Chollima, targeting Web3 and cryptocurrency organizations. The malware has been active since at least April 2025. NimDoor, named for its Nim-compiled binaries, represents an evolution in North Korea's offensive toolkit, blending social engineering with advanced technical tradecraft to compromise high-value targets.
The attack begins with social engineering: attackers impersonate trusted contacts on Telegram and invite victims to schedule a Zoom meeting via Calendly. Victims then receive an email with a malicious AppleScript disguised as a "Zoom SDK update." A typo in the script's comment ("Zook" instead of "Zoom") aids identification. Executing the script triggers a multi-stage infection that deploys two Mach-O binaries: a C++ binary and a Nim-compiled "installer." The C++ binary decrypts the payloads used for data theft, while the installer drops "GoogIe LLC" (with a capital I in place of the lowercase l, so it reads as "Google" at a glance) and "CoreKitAgent," and establishes persistence via a LaunchAgent.
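Two of the observables above are cheap to hunt for on an endpoint: a LaunchAgent whose Label imitates a trusted vendor with a look-alike character, and an AppleScript carrying the "Zook" typo and a hex-encoded payload. The following is an added example written for this page, not PolySwarm, SentinelOne or NimDoor code; the confusable table, the trusted-name list, the plist and the script are constructed for illustration and are not real NimDoor artefacts.

```python
"""Hunting helpers for the NimDoor delivery chain described above.

Added example, not PolySwarm, SentinelOne or NimDoor code. It checks
two observables the report names: a LaunchAgent label that imitates a
trusted vendor with a look-alike character ("GoogIe LLC", capital I in
place of lowercase l) and a "Zoom SDK update" AppleScript carrying the
"Zook" typo and a hex-encoded payload. The confusable table, trusted
names, and sample inputs are constructed for illustration.
"""
import plistlib
import re
import unicodedata
from typing import List, Optional

# Glyphs that render like another letter in common fonts (assumption:
# extend for your environment; Unicode TR39 has the full table).
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",
    "0": "o",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic p
    "\u0441": "c",  # Cyrillic c
}

# Vendor names an attacker would imitate (constructed allow-list).
TRUSTED_LABELS = ["Google LLC", "Apple Inc", "Zoom Video Communications"]

# 64+ contiguous hex digits handed to the shell is a reasonable proxy
# for a hex-encoded second stage.
HEX_BLOB = re.compile(r"[0-9a-fA-F]{64,}")


def skeleton(name: str) -> str:
    """Fold case and map confusable glyphs so look-alikes collide."""
    return "".join(CONFUSABLES.get(ch, ch.lower())
                   for ch in unicodedata.normalize("NFKC", name))


def is_lookalike(label: str, trusted=TRUSTED_LABELS) -> Optional[str]:
    """Return the trusted name `label` imitates, or None.

    The raw label must differ from the trusted name while the two
    skeletons collide; an exact match is not a look-alike.
    """
    for name in trusted:
        if label != name and skeleton(label) == skeleton(name):
            return name
    return None


def check_launch_agent(plist_xml: bytes) -> List[str]:
    """Flag a LaunchAgent whose Label imitates a trusted vendor."""
    agent = plistlib.loads(plist_xml)
    findings = []
    hit = is_lookalike(str(agent.get("Label", "")))
    if hit:
        findings.append(f"Label {agent['Label']!r} imitates {hit!r}")
    return findings


def scan_applescript(text: str) -> List[str]:
    """Flag the indicators the report attributes to the fake update script."""
    findings = []
    if re.search(r"\bZook\b", text):
        findings.append("typo 'Zook' in comment")
    if "do shell script" in text and HEX_BLOB.search(text):
        findings.append("hex-encoded payload passed to 'do shell script'")
    return findings


# Constructed samples (not real NimDoor artefacts).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>GoogIe LLC</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLE_SCRIPT = ("-- Zook SDK update helper\n"
                 "do shell script \"echo " + "6a" * 40 + " | xxd -r -p | sh\"\n")

if __name__ == "__main__":
    print(check_launch_agent(SAMPLE_PLIST))
    print(scan_applescript(SAMPLE_SCRIPT))
```

To use it on a live host, feed `check_launch_agent` the contents of each plist under `~/Library/LaunchAgents` and `/Library/LaunchAgents`, and `scan_applescript` the decompiled text of any `.scpt` a user received around the time of a suspicious Zoom invitation. A skeleton collision is only a triage signal: confirm the binary the agent launches and its code signature before acting.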
NimDoor's use of Nim, a cross-platform language, complicates analysis: Nim's compile-time execution interleaves developer code with runtime code, which hinders static analysis. North Korean threat actors have previously explored the same approach with Go and Rust. The malware employs process injection, a technique rarely seen on macOS, and communicates over TLS-encrypted WebSocket (wss) for command-and-control (C2). A hex-encoded AppleScript beacons every 30 seconds to one of two hardcoded C2 servers, exfiltrating the list of running processes and executing scripts sent back by the server, which gives the operators a backdoor.
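Because the C2 channel is TLS-wrapped, the content of the beacon is not visible on the wire; the detectable signal is its timing, a fixed 30-second cadence from one process to one destination. The following beacon-interval hunt is an added example written for this page, not PolySwarm or SentinelOne code. The event format, the `osascript` process name (assumed here because the report says the beacon is an AppleScript) and the documentation-range IP addresses are constructed; in practice the events would come from an EDR's network telemetry or from periodic `lsof`/`nettop` sampling.

```python
"""Beacon-interval hunt for the NimDoor C2 pattern described above.

Added example, not PolySwarm or SentinelOne code. The report says the
hex-encoded AppleScript beacons every 30 seconds over TLS WebSocket to
one of two hard-coded servers. Because the channel is encrypted, the
detectable signal is the timing: outbound connections from the same
process to the same destination at a near-constant interval. The
event format and all sample data below are constructed.
"""
from collections import defaultdict
from statistics import median, pstdev
from typing import Dict, List, Tuple

Event = Dict[str, object]      # {"ts": float, "process": str, "dst": str}
Hit = Tuple[str, str, float]   # (process, destination, median interval)


def find_beacons(events: List[Event], period: float = 30.0,
                 tolerance: float = 0.15, min_count: int = 5) -> List[Hit]:
    """Return (process, dst, median_gap) for connection series whose
    inter-arrival times cluster tightly around `period` seconds.

    `tolerance` bounds both the distance of the median gap from
    `period` and the spread of the gaps, as a fraction of `period`.
    """
    series: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for e in events:
        series[(str(e["process"]), str(e["dst"]))].append(float(e["ts"]))

    hits: List[Hit] = []
    for (proc, dst), times in series.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        jitter = pstdev(gaps)
        if abs(med - period) <= tolerance * period and jitter <= tolerance * period:
            hits.append((proc, dst, med))
    return hits


# Constructed sample: osascript phoning the same host:443 every ~30 s,
# alongside ordinary browser traffic. 203.0.113.10 and 198.51.100.7 are
# documentation addresses, not real indicators.
SAMPLE_EVENTS: List[Event] = (
    [{"ts": t, "process": "osascript", "dst": "203.0.113.10:443"}
     for t in (0.0, 30.2, 60.1, 90.3, 120.0, 150.2, 180.1)]
    + [{"ts": t, "process": "Safari", "dst": "198.51.100.7:443"}
       for t in (0.0, 5.0, 47.0, 48.0, 120.0, 300.0)]
)

if __name__ == "__main__":
    for proc, dst, gap in find_beacons(SAMPLE_EVENTS):
        print(f"{proc} -> {dst}: median interval {gap:.1f}s")
```

Legitimate software (update checkers, telemetry agents) also connects on fixed schedules, so a hit is a lead, not a verdict: pivot on the process (an `osascript` instance with no parent application is far more interesting than a browser) and on whether the destination appears in the IOC list below.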
A novel persistence mechanism installs SIGINT/SIGTERM signal handlers: if the process is terminated, the handler reinstalls NimDoor, and the LaunchAgent brings it back after a reboot. This is the first observed use of signal-based persistence in macOS malware. In practice, a responder who kills the process before removing the LaunchAgent and the dropped binaries will see the malware return. Bash scripts exfiltrate Keychain credentials, browser data (Chrome, Firefox, Brave, Arc, Edge), and Telegram databases, targeting cryptocurrency wallets and other sensitive information. The attack's sophistication, including the use of legitimate Zoom meetings as a distraction, underscores its targeted nature. NimDoor's emergence signals North Korean threat actors' focus on macOS in the crypto sector and demands heightened vigilance from analysts and executives.
Who is Stardust Chollima
Stardust Chollima, also known as TA444, APT38, and BlueNoroff, is a North Korea-nexus threat actor group active since at least 2014. The group is widely attributed to North Korea's Reconnaissance General Bureau (RGB), a military intelligence agency. It operates as a financially motivated subunit of the Lazarus Group, conducting cyber operations to fund the North Korean regime and bypassing international sanctions through cryptocurrency theft. Its activities align with state-directed goals of generating revenue and gathering intelligence.
Stardust Chollima employs sophisticated social engineering, including spear-phishing emails with malicious attachments or links to compromise victims. The group uses deepfake technology, such as impersonating executives in fake Zoom meetings, to trick employees into installing malicious software. They deploy custom malware, often disguised as legitimate applications like Zoom extensions, to gain initial access and maintain persistence. Stardust Chollima conducts extensive reconnaissance to tailor attacks, leveraging open-source and commercial tools for command-and-control and data exfiltration. They also exploit vulnerabilities in software to escalate privileges and move laterally within networks.
Stardust Chollima primarily targets cryptocurrency firms, financial institutions, and technology companies, with a focus on organizations in the United States, Europe, and Asia, particularly South Korea and Japan. The group seeks high-value targets for financial gain, such as crypto exchanges and blockchain-related entities.
IOCs
PolySwarm has multiple samples of NimDoor.
bcef50a375c8b4edbe7c80e220c1bb52f572ce379768fec3527d31c1d51138fc
0d1e3a9e6f3211b7e3072d736e9a2e6be363fc7c100b90bf7e1e9bee121e30df
9c48e2a01d852e08f923a4638ef391b6f89f263558cf2164bf1630c8320798c1
e6a7c54c01227adcb2a180e62f0082de1c13d61ae913cda379dd0f44a0d0567b
64c9347d794243be26e811b5eb90fb11c8e74e8aff504bf98481e5ccf9d72fe9
469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f
41660a23e5db77597994e17f9f773d02976f767276faf3b5bac0510807a9a36f
69a012ff46565169534ccefb175f87b3cc331b4f94cc5d223c29a036ed771f4e
74cbec210ba601caeb063d44e510fc012075b65a0482d3fa2d2d08837649356a
ea8a58bbb6d5614855a470b2d3630197e34fc372760b2b7fa27af8f3456525a6
7ffc83877389ebb86d201749d73b5e3706490070015522805696c9b94fa95ccb
You can use the following CLI command to search for all NimDoor samples in our portal:
$ polyswarm link list -f NimDoor
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.