Insights, news, education and announcements from PolySwarm

NimDoor MacOS Malware

Written by The Hivemind | Jul 14, 2025 6:34:09 PM

Verticals Targeted: Cryptocurrency
Regions Targeted: Not Specified
Related Families: None

Executive Summary

NimDoor is a sophisticated MacOS malware deployed by North Korea-linked threat actors, likely Stardust Chollima, targeting Web3 and cryptocurrency organizations. Utilizing Nim and C++ binaries, AppleScript, and social engineering via fake Zoom updates, NimDoor employs process injection, WebSocket communications, and signal-based persistence to steal sensitive data.

Key Takeaways

  • NimDoor leverages the Nim programming language, rare for MacOS, to evade detection through complex compile-time execution.
  • Attackers impersonate trusted contacts via Telegram, luring victims with fake Zoom SDK update scripts.
  • A novel SIGINT/SIGTERM signal handler ensures persistence, reinstalling malware upon termination or reboot.
  • Bash scripts steal Keychain credentials, browser data, and Telegram user information.

What is NimDoor?

SentinelOne identified NimDoor , a MacOS malware campaign by North Korea-affiliated threat actors, likely Stardust Chollima, targeting Web3 and cryptocurrency organizations. The malware has been active since at least April 2025. NimDoor, named for its Nim-compiled binaries, represents an evolution in North Korea’s offensive toolkit, blending social engineering with advanced technical tactics to compromise high-value targets.

The attack begins with social engineering, where attackers impersonate trusted contacts on Telegram, inviting victims to schedule Zoom meetings via Calendly. Victims receive an email with a malicious AppleScript disguised as a “Zoom SDK update.” A typo in the script’s comment (“Zook” instead of “Zoom”) aids its identification. Execution triggers a multi-stage infection, deploying two Mach-O binaries: a C++ binary and a Nim-compiled “installer.” The C++ binary decrypts payloads for data theft, while the installer deploys “GoogIe LLC” (misspelled to evade suspicion) and “CoreKitAgent,” ensuring persistence via a LaunchAgent.

NimDoor’s use of Nim, a cross-platform language, complicates analysis due to its compile-time execution, interleaving developer and runtime code. This obscurity hinders static analysis, a tactic North Korean threat actors previously explored with Go and Rust. The malware employs process injection, rare on MacOS, and communicates via TLS-encrypted WebSocket (wss) for stealthy command-and-control (C2). A hex-encoded AppleScript beacons every 30 seconds to one of two hardcoded C2 servers, exfiltrating running process lists and executing remote scripts as a backdoor.

A novel persistence mechanism leverages SIGINT/SIGTERM signal handlers, reinstalling NimDoor if terminated or upon system reboot, a first for MacOS malware. Bash scripts exfiltrate Keychain credentials, browser data (Chrome, Firefox, Brave, Arc, Edge), and Telegram databases, targeting cryptocurrency wallets and sensitive information. The attack’s sophistication, including distraction via legitimate Zoom meetings, underscores its targeted nature. NimDoor’s emergence signals North Korean threat actors' focus on MacOS in the crypto sector, demanding heightened vigilance from analysts and executives.

Who is Stardust Chollima

Stardust Chollima, also known as TA444, APT38, and BlueNoroff, is a North Korea nexus threat actor group active since at least 2014. The group is widely attributed to North Korea’s Reconnaissance General Bureau (RGB), a military intelligence agency. They operate as a financially motivated subunit of the Lazarus Group, conducting cyber operations to fund the North Korean regime, often bypassing international sanctions through cryptocurrency theft. Their activities align with state-directed goals of generating revenue and gathering intelligence.  

Stardust Chollima employs sophisticated social engineering, including spear-phishing emails with malicious attachments or links to compromise victims. The group uses deepfake technology, such as impersonating executives in fake Zoom meetings, to trick employees into installing malicious software. They deploy custom malware, often disguised as legitimate applications like Zoom extensions, to gain initial access and maintain persistence. Stardust Chollima conducts extensive reconnaissance to tailor attacks, leveraging open-source and commercial tools for command-and-control and data exfiltration. They also exploit vulnerabilities in software to escalate privileges and move laterally within networks.  

Stardust Chollima primarily targets cryptocurrency firms, financial institutions, and technology companies, with a focus on organizations in the United States, Europe, and Asia, particularly South Korea and Japan. The group seeks high-value targets for financial gain, such as crypto exchanges and blockchain-related entities.  

IOCs

PolySwarm has multiple samples of NimDoor.

 

bcef50a375c8b4edbe7c80e220c1bb52f572ce379768fec3527d31c1d51138fc

0d1e3a9e6f3211b7e3072d736e9a2e6be363fc7c100b90bf7e1e9bee121e30df

9c48e2a01d852e08f923a4638ef391b6f89f263558cf2164bf1630c8320798c1

e6a7c54c01227adcb2a180e62f0082de1c13d61ae913cda379dd0f44a0d0567b

64c9347d794243be26e811b5eb90fb11c8e74e8aff504bf98481e5ccf9d72fe9

469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f

41660a23e5db77597994e17f9f773d02976f767276faf3b5bac0510807a9a36f

69a012ff46565169534ccefb175f87b3cc331b4f94cc5d223c29a036ed771f4e

74cbec210ba601caeb063d44e510fc012075b65a0482d3fa2d2d08837649356a

ea8a58bbb6d5614855a470b2d3630197e34fc372760b2b7fa27af8f3456525a6

7ffc83877389ebb86d201749d73b5e3706490070015522805696c9b94fa95ccb

 

You can use the following CLI command to search for all NimDoor samples in our portal:

$ polyswarm link list -f NimDoor

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

 
View full post