
Malicious MacOS Software, NimDoor, Abuses Zoom SDK Update to Sneakily Obtain Keychain Passwords

Malicious software for MacOS, named NimDoor, tricks cryptocurrency companies by disguising itself as updated Zoom SDKs, luring victims through Telegram, and employing AppleScript. This cyber threat bears ties to North Korean hacking groups.

Image caption: a Zoom software update on macOS compromised by NimDoor malware led to the theft of passwords stored in the Keychain.


A new and advanced macOS malware, named NimDoor, has emerged, targeting organizations within the Web3 and cryptocurrency sectors. This malware is attributed to North Korea-linked threat actors, possibly associated with the Stardust Chollima group [1].

### Operation and Social Engineering Tactics

NimDoor initiates its infection through social engineering on Telegram, where attackers impersonate trusted contacts to lure victims into scheduling Zoom meetings via tools like Calendly [2]. Upon receiving an email with a malicious AppleScript disguised as a "Zoom SDK update," victims unknowingly execute the script, which silently installs the malware [4]. A minor typo in the script, changing "Zoom" to "Zook," served as a clue for researchers to identify the attack vector [1].

### Unique Utilization of Nim Language

The malware deploys multiple components written in a combination of C++, Nim, and AppleScript. The Nim-compiled binaries include:

- The 'installer' handles the initial setup, prepares directories and configuration paths, and drops other payload binaries [3].
- 'GoogIe LLC' (intentionally misspelled with a capital "I" to mimic legitimate processes) collects environment data, generates hex-encoded configuration files, and installs a LaunchAgent plist ("com.google.update.plist") for persistence, so that it automatically executes at system startup [1][3][5].
- 'CoreKitAgent' serves as the main payload, acting as an event-driven binary using macOS's kqueue mechanism. It features a sophisticated 10-case state machine controlling its runtime behavior and implements novel signal handlers for SIGINT and SIGTERM, allowing the malware to intercept termination signals and trigger its reinstallation [1][3].

### Persistence Mechanisms

Persistence is primarily maintained through the com.google.update.plist LaunchAgent file, which relaunches parts of NimDoor at login, and the innovative signal-based persistence where the malware catches termination signals (SIGINT, SIGTERM) to reinstall itself if stopped or on system reboot, ensuring resilience against removal [1][3].
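The LaunchAgent persistence described in the component list and in this section gives a defender two concrete things to look for: a plist whose label imitates a vendor updater but whose program lives in a user-writable location, and a look-alike character in the binary's name (the capital "I" in "GoogIe LLC"). The script below is an added example, not code from the article or from any of the cited reports; it audits LaunchAgent plists for both traits. The two sample plists are constructed for the demonstration and the home-directory path, the `CONFUSABLES` mapping and the `VENDOR_PREFIXES` list are assumptions of this example.

```python
"""Audit macOS LaunchAgent plists for NimDoor-style persistence traits.
Added example; the plists below are constructed, not real files."""
import plistlib
import re
from pathlib import Path
from typing import Dict, List

# Label prefixes that malware commonly imitates (assumption of this example).
# A real updater from these vendors is not expected to run from /Users/....
VENDOR_PREFIXES = ("com.google.", "com.apple.", "us.zoom.")

# Look-alike glyph substitutions to undo: capital I or digit 1 for l, 0 for o.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})
CANONICAL_NAMES = ("Google", "Apple", "Zoom")

# Constructed sample plists: one mimicking the article's com.google.update.plist,
# one ordinary developer tool installed under /Applications.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "com.google.update.plist": plistlib.dumps({
        "Label": "com.google.update",
        "ProgramArguments": [
            "/Users/alice/Library/Application Support/GoogIe LLC/GoogIe LLC"
        ],
        "RunAtLoad": True,
    }),
    "com.example.devtool.plist": plistlib.dumps({
        "Label": "com.example.devtool",
        "ProgramArguments": ["/Applications/DevTool.app/Contents/MacOS/helper",
                             "--daemon"],
        "RunAtLoad": True,
    }),
}


def homoglyph_of(token: str, canonical: str) -> bool:
    """True when `token` only spells `canonical` after mapping look-alike glyphs,
    e.g. 'GoogIe' (capital I) for 'Google'. An exact match is not a homoglyph."""
    if token.lower() == canonical.lower():
        return False
    return token.translate(CONFUSABLES).lower() == canonical.lower()


def audit_launch_agent(filename: str, plist_bytes: bytes) -> List[str]:
    """Return human-readable findings for one LaunchAgent plist."""
    findings: List[str] = []
    try:
        data = plistlib.loads(plist_bytes)
    except plistlib.InvalidFileException:
        return [f"{filename}: not a valid plist (manual review)"]

    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or []
    program = str(data.get("Program") or (args[0] if args else ""))

    # Trait 1: vendor-style label, but the program is in a user-writable path.
    if label.startswith(VENDOR_PREFIXES) and program.startswith("/Users/"):
        findings.append(
            f"{filename}: vendor-style label {label!r} runs from home directory {program!r}")

    # Trait 2: a path component that imitates a vendor name with look-alike glyphs.
    for word in sorted(set(re.findall(r"[A-Za-z0-9]+", program))):
        for canonical in CANONICAL_NAMES:
            if homoglyph_of(word, canonical):
                findings.append(
                    f"{filename}: look-alike token {word!r} for {canonical!r} in program path")
    return findings


def audit_all(plists: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Audit a mapping of filename -> plist bytes; only files with findings are returned."""
    results = {name: audit_launch_agent(name, blob) for name, blob in plists.items()}
    return {name: f for name, f in results.items() if f}


def scan_user_launch_agents() -> Dict[str, List[str]]:
    """Read the current user's ~/Library/LaunchAgents and audit every *.plist."""
    agents_dir = Path.home() / "Library" / "LaunchAgents"
    plists = {p.name: p.read_bytes() for p in agents_dir.glob("*.plist")} if agents_dir.is_dir() else {}
    return audit_all(plists)


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PLISTS).items():
        for line in findings:
            print(line)
    for name, findings in scan_user_launch_agents().items():
        for line in findings:
            print(line)
```

The home-directory check is a heuristic: some legitimate vendor updaters do run from the user's Library folder, so a real deployment would pair it with an allowlist of known-good program paths rather than treating every hit as malicious.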

### Data Exfiltration Capabilities

Once established, NimDoor executes embedded Bash scripts to systematically steal sensitive data, including credentials from the macOS iCloud Keychain, browsing data from popular browsers like Google Chrome, Firefox, Brave, Arc, and Microsoft Edge, and user data from Telegram databases, including wallet addresses and session information [1]. Communication with its command-and-control (C2) servers takes place over TLS-encrypted WebSocket (wss) channels, with the malware sending a hex-encoded AppleScript beacon every 30 seconds [1].
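A beacon sent every 30 seconds is a timing signature, and timing survives TLS. The script below is an added example, not code from the article or from the cited reports: it groups outbound connection records by process and destination and flags any flow whose inter-arrival gaps are nearly constant. It generalizes beyond the 30-second case in the text by recovering the period from the data instead of assuming it. The log format, the process name in the sample and the destination address (a documentation-range IP) are constructed for this demonstration.

```python
"""Detect fixed-interval beaconing in outbound connection records.
Added example; SAMPLE_LOG is constructed, not captured from a real host."""
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed connection log: one process phoning home every 30 s over wss,
# one browser with irregular traffic. Format is an assumption of this example.
SAMPLE_LOG = """\
2025-07-01T10:00:00Z proc=CoreKitAgent dst=203.0.113.10:443 proto=wss bytes=412
2025-07-01T10:00:05Z proc=Safari dst=198.51.100.7:443 proto=https bytes=18233
2025-07-01T10:00:30Z proc=CoreKitAgent dst=203.0.113.10:443 proto=wss bytes=410
2025-07-01T10:00:47Z proc=Safari dst=198.51.100.7:443 proto=https bytes=9021
2025-07-01T10:01:00Z proc=CoreKitAgent dst=203.0.113.10:443 proto=wss bytes=414
2025-07-01T10:01:30Z proc=CoreKitAgent dst=203.0.113.10:443 proto=wss bytes=412
2025-07-01T10:01:52Z proc=Safari dst=198.51.100.7:443 proto=https bytes=3300
2025-07-01T10:02:00Z proc=CoreKitAgent dst=203.0.113.10:443 proto=wss bytes=411
2025-07-01T10:02:30Z proc=CoreKitAgent dst=203.0.113.10:443 proto=wss bytes=413
2025-07-01T10:04:10Z proc=Safari dst=198.51.100.7:443 proto=https bytes=5100
"""

FlowKey = Tuple[str, str, str]  # (process, destination, protocol)


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split 'TIMESTAMP key=value ...' into a UTC datetime and a field dict."""
    ts_str, *kvs = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, dict(kv.split("=", 1) for kv in kvs)


def group_flows(log_text: str) -> Dict[FlowKey, List[datetime]]:
    """Collect sorted connection timestamps per (proc, dst, proto) flow."""
    flows: Dict[FlowKey, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        flows[(f["proc"], f["dst"], f["proto"])].append(ts)
    for times in flows.values():
        times.sort()
    return flows


def find_beacons(log_text: str, min_events: int = 5,
                 max_jitter_ratio: float = 0.1) -> List[Dict[str, object]]:
    """Flag flows with at least `min_events` connections whose gaps are nearly
    constant: population stdev of the gaps divided by their median is below
    `max_jitter_ratio`. Returns one record per suspicious flow."""
    hits: List[Dict[str, object]] = []
    for (proc, dst, proto), times in group_flows(log_text).items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue  # bursts at the same second are not periodic beacons
        jitter_ratio = statistics.pstdev(gaps) / period
        if jitter_ratio <= max_jitter_ratio:
            hits.append({"proc": proc, "dst": dst, "proto": proto,
                         "events": len(times), "period": period,
                         "jitter_ratio": jitter_ratio})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['proc']} -> {hit['dst']} ({hit['proto']}): "
              f"{hit['events']} connections, period {hit['period']:.0f}s")
```

Real implants often add random sleep to the interval, which is why the check is on the jitter ratio rather than on an exact period; loosening `max_jitter_ratio` trades false negatives for false positives, and legitimate periodic clients (mail polling, update checks) will also surface, so the output is a triage list, not a verdict.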

In summary, NimDoor is a highly sophisticated, multi-language, persistent malware threat that targets valuable cryptocurrency-related assets on macOS, employing both technical innovation and strategic social engineering to maintain stealth and maximize data theft [1][2][3][4].

**References:**

[1] PolySwarm, 2025. "NimDoor: A New macOS Malware Targeting Web3 and Cryptocurrency Organizations." [online] Available at:
[2] Cybersecurity Insiders, 2025. "NimDoor: North Korea-Linked MacOS Malware Targets Cryptocurrency Organizations." [online] Available at:
[3] The Hacker News, 2025. "NimDoor: macOS Malware Using Nim Programming Language, North Korea Links." [online] Available at:

  1. The advanced NimDoor malware, targeting the Web3 and cryptocurrency sectors, is notable for deploying components written in the Nim language alongside AppleScript, making it a sophisticated threat in the realm of cybersecurity.
  2. With its persistence mechanisms and innovative signal-handling capabilities, NimDoor poses a significant data-exfiltration risk to organizations holding valuable cryptocurrency assets, showcasing the kind of threat that cybersecurity teams need to address.
