MacOS Malware NimDoor Weaponizing Zoom SDK Update to Steal Keychain Credentials

A sophisticated MacOS malware campaign dubbed NimDoor has emerged, targeting Web3 and cryptocurrency organizations through weaponized Zoom SDK updates.

The malware, attributed to North Korea-linked threat actors likely associated with Stardust Chollima, represents a significant evolution in offensive capabilities against MacOS systems, having been active since at least April 2025.

The attack orchestration begins with elaborate social engineering tactics where threat actors impersonate trusted contacts on Telegram, inviting victims to schedule Zoom meetings via Calendly.

Victims subsequently receive malicious emails containing AppleScript disguised as legitimate “Zoom SDK updates.”

The malware’s creators inadvertently left identification markers, including a deliberate typo changing “Zoom” to “Zook” in script comments, which aids in detection and analysis.

PolySwarm analysts identified NimDoor’s unique utilization of the Nim programming language, a rare choice for MacOS malware that complicates static analysis through compile-time execution mechanisms.

This strategic language selection interleaves developer and runtime code, creating analytical obscurity that hinders traditional detection methodologies.

Upon execution, NimDoor triggers a multi-stage infection deploying two distinct Mach-O binaries: a C++ binary responsible for payload decryption and data theft operations, and a Nim-compiled “installer” that establishes persistence components.

The malware deploys deliberately misspelled components including “GoogIe LLC” and “CoreKitAgent” to evade suspicion while maintaining system persistence through LaunchAgent mechanisms.

Advanced Persistence and Communication Mechanisms

NimDoor introduces a groundbreaking persistence mechanism utilizing SIGINT/SIGTERM signal handlers, marking the first documented instance of such techniques in MacOS malware.

This novel approach ensures automatic malware reinstallation upon termination attempts or system reboots, significantly enhancing operational longevity.

The malware establishes command-and-control communications through TLS-encrypted WebSocket protocols, with hex-encoded AppleScript components beacons transmitting every 30 seconds to hardcoded servers.

These communications exfiltrate running process lists while enabling remote script execution capabilities, effectively creating a persistent backdoor into compromised systems.

-- Sample AppleScript structure (Note: "Zook" typo for identification)
-- Zoom SDK Update Script
-- Deploys Mach-O binaries for multi-stage infection

The malware’s data exfiltration capabilities target critical assets including Keychain credentials, browser data across multiple platforms (Chrome, Firefox, Brave, Arc, Edge), and Telegram databases containing cryptocurrency wallet information and sensitive communications.

Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now