NimDoor MacOS Malware Abuses Zoom SDK Updates to Steal Keychain Credentials

SentinelOne researchers have discovered NimDoor, a sophisticated macOS malware campaign attributed to North Korean-affiliated attackers, most likely the Stardust Chollima group, amid a notable increase in cyber threats targeting the bitcoin industry.

Active since at least April 2025, NimDoor relies on social engineering, masquerading as Zoom SDK updates to infiltrate Web3 and crypto organizations, with the ultimate aim of exfiltrating sensitive data such as Keychain credentials, browser histories, and Telegram user information.

Target Web3 and Crypto Organizations

The malware’s name derives from its heavy reliance on Nim-compiled binaries, a rare choice for macOS threats. Nim’s compile-time execution lets developer code be interleaved with runtime code, which complicates static analysis and helps the binaries evade detection.

According to a PolySwarm report, this approach builds on North Korean actors’ prior experiments with languages like Go and Rust, marking an evolution in their offensive capabilities against high-value targets.

The infection chain begins with attackers impersonating trusted contacts via Telegram, luring victims into scheduling Zoom meetings through Calendly.

Victims then receive phishing emails containing a malicious AppleScript disguised as a “Zoom SDK update,” identifiable by a subtle typo (“Zook” instead of “Zoom”) in its comments.

Upon execution, the script deploys two Mach-O binaries: a C++-based component for decrypting and executing payloads focused on data theft, and a Nim-compiled “installer” that plants persistence mechanisms.

These include masquerading as legitimate processes like “GoogIe LLC” (intentionally misspelled) and “CoreKitAgent,” configured via a LaunchAgent plist file to ensure automatic execution on system startup.
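The LaunchAgent masquerade described above can be checked for from the defender's side. The following is an added example, not code from the article or from SentinelOne: it parses LaunchAgent plists and flags labels that imitate a vendor through letter substitution (the capital I in "GoogIe") and RunAtLoad agents whose program runs from outside trusted system directories. The brand list, trusted-path rules and the sample plist are constructed assumptions for this example.

```python
"""Audit macOS LaunchAgent plists for the masquerading patterns described above:
labels with letter substitutions ("GoogIe" with a capital I for the l) and
RunAtLoad agents whose program lives outside trusted system directories.
Brand list, path rules and SAMPLE_PLIST are constructed for this example."""
import plistlib
from pathlib import Path

IMITATED_BRANDS = {"google", "apple", "zoom", "microsoft"}  # constructed list
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/bin/", "/Applications/")

def fold_confusables(label: str) -> str:
    """Map the substitutions used in the 'GoogIe LLC' label back to canonical letters."""
    return label.replace("I", "l").replace("0", "o").lower()

def audit_plist(plist: dict) -> list[str]:
    """Return findings for one parsed LaunchAgent plist (empty list = clean)."""
    findings = []
    label = str(plist.get("Label", ""))
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    folded = fold_confusables(label)
    for brand in IMITATED_BRANDS:
        # Flag only when folding changed the match: "Google LLC" passes, "GoogIe LLC" does not.
        if brand in folded and brand not in label.lower():
            findings.append(f"label '{label}' imitates '{brand}' via letter substitution")
    if plist.get("RunAtLoad") and program and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"RunAtLoad agent executes '{program}' outside trusted directories")
    return findings

def audit_plist_bytes(data: bytes) -> list[str]:
    return audit_plist(plistlib.loads(data))

def scan_launch_agents(directories) -> dict[str, list[str]]:
    """Walk LaunchAgent directories and collect findings per plist file."""
    results = {}
    for path in (p for d in directories for p in Path(d).glob("*.plist")):
        try:
            findings = audit_plist_bytes(path.read_bytes())
        except (plistlib.InvalidFileException, OSError) as exc:
            findings = [f"unreadable plist: {exc}"]
        if findings:
            results[str(path)] = findings
    return results

# Constructed sample mimicking the masquerade described in the article.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>GoogIe LLC</string>
<key>ProgramArguments</key><array><string>/Users/victim/Library/GoogIe LLC/CoreKitAgent</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
```

On a live host, call `scan_launch_agents(["~/Library/LaunchAgents", "/Library/LaunchAgents"])` with the home path expanded; every finding should then be reviewed against the binary's code signature rather than treated as a verdict on its own.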

Advanced Use of Nim Language

NimDoor’s technical sophistication extends to process injection, a technique uncommon on macOS, which enables it to hijack legitimate processes for stealthy operations.

Command-and-control (C2) communications occur over TLS-encrypted WebSocket (wss) channels, with a hex-encoded AppleScript beaconing every 30 seconds to hardcoded C2 servers.

This backdoor functionality allows remote script execution and exfiltration of running process lists, facilitating lateral movement and reconnaissance.

A particularly novel feature is its SIGINT/SIGTERM signal handler, which intercepts termination signals to trigger reinstallation of the malware when it is killed or the system reboots, representing a first-of-its-kind persistence method on macOS.

Embedded Bash scripts further enhance NimDoor’s data theft capabilities, systematically extracting credentials from the macOS Keychain, browsing data from popular applications including Chrome, Firefox, Brave, Arc, and Edge, as well as Telegram databases containing wallet addresses and session details.

Attackers incorporate distractions, such as scheduling legitimate Zoom calls, to lower victim suspicion during the compromise.

This blend of social engineering and advanced malware engineering underscores Stardust Chollima’s (also known as TA444, APT38, or BlueNoroff) modus operandi.

As a subunit of the Lazarus Group under North Korea’s Reconnaissance General Bureau, the group has been active since 2014, focusing on financial gains through cryptocurrency theft to circumvent sanctions.

Their tactics often involve spear-phishing, deepfakes, and vulnerability exploitation, targeting entities in the US, Europe, and Asia, particularly in South Korea and Japan.

The emergence of NimDoor highlights the growing threat to macOS ecosystems in the crypto domain, urging organizations to implement robust endpoint detection, scrutinize third-party updates, and monitor for anomalous signal handling or WebSocket traffic.

Analysts recommend vigilance against impersonation on platforms like Telegram and verification of software sources to mitigate such targeted attacks.

Indicators of Compromise (IOCs)

SHA-256 Hash