
macOS NimDoor | North Korean Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

Severity: Medium
Published: Fri Jul 04 2025 (07/04/2025, 09:39:26 UTC)
Source: AlienVault OTX General

Description

DPRK threat actors are targeting Web3 and crypto-related businesses using Nim-compiled binaries and multiple attack chains. The malware, dubbed NimDoor, employs unusual techniques for macOS, including process injection and encrypted WebSocket communications. It uses a novel persistence mechanism leveraging signal handlers and deploys AppleScripts as beacons and backdoors. The attack chain begins with social engineering via Telegram, leading to the execution of malicious scripts and binaries. The malware exfiltrates browser data, Keychain credentials, and Telegram user information. The use of Nim introduces new levels of complexity for analysts, blending complex behavior into binaries with less obvious control flow.

AI-Powered Analysis

Last updated: 07/04/2025, 10:09:42 UTC

Technical Analysis

NimDoor is macOS malware attributed to North Korean (DPRK) threat actors and aimed at Web3 and cryptocurrency businesses. It is built from Nim-compiled binaries, which complicates analysis: Nim is rarely used for macOS malware, and its compiled output has less obvious control flow than analysts are used to. NimDoor uses techniques that are uncommon on macOS, including process injection, which runs its code inside legitimate processes, and encrypted WebSocket communications for command-and-control (C2) and data exfiltration. Its persistence mechanism is also novel, relying on signal handlers, an uncommon way to keep a foothold on an infected system. NimDoor additionally deploys AppleScripts that act as beacons and backdoors, giving the operators further control and exfiltration capability. The infection chain starts with social engineering over Telegram, where victims are lured into running malicious scripts and binaries. Once active, NimDoor collects browser data, macOS Keychain credentials and Telegram user information, from which the attackers can harvest authentication tokens, private keys and other credentials critical to Web3 and crypto platforms. Together these techniques point to a highly targeted campaign against the confidentiality and integrity of cryptocurrency assets and related infrastructure on macOS, and the choice of Nim combined with the multi-stage attack chain indicates a deliberate effort to evade detection and analysis.

Potential Impact

For European organizations involved in Web3, cryptocurrency trading, blockchain development, or crypto asset management, NimDoor poses a significant risk. The malware’s ability to exfiltrate Keychain credentials and browser data threatens the confidentiality of private keys and authentication tokens, potentially leading to unauthorized access to crypto wallets and platforms. This could result in direct financial losses, reputational damage, and regulatory scrutiny under GDPR due to the exposure of personal data. The persistence and stealth techniques increase the likelihood of prolonged undetected presence, enabling attackers to conduct extended espionage or asset theft. Given the increasing adoption of macOS devices in European tech sectors and the growing crypto economy, this threat could disrupt operations and erode trust in digital asset security. Furthermore, the targeting of Telegram user information may compromise communication confidentiality, impacting collaboration and incident response capabilities. The medium severity rating reflects the targeted nature and complexity, but the potential financial and operational impact on European crypto businesses is substantial.

Mitigation Recommendations

European organizations should implement targeted defenses beyond generic advice:

1) Enhance endpoint detection and response (EDR) solutions to specifically detect Nim-compiled binaries and monitor for unusual process injection and signal handler usage on macOS.
2) Deploy network monitoring to identify and decrypt suspicious WebSocket traffic patterns, especially encrypted communications to unknown external endpoints.
3) Restrict and monitor AppleScript execution, particularly scripts initiated from untrusted sources or Telegram-related processes.
4) Conduct user awareness training focused on social engineering via Telegram and other messaging platforms, emphasizing the risks of executing unsolicited scripts or binaries.
5) Enforce strict application whitelisting and macOS system integrity protections to prevent unauthorized persistence mechanisms.
6) Regularly audit and secure macOS Keychain access policies and browser credential storage.
7) Implement multi-factor authentication (MFA) on all crypto platforms and wallets to mitigate the impact of credential theft.
8) Maintain up-to-date threat intelligence feeds to detect emerging NimDoor variants and related TTPs.
9) Establish incident response plans tailored to macOS and crypto platform compromises, including forensic capabilities to analyze Nim binaries.


Technical Details

Author: AlienVault
TLP: white
References:
  https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware
Adversary: DPRK
Pulse Id: 6867a14ec736faf23ba172a2
Threat Score: null

Indicators of Compromise

Hashes (no descriptions were supplied with the pulse; digest type is inferred from length)

MD5 (32 hex characters):
  13c07ccb4117bfba9921e45c39b10339

SHA-1 (40 hex characters):
  023a15ac687e2d2e187d03e9976a89ef5f6c1617
  027d4020f2dd1eb473636bc112a84f0a90b6651c
  0602a5b8f089f957eeda51f81ac0f9ad4e336b87
  06566eabf54caafe36ebe94430d392b9cf3426ba
  08af4c21cd0a165695c756b6fda37016197b01e7
  16a6b0023ba3fde15bd0bba1b17a18bfa00a8f59
  1a5392102d57e9ea4dd33d3b7181d66b4d08d01d
  1e76f497051829fa804e72b9d14f44da5a531df8
  2c0177b302c4643c49dd7016530a4749298d964c
  2d746dda85805c79b5f6ea376f97d9b2f547da5d
  2ed2edec8ccc44292410042c730c190027b87930
  3168e996cb20bd7b4208d0864e962a4b70c5a0e7
  4743d5202dbe565721d75f7fb1eca43266a652d4
  5b16e9d6e92be2124ba496bf82d38fb35681c7ad
  79f37e0b728de2c5a4bfe8fcf292941d54e121b8
  7c04225a62b953e1268653f637b569a3b2eb06f8
  945fcd3e08854a081c04c06eeb95ad6e0d9cdc19
  a25c06e8545666d6d2a88c8da300cf3383149d5a
  bb72ca0e19a95c48a9ee4fd658958a0ae2af44b6
  c9540dee9bdb28894332c5a74f696b4f94e4680c
  e227e2e4a6ffb7280dfe7618be20514823d3e4f5
  ee3795f6418fc0cacbe884a8eb803498c2b5776f

SHA-256 (64 hex characters):
  469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f

Domains (no descriptions were supplied with the pulse)

  dataupload.store
  firstfromsep.online
  safeup.store
  writeup.live
  support.us05web-zoom.cloud
  support.us05web-zoom.forum
  support.us05web-zoom.pro
  support.us06web-zoom.online

Threat ID: 6867a4e46f40f0eb729fc14a

Added to database: 7/4/2025, 9:54:44 AM

Last enriched: 7/4/2025, 10:09:42 AM

Last updated: 7/4/2025, 10:21:50 PM
