macOS NimDoor | North Korean Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware
DPRK threat actors are targeting Web3 and crypto-related businesses using Nim-compiled binaries and multiple attack chains. The malware, dubbed NimDoor, employs unusual techniques for macOS, including process injection and encrypted WebSocket communications. It uses a novel persistence mechanism leveraging signal handlers and deploys AppleScripts as beacons and backdoors. The attack chain begins with social engineering via Telegram, leading to the execution of malicious scripts and binaries. The malware exfiltrates browser data, Keychain credentials, and Telegram user information. The use of Nim introduces new levels of complexity for analysts, blending complex behavior into binaries with less obvious control flow.
AI Analysis
Technical Summary
NimDoor is attributed to North Korean (DPRK) threat actors and is aimed at Web3 and cryptocurrency-related businesses. Its components are written in Nim. Nim compiles to C, so the resulting Mach-O binaries interleave the author's logic with Nim's runtime (garbage collector, exception handling and stack-frame bookkeeping), and Nim's compile-time code execution lets behaviour be folded into the binary in ways that leave control flow less obvious to an analyst. The language is still rare in macOS malware, so both off-the-shelf signatures and analyst familiarity are thin; this is an analysis cost, not true obfuscation.

Several of the techniques are unusual for macOS malware. NimDoor injects code into other processes rather than running everything under its own name. Its command-and-control channel is an encrypted WebSocket session, which blends with ordinary TLS traffic on the wire. Persistence relies on signal handlers: the SentinelOne report referenced below describes handlers for termination signals (SIGINT and SIGTERM) that reinstall the LaunchAgent and binaries when the process is killed, so a naive kill re-triggers the install instead of removing it. AppleScripts are used as lightweight beacons and backdoors, giving the operator a second channel for tasking and data exfiltration that does not depend on the main binary.

The infection chain begins with social engineering over Telegram, where victims are lured into executing malicious scripts and binaries. Once running, NimDoor collects browser data, macOS Keychain material and Telegram user information, handing the actor session tokens, saved passwords and potentially private keys kept in browser wallets or the Keychain, all of which are directly monetisable against Web3 and crypto platforms. The multi-stage chain and the choice of Nim point to an operation built to evade detection and slow analysis rather than an opportunistic campaign.
Potential Impact
For European organisations involved in Web3, cryptocurrency trading, blockchain development or crypto asset custody, NimDoor poses a significant risk. Exfiltration of Keychain contents and browser data exposes session tokens, saved passwords and any private keys kept in browser wallets, which can translate directly into unauthorised transfers from wallets and exchange accounts. Because on-chain theft is irreversible, the financial loss is immediate; reputational damage and GDPR obligations follow if personal data (including the harvested Telegram user information) was exposed. The signal-handler persistence and encrypted C2 raise the chance of a long undetected presence, turning a single compromised developer Mac into a platform for extended espionage or staged theft. Loss of Telegram data also undermines the confidentiality of internal communications, including incident coordination, where teams rely on Telegram. The medium severity rating reflects a targeted campaign that requires user interaction; the impact on an affected crypto business is nonetheless substantial.
Mitigation Recommendations
European organisations should implement targeted defences beyond generic advice:
1) Endpoint detection: tune EDR to flag Nim-compiled binaries (Nim runtime symbol and source-path strings such as NimMain), cross-process memory writes and remote thread creation on macOS, and any process that re-creates a LaunchAgent plist or a copy of itself immediately after receiving a termination signal.
2) Network monitoring: the encrypted WebSocket channel will not be readable without TLS interception, so alert on WebSocket upgrades and TLS sessions to newly registered or lookalike domains (the IOC domains imitate Zoom's real usNNweb.zoom.us hosts by joining the labels with a hyphen) and block the listed domains at the resolver.
3) AppleScript: log osascript executions and alert on scripts that reach the network or are launched from a terminal shortly after a Telegram conversation or a Zoom-themed support interaction; restrict Automation permissions via MDM where a role does not need them.
4) User awareness: train staff on social engineering over Telegram and similar messaging platforms, stressing that scripts and binaries sent in chat, including Zoom-themed support lures consistent with the lookalike domains in the IOC list, must never be run.
5) Execution control: enforce Gatekeeper and notarisation, use application allow-listing where feasible, and audit ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons regularly. Note that System Integrity Protection does not prevent user-level LaunchAgent persistence.
6) Credential hygiene: treat the login Keychain and browser-stored secrets of a compromised user as exposed and rotate them; keep wallet keys in hardware wallets or HSM-backed signers rather than browser extensions.
7) MFA: enforce phishing-resistant MFA (FIDO2/passkeys) on crypto platforms and exchanges, and invalidate active sessions after a suspected compromise, since stolen session tokens bypass the login step entirely.
8) Threat intelligence: keep feeds current for new NimDoor variants and related TTPs and ingest the indicators on this page.
9) Incident response: prepare macOS-specific playbooks with the capability to analyse Nim binaries. Because persistence is triggered from signal handlers, remove the LaunchAgent plist and dropped binaries first, then stop the process with SIGKILL (which cannot be caught) or freeze it with SIGSTOP for memory capture; a plain SIGTERM will re-trigger the install.
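The first recommendation asks EDR to recognise Nim-compiled Mach-O binaries. The following Python triage script is an added example for this page, not code from the SentinelOne report or the OTX pulse. The marker strings are symbol names and a source-path fragment that the Nim compiler's runtime leaves in its output; requiring two or more of them in a Mach-O file is an assumed triage threshold, not a published signature, and the sample inputs are constructed stubs rather than real samples.

```python
"""Heuristic triage of macOS binaries for Nim-compiled code.

Added example for this page, not tooling from the SentinelOne report or the
OTX pulse. The marker strings are symbol and source-path fragments that the Nim
compiler's runtime leaves in its output; treating two or more of them in a
Mach-O file as "likely Nim" is an assumed threshold for triage, not a
published signature. Stripping removes most symbol names, but source paths
embedded for Nim's stack traces usually survive, which is why both kinds of
marker are listed.
"""
import sys
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Mach-O magic values (0xCAFEBABE is also the Java class-file magic, so a fat
# hit should be confirmed by a per-architecture header in real use).
MACHO_MAGICS = {
    0xFEEDFACE: "Mach-O 32-bit",
    0xFEEDFACF: "Mach-O 64-bit",
    0xCAFEBABE: "Mach-O universal (fat)",
}

# Nim runtime markers: exported entry points, stack-frame bookkeeping symbols
# and the standard-library path that shows up in embedded stack-trace strings.
NIM_MARKERS = [
    b"NimMain",
    b"NimMainModule",
    b"nimFrame",
    b"popFrame",
    b"nimGC_setStackBottom",
    b"lib/system/",
    b"system.nim",
]


def macho_kind(data: bytes) -> Optional[str]:
    """Identify a Mach-O file by its magic, accepting either byte order."""
    if len(data) < 4:
        return None
    big = int.from_bytes(data[:4], "big")
    little = int.from_bytes(data[:4], "little")
    for magic, name in MACHO_MAGICS.items():
        if big == magic or little == magic:
            return name
    return None


def nim_markers(data: bytes) -> List[str]:
    """Return the Nim runtime markers present in the file, in list order."""
    return [m.decode() for m in NIM_MARKERS if m in data]


def triage(data: bytes, min_markers: int = 2) -> Dict[str, object]:
    """Classify one file; only Mach-O files can be 'likely_nim'."""
    kind = macho_kind(data)
    hits = nim_markers(data)
    return {
        "format": kind,
        "nim_markers": hits,
        "likely_nim": kind is not None and len(hits) >= min_markers,
    }


def scan_tree(root: Path, min_markers: int = 2) -> List[Tuple[str, List[str]]]:
    """Walk a directory and report Mach-O files that look Nim-compiled."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.is_symlink():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue
        result = triage(data, min_markers)
        if result["likely_nim"]:
            findings.append((str(path), result["nim_markers"]))
    return findings


# Constructed sample inputs (not real samples): a 64-bit Mach-O header stub
# followed by strings a Nim build leaves behind, a clang-built stub, and a
# shell script that is not Mach-O at all.
MACHO64_STUB = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
SAMPLE_NIM = MACHO64_STUB + (
    b"NimMain\x00nimFrame\x00"
    b"/Users/build/.choosenim/toolchains/nim-2.0.0/lib/system/excpt.nim\x00"
)
SAMPLE_CLANG = MACHO64_STUB + b"_main\x00__TEXT\x00_printf\x00"
SAMPLE_SCRIPT = b"#!/bin/zsh\necho hello\n"


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/Applications")
    for found, markers in scan_tree(root):
        print(f"{found}: {', '.join(markers)}")
```

Run it against a directory (for example `~/Library` on a suspect host) and treat hits as triage candidates for sandboxing or hash lookup, not as convictions: legitimate Nim software exists, and a fully stripped binary with no embedded paths will be missed, so pair this with the behavioural signals in the list above.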
Affected Countries
Germany, United Kingdom, France, Netherlands, Switzerland, Estonia
Indicators of Compromise
- hash (MD5): 13c07ccb4117bfba9921e45c39b10339
- hash (SHA-1): 023a15ac687e2d2e187d03e9976a89ef5f6c1617
- hash (SHA-1): 027d4020f2dd1eb473636bc112a84f0a90b6651c
- hash (SHA-1): 0602a5b8f089f957eeda51f81ac0f9ad4e336b87
- hash (SHA-1): 06566eabf54caafe36ebe94430d392b9cf3426ba
- hash (SHA-1): 08af4c21cd0a165695c756b6fda37016197b01e7
- hash (SHA-1): 16a6b0023ba3fde15bd0bba1b17a18bfa00a8f59
- hash (SHA-1): 1a5392102d57e9ea4dd33d3b7181d66b4d08d01d
- hash (SHA-1): 1e76f497051829fa804e72b9d14f44da5a531df8
- hash (SHA-1): 2c0177b302c4643c49dd7016530a4749298d964c
- hash (SHA-1): 2d746dda85805c79b5f6ea376f97d9b2f547da5d
- hash (SHA-1): 2ed2edec8ccc44292410042c730c190027b87930
- hash (SHA-1): 3168e996cb20bd7b4208d0864e962a4b70c5a0e7
- hash (SHA-1): 4743d5202dbe565721d75f7fb1eca43266a652d4
- hash (SHA-1): 5b16e9d6e92be2124ba496bf82d38fb35681c7ad
- hash (SHA-1): 79f37e0b728de2c5a4bfe8fcf292941d54e121b8
- hash (SHA-1): 7c04225a62b953e1268653f637b569a3b2eb06f8
- hash (SHA-1): 945fcd3e08854a081c04c06eeb95ad6e0d9cdc19
- hash (SHA-1): a25c06e8545666d6d2a88c8da300cf3383149d5a
- hash (SHA-1): bb72ca0e19a95c48a9ee4fd658958a0ae2af44b6
- hash (SHA-1): c9540dee9bdb28894332c5a74f696b4f94e4680c
- hash (SHA-1): e227e2e4a6ffb7280dfe7618be20514823d3e4f5
- hash (SHA-1): ee3795f6418fc0cacbe884a8eb803498c2b5776f
- hash (SHA-256): 469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f
- domain: dataupload.store
- domain: firstfromsep.online
- domain: safeup.store
- domain: writeup.live
- domain: support.us05web-zoom.cloud
- domain: support.us05web-zoom.forum
- domain: support.us05web-zoom.pro
- domain: support.us06web-zoom.online
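The list mixes three digest lengths and eight domains, four of which imitate Zoom's real usNNweb.zoom.us hosts. The following Python sweep is an added example, not tooling from the pulse or the SentinelOne report: it infers the algorithm from each digest's length, hashes files once for all three algorithms, matches resolver queries against the listed domains including their subdomains, and, as a generalisation beyond the page, flags any usNNweb-zoom lookalike label that is not yet on the list. The hash set carries three of the page's digests (one per algorithm) to keep the block short; the resolver log format and the sample log lines are constructed assumptions.

```python
"""Sweep hosts and DNS logs for the NimDoor indicators listed on this page.

Added example, not tooling from the pulse or the SentinelOne report. The hash
set holds three of the page's digests (one each of MD5, SHA-1, SHA-256); add
the rest the same way. The DNS log line format and the Zoom-lookalike pattern
are assumptions: the pattern generalises the listed support.usNNweb-zoom.<tld>
domains, which imitate Zoom's genuine usNNweb.zoom.us hosts with a hyphen.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

HASH_IOCS: Set[str] = {
    "13c07ccb4117bfba9921e45c39b10339",
    "023a15ac687e2d2e187d03e9976a89ef5f6c1617",
    "469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f",
}
DOMAIN_IOCS: Set[str] = {
    "dataupload.store", "firstfromsep.online", "safeup.store", "writeup.live",
    "support.us05web-zoom.cloud", "support.us05web-zoom.forum",
    "support.us05web-zoom.pro", "support.us06web-zoom.online",
}
# Assumed generalisation: a usNNweb-zoom label at the start of the name or
# after a dot. Zoom's genuine hosts (us05web.zoom.us) do not match.
ZOOM_LOOKALIKE = re.compile(r"(?:^|\.)us\d{2}web-zoom\.", re.IGNORECASE)

# The page does not label its digests; the algorithm follows from hex length.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"[0-9a-f]+")


def classify_hash(h: str) -> str:
    algo = HASH_ALGOS.get(len(h))
    if algo is None or not HEX.fullmatch(h.lower()):
        raise ValueError(f"not a hex MD5/SHA-1/SHA-256 digest: {h!r}")
    return algo


def digests(data: bytes) -> Dict[str, str]:
    """All three digests of in-memory content. usedforsecurity=False keeps MD5
    available on FIPS-restricted builds; we are matching IOCs, not protecting data."""
    return {a: hashlib.new(a, data, usedforsecurity=False).hexdigest()
            for a in HASH_ALGOS.values()}


def digests_of_file(path: Path, chunk: int = 1 << 20) -> Dict[str, str]:
    """Streamed variant of digests() so large files need not fit in memory."""
    hashers = {a: hashlib.new(a, usedforsecurity=False) for a in HASH_ALGOS.values()}
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_digests(d: Dict[str, str], iocs: Set[str] = HASH_IOCS) -> List[str]:
    """IOC digests equal to the file's digest under the same algorithm."""
    return sorted(h for h in iocs if d[classify_hash(h)] == h.lower())


def sweep_tree(root: Path, iocs: Set[str] = HASH_IOCS) -> List[Tuple[str, List[str]]]:
    """Hash every regular file under root and report IOC matches."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.is_symlink():
            continue
        try:
            hits = match_digests(digests_of_file(path), iocs)
        except OSError:
            continue
        if hits:
            findings.append((str(path), hits))
    return findings


def hostname_matches(host: str, iocs: Set[str] = DOMAIN_IOCS) -> bool:
    """Exact match or any subdomain of a listed domain (trailing dot tolerated)."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in iocs)


# Assumed resolver log format: "<timestamp> <client-ip> query <qname>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, reason) for listed domains and Zoom lookalikes."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        qname = m.group("qname")
        if hostname_matches(qname):
            hits.append((m.group("client"), qname, "ioc-domain"))
        elif ZOOM_LOOKALIKE.search(qname):
            hits.append((m.group("client"), qname, "zoom-lookalike"))
    return hits


# Constructed sample log lines (not from a real resolver): one genuine Zoom
# query, two listed domains (one as a subdomain) and one unlisted lookalike.
SAMPLE_DNS_LOG = [
    "2025-07-04T09:10:01Z 10.0.0.12 query us05web.zoom.us",
    "2025-07-04T09:10:07Z 10.0.0.12 query support.us05web-zoom.pro",
    "2025-07-04T09:11:30Z 10.0.0.31 query api.dataupload.store",
    "2025-07-04T09:12:02Z 10.0.0.31 query us07web-zoom.example",
    "2025-07-04T09:12:09Z 10.0.0.44 query github.com",
]
```

Typical use is `sweep_tree(Path.home())` on a suspect Mac and `scan_dns_log(open("resolver.log"))` centrally; a zoom-lookalike hit is a lead to verify against passive DNS or registration date before adding the domain to the block list, whereas an ioc-domain hit from any client should trigger the incident-response steps above.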
Technical Details
- Author: AlienVault
- TLP: WHITE
- References: https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware
- Adversary: DPRK
- Pulse ID: 6867a14ec736faf23ba172a2
- Threat Score: not set (null)
Threat ID: 6867a4e46f40f0eb729fc14a
Added to database: 7/4/2025, 9:54:44 AM
Last enriched: 7/4/2025, 10:09:42 AM
Last updated: 7/4/2025, 10:21:50 PM
Related Threats
- ThreatFox IOCs for 2025-07-04
- [Medium] Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset
- [Medium] Discovery of Qwizzserial: A New Android SMS Stealer Family
- [Medium] A flaw in Catwatchful spyware exposed logins of +62,000 users
- [Medium] Hunters International Ransomware Gang Rebrands as World Leaks