NimDoor
NimDoor is a DPRK-linked macOS malware family and backdoor used by North Korean state-sponsored threat actors in campaigns targeting Web3 and cryptocurrency organizations. Reported targeting includes Web3 startups, crypto-related businesses, and crypto platforms. SentinelLABS grouped the malware family under the name NimDoor, and related reporting cited similar attack chains attributed to DPRK actors. The observed intrusion chain used social engineering via Telegram and Calendly, followed by delivery of a fake Zoom SDK update AppleScript from Zoom-themed spoofed infrastructure. The campaign used a mix of AppleScript, Bash, C++, and Nim components. One execution path deployed a C++ loader that decrypted embedded binaries, spawned a benign-looking target process in a suspended state, and injected a payload using macOS process injection via posix_spawn with POSIX_SPAWN_START_SUSPENDED and SIGCONT. The injected payload communicated with command-and-control over WSS and supported command execution, directory changes, working-directory discovery, and system information collection. It also downloaded Bash scripts that stole data from Arc, Brave, Firefox, Google Chrome, and Microsoft Edge, as well as Keychain material, shell history, and Telegram local encrypted database data, with exfiltration to attacker-controlled infrastructure. A second execution chain used Nim-based binaries including installer, GoogIe LLC, and CoreKitAgent. These components established persistence through a LaunchAgent and hidden configuration files under /private/tmp and user library paths. CoreKitAgent used macOS kqueue and asynchronous Nim execution, included a 10-minute sleep assessed as likely anti-VM or sandbox evasion, and overrode SIGINT and SIGTERM so that termination attempts triggered persistence deployment. CoreKitAgent also decoded and launched an AppleScript backdoor that beaconed every 30 seconds to randomly selected C2 domains and executed server responses via run script. The campaign demonstrates DPRK operators using Nim and other less familiar languages to complicate macOS malware analysis and improve stealth. Known aliases directly reflected in the content: NimDoor.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
- Financial Services
Where they're from
Attributed origin per open-source reporting.
- KP
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A North Korean macOS backdoor malware family targeting Web3 and cryptocurrency platforms, part of DPRK's evolving macOS malware playbook.
Backdoor malware used by North Korean state-sponsored hackers to target crypto platforms.
A DPRK-linked macOS intrusion set targeting Web3 and cryptocurrency organizations using social engineering, fake Zoom update lures, AppleScript, C++ and Nim binaries, process injection, WSS-based C2, credential and Telegram data theft, and persistence via LaunchAgents and signal-handler-triggered installation.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.