NimDoor
NimDoor is a macOS malware family and backdoor campaign tracked by SentinelLABS/SentinelOne and attributed with high confidence to North Korea-linked threat actors, likely Stardust Chollima (also known as TA444, APT38, BlueNoroff), a financially motivated Lazarus subunit. It targets Web3 and cryptocurrency organizations and has been active since at least April 2025.
Initial access relies on targeted social engineering over Telegram and Calendly, where victims are invited to a business meeting and instructed to run a fake Zoom SDK update. The lure is commonly delivered as an AppleScript named zoom_sdk_support.scpt, padded with roughly 10,000 lines of whitespace (which pushes the functional code out of immediate view) and containing a notable "Zook" typo. That script retrieves additional stages from Zoom-themed spoofed infrastructure including support.us05web-zoom[.]pro, support.us05web-zoom[.]forum, support.us05web-zoom[.]cloud, and support.us06web-zoom[.]online, while also using a legitimate Zoom redirect link so the meeting still appears to work.
The infection chain uses an uncommon mix of AppleScript, Bash, C++, and Nim-compiled Mach-O binaries. One observed chain drops two binaries, a and installer, into /private/var/tmp. The C++ loader a (identified as InjectWithDyldArm64) decrypts two embedded binaries, Target and trojan1_arm64, launches the benign-looking Target with posix_spawn and the POSIX_SPAWN_START_SUSPENDED attribute, injects the trojan1_arm64 code into the suspended process, and resumes it with SIGCONT. This process-injection technique is rare on macOS because it depends on debugging entitlements: the injector needs com.apple.security.cs.debugger, and the process being injected must permit task access through com.apple.security.get-task-allow, so the attackers carry their own entitled binaries rather than relying on what is already installed.
The injected trojan1_arm64 payload communicates with command-and-control over TLS-encrypted WebSocket at wss://firstfromsep[.]online/client after an HTTP handshake, using layered RC4 encryption, base64 encoding, and multiple hardcoded keys. It supports arbitrary command execution, directory changes, working-directory queries, and system information collection. It also downloads and executes Bash scripts including upl and tlgrm. The upl script steals data from Arc, Brave, Firefox, Google Chrome, Microsoft Edge, Keychain files, and shell history, including /Library/Keychains/System.keychain, ~/Library/Keychains/login.keychain-db, ~/.bash_history, ~/.zsh_history, and ~/.zsh/. The tlgrm script steals Telegram local data including postbox/db and .tempkeyEncrypted. Both scripts exfiltrate to https://dataupload[.]store/uploadfiles.
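The C2 framing described above (layered RC4, base64, several hardcoded keys) is easy to get wrong when writing a traffic decoder, so here is an added example of how such layering is unwrapped. This is illustrative code written for this page, not NimDoor's code and not SentinelOne's tooling: the two keys, the layer order (RC4 then base64, applied once per key), and the JSON command envelope with an id, name and data field are assumptions; the sample's real keys and exact framing are not reproduced.

```python
"""Layered RC4 + base64 unwrapping of the kind used for NimDoor C2 traffic.

Added example: keys, layer order and the command envelope are assumed
placeholders, not values recovered from the malware.
"""
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Assumed hardcoded keys; the outermost layer uses the last key in the list.
KEYS = [b"inner-layer-key", b"outer-layer-key"]


def wrap(plaintext: bytes, keys=KEYS) -> bytes:
    """Apply RC4 then base64 once per key, innermost key first."""
    blob = plaintext
    for key in keys:
        blob = base64.b64encode(rc4(key, blob))
    return blob


def unwrap(blob: bytes, keys=KEYS) -> bytes:
    """Peel the layers in reverse: base64-decode, then RC4 with the outer key first."""
    data = blob
    for key in reversed(keys):
        data = rc4(key, base64.b64decode(data))
    return data


def decode_command(blob: bytes, keys=KEYS) -> dict:
    """Decode a wrapped tasking blob into a command dict (envelope shape assumed)."""
    return json.loads(unwrap(blob, keys))


# Constructed sample: an execCmd (ID 12) tasking as it might look once wrapped.
SAMPLE_COMMAND = {"id": 12, "name": "execCmd", "data": "whoami && sw_vers"}
SAMPLE_BLOB = wrap(json.dumps(SAMPLE_COMMAND).encode())

if __name__ == "__main__":
    print(SAMPLE_BLOB.decode())
    print(decode_command(SAMPLE_BLOB))
```

When adapting this to captured traffic, confirm the layer order empirically: base64-decoding the outer layer and looking for a second valid base64 alphabet after the RC4 pass is the quickest check that the key order is right, since RC4 with the wrong key yields bytes that almost never decode as base64.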
A second chain uses Nim-based components including installer, GoogIe LLC, and CoreKitAgent. The installer checks for ~/Library/LaunchAgents/com.google.update.plist, creates directories under ~/Library/CoreKit/ and ~/Library/Application Support/GoogIe LLC/, and writes hidden configuration data under /private/tmp/cfg or /private/tmp/.config. GoogIe LLC, whose name deceptively uses a capital "i" to resemble Google LLC, launches CoreKitAgent and later serves as the LaunchAgent program argument. CoreKitAgent reads the hidden config, writes the LaunchAgent plist com.google.update.plist, and stores a CLIENT_AUTH_KEY derived from the config.
NimDoor persistence is notable for a signal-based mechanism that reporting describes as the first seen on macOS. CoreKitAgent installs handlers for SIGINT and SIGTERM, so an attempt to terminate it instead triggers redeployment of the persistence artifacts: the LaunchAgent plist, a copy of GoogIe LLC, and a copy of itself, all with executable permissions set. The effect is that the malware respawns when killed with those signals. SIGKILL cannot be caught, so kill -9 still stops the process, but the artifacts already on disk will relaunch it at the next login or reboot unless they are removed first. CoreKitAgent also includes a 10-minute asynchronous sleep assessed as likely anti-VM or sandbox evasion.
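To make the response implication concrete, the following added example reproduces the signal-handler behaviour described above in Python and checks which signals it survives. It is not NimDoor's code: the artifact names are placeholders modelled on the reporting, they are written to a temporary directory rather than ~/Library/LaunchAgents, and the redeploy handler writes text files instead of binaries.

```python
"""Signal-handler persistence, and why SIGKILL plus artifact removal is the answer.

Added example mirroring the reported behaviour; artifact names are
placeholders and everything is written to a temp directory.
"""
import os
import signal
import tempfile
import time

# Hypothetical artifact names modelled on the reporting.
ARTIFACTS = ("com.google.update.plist", "GoogIe LLC", "CoreKitAgent")


def deploy(workdir: str) -> None:
    """Write placeholder persistence artifacts with the executable bit set."""
    for name in ARTIFACTS:
        path = os.path.join(workdir, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("placeholder\n")
        os.chmod(path, 0o755)


def artifacts_present(workdir: str) -> bool:
    return all(os.path.exists(os.path.join(workdir, n)) for n in ARTIFACTS)


def remove_artifacts(workdir: str) -> None:
    for name in ARTIFACTS:
        try:
            os.remove(os.path.join(workdir, name))
        except FileNotFoundError:
            pass


def install_handlers(workdir: str, counter: dict) -> None:
    """Trap SIGINT and SIGTERM: a termination attempt redeploys instead of stopping."""
    def handler(signum, frame):
        counter["redeploys"] += 1
        deploy(workdir)
    signal.signal(signal.SIGINT, handler)
    signal.signal(signal.SIGTERM, handler)


def restore_defaults() -> None:
    signal.signal(signal.SIGINT, signal.default_int_handler)
    signal.signal(signal.SIGTERM, signal.SIG_DFL)


def can_trap(signum: int) -> bool:
    """True if a handler can be installed for signum; SIGKILL and SIGSTOP cannot."""
    try:
        previous = signal.signal(signum, lambda s, f: None)
    except (OSError, ValueError):
        return False
    signal.signal(signum, previous)
    return True


def simulate_kill(workdir: str, signum: int) -> bool:
    """Wipe the artifacts, signal ourselves, and report whether they came back."""
    remove_artifacts(workdir)
    os.kill(os.getpid(), signum)
    # CPython runs the Python-level handler on the main thread at the next
    # bytecode boundary; the short wait only covers delivery to another thread.
    for _ in range(100):
        if artifacts_present(workdir):
            break
        time.sleep(0.01)
    return artifacts_present(workdir)


def demo() -> dict:
    """Run the scenario and return what a responder needs to know."""
    workdir = tempfile.mkdtemp(prefix="signal-persistence-demo-")
    counter = {"redeploys": 0}
    install_handlers(workdir, counter)
    try:
        deploy(workdir)
        result = {
            "sigterm_respawned": simulate_kill(workdir, signal.SIGTERM),
            "sigint_respawned": simulate_kill(workdir, signal.SIGINT),
            "sigkill_trappable": can_trap(signal.SIGKILL),
            "sigterm_trappable": can_trap(signal.SIGTERM),
            "redeploys": counter["redeploys"],
        }
    finally:
        restore_defaults()
        remove_artifacts(workdir)
        os.rmdir(workdir)
    return result


if __name__ == "__main__":
    print(demo())
```

The takeaway for containment order: unload and delete the LaunchAgent and the copies it points at first, then terminate with SIGKILL. Doing it the other way round, or using SIGTERM, gives the handler a chance to write everything back.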
CoreKitAgent decodes an embedded AppleScript, writes it to ~/.ses, and launches it via osascript. That AppleScript beacons every 30 seconds to hardcoded C2 domains including writeup[.]live and safeup[.]store, exfiltrates a process listing from the victim host, and executes server-supplied script content, functioning as both beacon and backdoor.
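The LaunchAgent, the GoogIe LLC homoglyph, the hidden config paths and the ~/.ses script described in the two sections above are all things a host triage script can check in one pass. The following is an added example for this page, not SentinelOne's detection logic: it parses LaunchAgent plists with plistlib, flags the reported label (assumed to equal the plist filename without .plist), flags program paths that only match a known vendor name after replacing capital I with lowercase l, and flags the hidden paths named in the reporting. Both plists below are constructed for the example, not real samples.

```python
"""Triage LaunchAgent plists for NimDoor-style artifacts.

Added example; brand list, label and path fragments come from the page's
description, the sample plists are constructed.
"""
import plistlib
import re

# Brands whose I/l look-alikes are worth flagging; extend for your environment.
KNOWN_BRANDS = {"google", "apple", "microsoft", "zoom", "mozilla", "adobe"}
# Assumed: Label equals the reported plist filename without the extension.
SUSPICIOUS_LABELS = {"com.google.update"}
# Hidden config, dropped AppleScript and staging directory named in the reporting.
SUSPICIOUS_PATH_FRAGMENTS = ("/.ses", "/private/tmp/.config", "/private/tmp/cfg", "/Library/CoreKit/")
TOKEN_SPLIT = re.compile(r"[\s/._-]+")


def homoglyph_brand(token: str):
    """Return the brand a token impersonates by using capital I for lowercase l, else None."""
    if token.lower() in KNOWN_BRANDS:
        return None  # spelled correctly, nothing to flag
    swapped = token.replace("I", "l").lower()
    return swapped if swapped in KNOWN_BRANDS else None


def triage_launch_agent(plist_bytes: bytes) -> list:
    """Return (finding, detail) tuples for one LaunchAgent plist."""
    plist = plistlib.loads(plist_bytes)
    findings = []
    label = plist.get("Label", "")
    if label in SUSPICIOUS_LABELS:
        findings.append(("known_label", label))
    programs = list(plist.get("ProgramArguments", []))
    if "Program" in plist:
        programs.insert(0, plist["Program"])
    for arg in programs:
        for token in sorted(set(TOKEN_SPLIT.split(arg))):
            brand = homoglyph_brand(token)
            if brand:
                findings.append(("homoglyph_vendor", f"{token} looks like {brand}: {arg}"))
        for frag in SUSPICIOUS_PATH_FRAGMENTS:
            if frag in arg:
                findings.append(("suspicious_path", arg))
    return findings


# Constructed sample modelled on the reported com.google.update.plist.
MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.google.update</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/victim/Library/Application Support/GoogIe LLC/GoogIe LLC</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed benign sample for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Example Sync.app/Contents/MacOS/example-sync</string>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, data in (("malicious", MALICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, triage_launch_agent(data))
```

On a real host, feed it every file under ~/Library/LaunchAgents and /Library/LaunchAgents; the homoglyph check is the part that generalizes beyond this family, since it catches any vendor directory that reads correctly only in a sans-serif font.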
Overall, NimDoor is a targeted macOS backdoor and information stealer focused on cryptocurrency and Web3 victims, with capabilities including staged payload delivery, process injection, LaunchAgent persistence, signal-handler-based self-reinstallation, WebSocket C2, arbitrary command execution, and theft of browser, Keychain, shell history, and Telegram data.
Groups observed using it
4 distinct threat actors attributed by public researchers.
North Korea-linked threat actors are targeting Web3 and crypto firms with NimDoor, a rare macOS backdoor disguised as a fake Zoom update.
Dubbed ‘NimDoor’, the attack chain begins when targets are lured via Telegram into accepting an invite to a business meeting. A malicious script is triggered by the meeting invite warning the victim that a “Zoom SDK update” is needed.
The cybersecurity company is tracking the malware components collectively under the name NimDoor.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
The attack chain begins with a now-familiar social engineering vector: impersonation of a trusted contact over Telegram and inviting the target to schedule a meeting via Calendly. The target is subsequently sent an email containing a Zoom meeting link and instructions to run a so-called “Zoom SDK update script”.
Execution (4 techniques)
Available commands we were able to identify in trojan1_arm64 included execCmd (command ID 12): execute the arbitrary command provided in the data field.
The threat actors deploy AppleScripts widely, both to gain initial access and also later in the attack chain to function as lightweight beacons and backdoors.
Persistence (3 techniques)
When the LaunchAgent is activated by a user login or reboot, GoogIe LLC is launched, which in turn calls CoreKitAgent and the rest of the payload logic.
A novel persistence mechanism takes advantage of SIGINT/SIGTERM signal handlers to install persistence when the malware is terminated or the system rebooted... When triggered, CoreKitAgent catches these signals and writes the LaunchAgent for persistence, a copy of GoogIe LLC as the loader, and a copy of itself as the trojan.
Privilege Escalation (4 techniques)
Target is spawned by InjectWithDyldArm64 in a suspended state... and injected with the trojan1_arm64 binary's code. After injection, the suspended Target process is resumed via kill(pid, SIGCONT) and the code from the trojan1_arm64 binary is executed.
The LaunchAgent activation and SIGINT/SIGTERM redeployment evidence listed under Persistence also maps here.
Stealth (4 techniques)
An attacker-controlled domain hosts an AppleScript file named zoom_sdk_support.scpt... This domain name format has been chosen for similarity to the legitimate Zoom meeting domain us05web.zoom[.]us... The misspelling of GoogIe LLC (uppercase ‘i’, not lowercase ‘L’) is intended to help the malware blend in and avoid suspicion.
The suspended-Target injection evidence listed under Privilege Escalation also maps here.
Credential Access (2 techniques)
Discovery (5 techniques)
On execution, the script beacons out every 30 seconds to one of the two hardcoded C2s, chosen at random, and attempts to post data obtained from listing all running processes on the victim machine.
getSysInfo (command ID 234): get information about the system such as boot time, username, macOS version, machine name, platform and arch.
The upl script is a credential-stealer designed to silently extract browser and system-level information... Browser data is copied to /private/var/tmp/uplex_<username>/<browser>/
Collection (2 techniques)
Command and Control (4 techniques)
Remote communications use wss, the TLS-encrypted version of the WebSocket protocol, and an AppleScript beacons out every 30 seconds to one of two hard-coded command-and-control (C2) servers.
After first negotiating an HTTP handshake, the injected code uses wss to communicate with the C2 – another uncommon technique for macOS malware – at wss://firstfromsep[.]online/client.
IOCs tracked for this family
34 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
NimDoor is a Nim-based macOS backdoor targeting Web3 and cryptocurrency platforms, attributed to North Korean threat actors.
NimDoor is a macOS malware campaign attributed to North Korea-affiliated threat actors, likely Stardust Chollima. It targets Web3 and cryptocurrency organizations using social engineering (fake Zoom updates via Telegram), AppleScript, and Nim/C++ binaries. The malware steals Keychain credentials, browser data, and Telegram information, employs process injection, and maintains persistence through novel signal handlers. It communicates with C2 servers via encrypted WebSockets and is designed to evade detection and hinder analysis.
A rare macOS backdoor written largely in Nim (with AppleScript and C++ components) delivered via fake Zoom update lures. It uses encrypted configuration/communications (including TLS WebSocket/wss C2), performs data theft (e.g., browser history, Keychain credentials, Telegram data), employs persistence (signal-handler based redeployment/reinfection), and includes a relatively uncommon macOS process injection technique requiring specific entitlements.
A macOS backdoor and stealer malware, disguised as a Zoom update, that uses signal-based persistence to respawn itself when killed. It steals system data, targets Telegram databases, and crypto-related information.