CoreKitAgent
CoreKitAgent is a trojan/dropper component used in North Korea-linked macOS intrusion chains associated with Lazarus Group sub-cluster BlueNoroff and the broader NimDoor/DownTroy activity targeting Web3, cryptocurrency, tech, and venture capital victims. It has been observed in social-engineering campaigns in which targets are lured via Telegram into fake Zoom or Microsoft Teams meetings and prompted to run a malicious "SDK update" script. In reported chains, CoreKitAgent is dropped or launched by Nim-based executables and is used in DownTroy v2 as a dropper to launch the Nimcore loader, which then launches AppleScript-based DownTroy (also referred to as NimDoor) to retrieve additional malicious scripts. Reporting also states CoreKitAgent monitors for user attempts to kill the malware process and helps ensure persistence. It is part of a multi-stage macOS malware ecosystem that includes AppleScript staging, persistence, command-and-control communications, and follow-on credential and data theft from browsers, Telegram, Keychain-related sources, and other applications. The activity has been attributed to DPRK-linked operators, with victims observed in Web3 and crypto-related organizations across multiple countries.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The researchers detail how NimDoor deploys two key binaries: a loader with the misspelled name GoogIe LLC (using an uppercase ‘i’ rather than lowercase ‘L’) and a trojan called CoreKitAgent.
DownTroy v2, which uses a dropper named CoreKitAgent to launch Nimcore loader, which then launches AppleScript-based DownTroy (aka NimDoor)...
Also dropped as part of the attacks is a collection of Nim-based executables that are used as a launchpad for CoreKitAgent, which monitors for user attempts to kill the malware process and ensures persistence.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Persistence: 1 technique
Privilege Escalation: 1 technique
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Dropper used in the DownTroy v2 chain to launch a loader (Nimcore), which then runs AppleScript-based DownTroy/NimDoor to retrieve additional scripts from an external server.
A macOS trojan/backdoor component in the NimDoor chain that uses a novel signal-based persistence approach: it waits for termination/reboot and then leverages termination signals to write out copies of itself, the loader, and a LaunchAgent for persistence. It also runs a hex-encoded AppleScript to beacon to hardcoded C2 and execute scripts returned by the server.
A Nim-based component in the NimDoor toolset that monitors for termination attempts and helps ensure persistence/resilience by triggering deployment of core components when defenders/users try to kill the malware.
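The persistence described above ends in a LaunchAgent plist and a look-alike binary name ("GoogIe LLC", with an uppercase I). The script below is an added defender-side example, not code from the page or from any vendor cited on it: it audits LaunchAgent plists for three traits the reporting mentions (a homoglyph in the label or program name, a program under a user-writable path, and RunAtLoad combined with KeepAlive so the agent relaunches after every termination). The two sample plists are constructed for the example and are not artifacts from the campaigns.

```python
import plistlib
import re

# Constructed sample LaunchAgent plists (illustrative only, not real campaign artifacts).
BENIGN_AGENT = plistlib.dumps({
    "Label": "com.apple.example.helper",
    "ProgramArguments": ["/usr/libexec/example-helper"],
    "RunAtLoad": True,
})

SUSPECT_AGENT = plistlib.dumps({
    "Label": "com.GoogIe.LLC.update",   # uppercase I imitating a lowercase l
    "ProgramArguments": [
        "/Users/demo/Library/Application Support/GoogIe LLC/update",
        "--daemon",
    ],
    "RunAtLoad": True,
    "KeepAlive": True,
})

# An uppercase I sitting inside a run of lowercase letters (e.g. "GoogIe") is the
# homoglyph trick the reporting describes; legitimate identifiers rarely look like this.
HOMOGLYPH = re.compile(r"[a-z]I[a-z]")

# Locations a normal user can write to without elevation.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def audit_launch_agent(raw: bytes) -> list[str]:
    """Return a list of findings for one LaunchAgent plist; an empty list means nothing was flagged."""
    plist = plistlib.loads(raw)
    label = str(plist.get("Label", ""))
    args = plist.get("ProgramArguments") or []
    program = str(plist.get("Program") or (args[0] if args else ""))
    findings: list[str] = []

    if HOMOGLYPH.search(label) or HOMOGLYPH.search(program):
        findings.append("look-alike name: uppercase I inside a lowercase word")

    in_user_home = program.startswith("/Users/") and "/Library/" in program
    if program.startswith(USER_WRITABLE_PREFIXES) or in_user_home:
        findings.append(f"program under a user-writable path: {program}")

    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: agent is relaunched after every termination")

    return findings


def audit_many(plists: dict[str, bytes]) -> dict[str, list[str]]:
    """Audit several plists keyed by file name, keeping only the ones with findings."""
    results = {name: audit_launch_agent(raw) for name, raw in plists.items()}
    return {name: found for name, found in results.items() if found}


if __name__ == "__main__":
    # On a live host one would read every *.plist under ~/Library/LaunchAgents instead.
    for name, found in audit_many({"benign.plist": BENIGN_AGENT,
                                   "suspect.plist": SUSPECT_AGENT}).items():
        print(name)
        for line in found:
            print("  -", line)
```

Each heuristic on its own produces false positives (many legitimate agents run at load from a user's Library folder), so the value is in the combination: an agent that trips all three is worth pulling the binary for, together with any process that wrote the plist shortly after a process termination.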