
🚨 North Korean Hackers Deploy “NimDoor” macOS Malware via Fake Zoom Updates

Security researchers at SentinelOne have uncovered a sophisticated attack campaign involving North Korean threat actors, linked to the BlueNoroff/Lazarus APT group, targeting Web3 and cryptocurrency firms. The attackers use fake Zoom SDK update scripts to trick macOS users into installing a rare Nim-compiled backdoor dubbed NimDoor.

🧠 The Social Engineering Setup

  • Victims are contacted on Telegram by someone posing as a trusted peer and invited to schedule a meeting via Calendly.

  • They then receive an email with a "Zoom meeting" link and instructions to run a Zoom SDK update. The script is heavily obfuscated and padded with thousands of blank lines so that its small malicious body is easy to miss on a casual read.


🛠 Infection Chain & Techniques

  1. AppleScript Downloader
    A malicious AppleScript triggers the download of a second-stage payload from a spoofed Zoom domain.

  2. Dual‑Channel Loaders

    • A C++ loader (InjectWithDyldArm64) uses process injection on macOS to deploy trojan payloads like trojan1_arm64 that steal browser, Keychain, shell, and Telegram data.

    • A Nim-compiled loader drops two backdoors masquerading as legitimate macOS services: GoogIe LLC (an uppercase "I" stands in for the lowercase "l" in "Google") and CoreKitAgent.

  3. Advanced Persistence

    • The Nim backdoors use kqueue for event-driven operations and install SIGINT/SIGTERM handlers that re-establish persistence and relaunch the backdoor when it is terminated, so it survives both process kills and system reboots. Note that SIGKILL cannot be intercepted by a handler, but killing the process alone is not enough: the on-disk persistence component must be removed as well, or the backdoor returns at the next start.

    • They communicate with C2 servers over encrypted WebSocket (wss) and use AppleScript beacons to check in every 30 seconds.

  4. Data Exfiltration
    Bash scripts harvest sensitive user data, including Keychain credentials, browser history, and Telegram chats.


🌍 Why This Attack Is Notably Dangerous

  • Uncommon Nim Language: Nim is rarely used in malware, so analysts and signature-based tooling see its runtime and binary layout infrequently, which makes analysis and detection harder.

  • Multi-Stage Obfuscation: Each stage blends scripting with compiled binaries to evade traditional antivirus and sandbox detection.

  • Crypto Industry Focus: By targeting Web3 and crypto firms, the malware is designed to harvest high-value digital credentials.

🛡 What Organizations Should Do

  • Security Awareness Training: Teach employees to be wary of Zoom update prompts, especially those arriving via email or Telegram. Zoom delivers client updates from within the application, not through scripts sent by meeting contacts.

  • Endpoint Protection: Use tools capable of detecting unusual binaries (especially Nim-based ones), process injection behaviors, and osascript or curl launches that fetch remote content.

  • Script Restrictions: macOS has no setting that limits AppleScript to signed sources, so treat osascript execution as a monitored event, block unsigned downloaded binaries with Gatekeeper and MDM policy, and restrict who can run arbitrary scripts on high-value workstations.

  • Network Monitoring: Watch for unexpected WebSocket traffic to unfamiliar C2 servers, and in particular for fixed-interval connections from unfamiliar processes.

  • Cross-Platform Collaboration: Share IOCs and attack analyses across crypto/Web3 communities to strengthen collective defenses.
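The following is an added detection example, not code from the original post or from SentinelOne's analysis. It runs over constructed macOS telemetry and checks for three of the behaviors described in the infection chain and the defensive recommendations above: an osascript process spawning curl toward a lookalike Zoom host, a process name that matches a known vendor only after swapping an uppercase "I" for a lowercase "l", and fixed-interval WebSocket connections from a single process. The event format, the hosts (zoom-sdk-update.example, c2.example) and the timestamps are all assumptions made for the example; the real spoofed domain and C2 are not named on this page.

```python
"""Toy detection pass for the NimDoor TTPs described above.
All events, hosts and timestamps below are constructed for illustration."""
import statistics
from dataclasses import dataclass


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed)
    kind: str          # "exec" (process start) or "net" (outbound connection)
    process: str       # process name
    parent: str = ""   # parent process name, for exec events
    host: str = ""     # remote host in the URL or connection
    scheme: str = ""   # "wss", "https", ...


LEGIT_VENDORS = {"Google", "Apple", "Zoom"}


def lookalike_zoom_host(host):
    """True when 'zoom' appears in the host but it is not under the real zoom.us zone."""
    h = host.lower()
    return "zoom" in h and not (h == "zoom.us" or h.endswith(".zoom.us"))


def homoglyph_vendor(name):
    """Return the vendor a process name impersonates via the 'GoogIe' trick
    (uppercase I in place of lowercase l), or None if the name is clean."""
    parts = name.split()
    first = parts[0] if parts else name
    if first in LEGIT_VENDORS:
        return None
    fixed = first.replace("I", "l")
    return fixed if fixed in LEGIT_VENDORS else None


def script_downloader(events):
    """osascript spawning curl toward a lookalike Zoom host (the AppleScript stage)."""
    return [e for e in events
            if e.kind == "exec" and e.parent == "osascript"
            and e.process == "curl" and lookalike_zoom_host(e.host)]


def beacons(events, min_conns=4, max_jitter=2.0):
    """Group net events by (process, host, scheme) and flag near-constant intervals.
    Returns {key: mean_gap_seconds} for flagged groups."""
    by_key = {}
    for e in events:
        if e.kind == "net":
            by_key.setdefault((e.process, e.host, e.scheme), []).append(e.ts)
    flagged = {}
    for key, stamps in by_key.items():
        stamps.sort()
        if len(stamps) < min_conns:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter:
            flagged[key] = round(statistics.mean(gaps), 1)
    return flagged


# Constructed telemetry: one malicious chain plus normal Safari traffic to the real zoom.us.
T0 = 1_700_000_000
EVENTS = (
    [
        Event(T0, "exec", "osascript", parent="zsh"),
        Event(T0 + 1, "exec", "curl", parent="osascript", host="zoom-sdk-update.example"),
        Event(T0 + 5, "exec", "CoreKitAgent", parent="launchd"),
        Event(T0 + 6, "exec", "GoogIe LLC", parent="launchd"),
    ]
    + [Event(T0 + 10 + 30 * i, "net", "CoreKitAgent", host="c2.example", scheme="wss")
       for i in range(6)]
    + [Event(T0 + t, "net", "Safari", host="www.zoom.us", scheme="https")
       for t in (3, 17, 44, 120, 121, 300)]
)


def run(events=EVENTS):
    """Apply all three checks and return a summary dict."""
    return {
        "script_downloader": [e.host for e in script_downloader(events)],
        "homoglyph_processes": {e.process: homoglyph_vendor(e.process)
                                for e in events
                                if e.kind == "exec" and homoglyph_vendor(e.process)},
        "beacons": {f"{p}->{s}://{h}": gap
                    for (p, h, s), gap in beacons(events).items()},
    }


if __name__ == "__main__":
    for check, result in run().items():
        print(check, result)
```

The beacon check deliberately keys on jitter rather than on a specific 30-second period, since an operator can change the interval far more easily than the regularity of a timer-driven loop; Safari's irregular connections to the real zoom.us are not flagged, while the constant-interval wss connections are.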


🧭 Final Thoughts

The NimDoor campaign shows how determined attackers can combine social engineering, obscure programming languages, and advanced macOS techniques to deliver persistent, hard-to-detect malware, all wrapped in a seemingly benign Zoom update.

