Ethical Hacking News

North Korea-Linked Threat Actors Unleash macOS NimDoor Malware via Fake Zoom Updates



North Korea-linked threat actors have been actively spreading a malicious piece of malware, dubbed NimDoor, via fake Zoom updates on macOS systems. This latest attack highlights the growing threat posed by state-sponsored hackers and their ability to adapt and evolve their tactics. The malware is designed to steal sensitive data from cryptocurrency firms and other Web3 businesses, employing complex encryption techniques and process injection methods to evade detection.

  • North Korea-linked threat actors have spread a malicious piece of malware, NimDoor, via fake Zoom updates on macOS systems.
  • The malware is designed to steal sensitive data from cryptocurrency firms and other Web3 businesses.
  • The attack uses encrypted communications and complex encryption techniques, making it challenging for security researchers to analyze and track.
  • The malware steals browser history and Keychain credentials, and employs a process injection technique to persist on systems even after an attempt is made to terminate it.
  • North Korea-linked threat actors have been using a unique combination of languages, including Nim, AppleScript, and C++.
  • The attack chain starts with fake Zoom invites via Telegram and Calendly, which trick victims into installing the malicious software.
  • The malware uses rare macOS injection, complex encryption, and WebSocket C2 comms to exfiltrate system and user data.



    North Korea-linked threat actors have once again demonstrated their sophistication by spreading a malicious piece of malware, dubbed NimDoor, via fake Zoom updates on macOS systems.

    According to recent reports from SentinelOne, a leading cybersecurity firm, North Korea-linked threat actors have been actively spreading NimDoor, a rare backdoor malware that is designed to steal sensitive data from cryptocurrency firms and other Web3 businesses. The malware is particularly noteworthy for its use of encrypted communications and complex encryption techniques, making it challenging for security researchers to analyze and track.

    The attack appears to have begun with the distribution of fake Zoom updates via Calendly or Telegram, which tricked victims into installing the malicious software. Once installed, NimDoor proceeds to steal sensitive data from the compromised system, including browser history and Keychain credentials. The malware also employs a process injection technique, which allows it to persist on systems even after an attempt is made to terminate it.

    Furthermore, SentinelOne's analysis revealed that North Korea-linked threat actors have been using a unique combination of languages, including Nim, AppleScript, and C++. This unusual mix of languages makes NimDoor particularly difficult to analyze and understand, as it employs complex functions and compilation techniques to evade detection.

    The attack chain in recent NimDoor attacks starts with fake Zoom invites via Telegram and Calendly. Victims receive a script named “zoom_sdk_support.scpt” with 10,000 lines of padding and a typo (“Zook”) that hides its true function. The script fetches a second-stage payload from lookalike domains like support.us05web-zoom[.]forum, mimicking real Zoom URLs. This launches the core malware, signaling a broader, targeted campaign with custom links per victim.

    Threat actors dropped two Mach-O binaries (‘a’ in C++, ‘installer’ in Nim) to /tmp, triggering separate infection chains. The ‘a’ binary decrypted a data-theft payload targeting browser and Telegram data, while the installer ensured persistence with deceptive Nim binaries. The malware used rare macOS injection, complex encryption, and WebSocket C2 comms to exfiltrate system and user data.

    In a recent analysis by SentinelLABS, it was discovered that the process injection technique employed by NimDoor requires specific entitlements to be performed; in this case, the InjectWithDyldArm64 binary has the following entitlements to allow the injection:

    com.apple.security.cs.debugger
    com.apple.security.get-task-allow
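    A defender can turn the entitlement pair above into a triage check. The following is an added example, not code from the article or from SentinelOne: it parses the XML plist that an entitlements dump such as `codesign -d --entitlements :- <binary>` produces (the exact output layout is an assumption) and flags a binary only when both entitlements are present, since `get-task-allow` alone is normal for locally built debug apps.

```python
import plistlib

# The two entitlements the article reports on the InjectWithDyldArm64 binary.
# Together they let a process attach to and inject into other processes.
INJECTION_ENTITLEMENTS = {
    "com.apple.security.cs.debugger",
    "com.apple.security.get-task-allow",
}


def parse_entitlements(plist_text: str) -> dict:
    """Parse an entitlements XML plist (e.g. codesign -d --entitlements :- output)."""
    start = plist_text.find("<?xml")  # tolerate any leading non-plist text
    if start == -1:
        return {}
    return plistlib.loads(plist_text[start:].encode("utf-8"))


def flagged_entitlements(entitlements: dict) -> list:
    """Return the injection-related entitlements that are set to true, sorted."""
    return sorted(k for k in INJECTION_ENTITLEMENTS if entitlements.get(k) is True)


def assess(plist_text: str) -> dict:
    """Flag a binary as injection-capable only when both entitlements are present."""
    flagged = flagged_entitlements(parse_entitlements(plist_text))
    return {"flagged": flagged, "injection_capable": len(flagged) == len(INJECTION_ENTITLEMENTS)}


# Constructed sample: what an entitlements dump would look like for a binary
# carrying both entitlements. Not captured from real malware.
SAMPLE_SUSPICIOUS = """Executable=/tmp/sample
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.debugger</key><true/>
  <key>com.apple.security.get-task-allow</key><true/>
</dict></plist>
"""

# Constructed sample: a debug build with only get-task-allow, which is common
# for locally built apps and should not be flagged on its own.
SAMPLE_BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.get-task-allow</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    print("suspicious:", assess(SAMPLE_SUSPICIOUS))
    print("benign:", assess(SAMPLE_BENIGN))
```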

    The two payloads maintain persistence by using signal handlers to catch SIGINT and SIGTERM termination signals and redeploy core malware components. These are the signals a user or the system sends when attempting to terminate a process.

    SentinelOne notes that North Korea-aligned threat actors have previously experimented with Go and Rust, similarly combining scripts and compiled binaries into multi-stage attack chains. However, Nim's unique ability to execute functions during compilation time allows attackers to blend complex behavior into a binary with less obvious control flow, resulting in compiled binaries where developer code and Nim runtime code are intermingled even at the function level.

    This latest attack highlights the growing threat posed by state-sponsored hackers and their ability to adapt and evolve their tactics. As security researchers continue to analyze and understand the tactics, techniques, and procedures (TTPs) employed by North Korea-linked threat actors, it is essential to remain vigilant and implement effective countermeasures to prevent similar attacks in the future.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/North-Korea-Linked-Threat-Actors-Unleash-macOS-NimDoor-Malware-via-Fake-Zoom-Updates-ehn.shtml

  • https://securityaffairs.com/179643/malware/north-korea-linked-threat-actors-spread-macos-nimdoor-malware-via-fake-zoom-updates.html


  • Published: Sat Jul 5 13:00:37 2025 by llama3.2 3B Q4_K_M