A recent investigation by SentinelLABS has revealed an attack campaign in which North Korean threat actors are using Nim-compiled malware to compromise organizations in the Web3 and cryptocurrency sectors.
The malware family, which the researchers have named NimDoor, stands out for its technical complexity and unusual programming language choices.
In April 2025, Huntabil.IT observed a targeted attack on a Web3 startup. The attack began with a familiar social-engineering pattern. An attacker posed as a trusted contact via Telegram and invited the victim to a Zoom call via Calendly. An email followed with a link to a supposed Zoom SDK update. However, this link led to a malicious AppleScript file. This file was deliberately padded with 10,000 empty lines to make analysis more difficult. It contained code that downloaded and executed a script from a domain that closely resembled a legitimate Zoom URL.
This initial access resulted in the installation of multiple malicious components. Among other things, a Mach-O file named ‘a’ was placed on the system. This binary was written in C++ and executed encrypted payloads that went beyond simple data collection. The ‘a’ binary performed code injection, a technique rarely seen in macOS malware, injecting another binary, ‘trojan1_arm64’, into a seemingly innocent process. This code then communicated with a command-and-control server via the secure WebSocket protocol (wss), applying multiple layers of encryption.
Encrypted configuration file
An essential aspect of this campaign is the use of Nim-compiled binaries such as ‘installer’, ‘GoogIe LLC’ (spelled with a capital ‘I’ in place of the lowercase ‘l’, so that it looks like ‘Google LLC’) and ‘CoreKitAgent’. The installer ensures persistence by creating LaunchAgents that automatically start malicious processes upon login. GoogIe LLC collects system information and writes an encrypted configuration file that CoreKitAgent later reads.
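The two indicators in this paragraph, a LaunchAgent that starts a binary from a user-writable location and a label that imitates a vendor name with a capital ‘I’ standing in for a lowercase ‘l’, can both be checked from the LaunchAgent plist alone. The following triage script is an added example written for this article; it is not code from SentinelLABS or from the malware. The two plists are constructed samples, and the label, path and trust-prefix list are assumptions chosen for illustration.

```python
import plistlib
import re
from typing import Dict, List

# Constructed sample LaunchAgent plists (not taken from the report).
# The first mimics a vendor-like label spelled with capital I for lowercase l.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "com.GoogIe.LLC.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.GoogIe.LLC</string>
  <key>Program</key><string>/Users/victim/Library/Application Support/GoogIe LLC/GoogIe LLC</string>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>""",
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>""",
}

# A capital I wedged between lowercase letters ("GoogIe") is a common l/I homoglyph trick.
HOMOGLYPH_RE = re.compile(r"[a-z]I(?=[a-z]|$)")

# Assumed set of locations from which a LaunchAgent program is considered expected.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def program_path(plist: dict) -> str:
    """Return the executable a LaunchAgent starts (Program or first ProgramArguments entry)."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage_launch_agent(name: str, data: bytes) -> List[str]:
    """Return human-readable findings for one LaunchAgent plist; empty list means nothing suspicious."""
    plist = plistlib.loads(data)
    findings: List[str] = []
    label = str(plist.get("Label", ""))
    path = program_path(plist)

    if HOMOGLYPH_RE.search(label):
        findings.append(f"{name}: label {label!r} uses capital I inside a lowercase word (possible l/I homoglyph)")
    if HOMOGLYPH_RE.search(path):
        findings.append(f"{name}: program path {path!r} uses capital I inside a lowercase word")
    if path and not path.startswith(TRUSTED_PREFIXES):
        findings.append(f"{name}: program {path!r} lives outside expected locations")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append(f"{name}: RunAtLoad + KeepAlive keeps the program running and restarts it if killed")
    return findings


def triage_all(plists: Dict[str, bytes] = SAMPLE_PLISTS) -> Dict[str, List[str]]:
    """Run the triage over every plist and map file name to its findings."""
    return {name: triage_launch_agent(name, data) for name, data in plists.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, "->", findings or "clean")
```

On a real system the same function can be fed the contents of each file under ~/Library/LaunchAgents; the checks are heuristics, so a hit is a prompt for manual review rather than a verdict.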
CoreKitAgent is the most complex component of the NimDoor malware. It works as an event-driven application based on the macOS kqueue mechanism. What makes this binary exceptional is its ability to intercept termination signals. When a user attempts to terminate the process via Terminal, for example, CoreKitAgent intercepts this signal (SIGINT or SIGTERM) and immediately performs a reinstallation procedure. This keeps the malicious components active even after removal attempts.
In addition, CoreKitAgent decodes a hidden AppleScript that generates outgoing network traffic every 30 seconds to hardcoded servers such as writeup[.]live and safeup[.]store. The script collects information about active processes and executes commands it receives from the server, functioning as a lightweight backdoor.
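A fixed 30-second check-in to a small set of domains is a strong network-side signal regardless of which server names are in use. The following detector is an added example written for this article, not code from SentinelLABS; it parses a constructed DNS query log, groups queries per domain and flags any domain whose inter-query gaps are nearly constant. The log format, host name and timestamps are assumptions, and the detector generalises beyond the 30-second case described above: it reports the observed median interval for any regular beacon.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed DNS query log (timestamps and host are invented; the two flagged
# domains are the hardcoded servers named in the report, written unbracketed).
SAMPLE_LOG: List[str] = [
    "2025-04-10T12:00:00Z mac-01 dns query writeup.live",
    "2025-04-10T12:00:05Z mac-01 dns query updates.example.com",
    "2025-04-10T12:00:07Z mac-01 dns query updates.example.com",
    "2025-04-10T12:00:30Z mac-01 dns query writeup.live",
    "2025-04-10T12:01:00Z mac-01 dns query writeup.live",
    "2025-04-10T12:01:31Z mac-01 dns query writeup.live",
    "2025-04-10T12:01:40Z mac-01 dns query updates.example.com",
    "2025-04-10T12:02:00Z mac-01 dns query writeup.live",
    "2025-04-10T12:02:03Z mac-01 dns query updates.example.com",
    "2025-04-10T12:02:04Z mac-01 dns query updates.example.com",
    "2025-04-10T12:02:30Z mac-01 dns query writeup.live",
    "2025-04-10T12:02:50Z mac-01 dns query updates.example.com",
    "2025-04-10T12:03:00Z mac-01 dns query safeup.store",
    "2025-04-10T12:03:30Z mac-01 dns query safeup.store",
]

# Assumed log line shape: "<ISO-8601 timestamp> <host> dns query <domain>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) dns query (?P<domain>\S+)$")


def parse_timestamps(lines: List[str]) -> Dict[str, List[datetime]]:
    """Group query timestamps by queried domain, ignoring lines that do not match."""
    by_domain: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        by_domain[m["domain"]].append(ts)
    return by_domain


def find_beacons(lines: List[str], min_hits: int = 5,
                 max_jitter: float = 2.0) -> Dict[str, Tuple[float, float]]:
    """Return {domain: (median_gap_seconds, jitter_seconds)} for domains queried at a near-constant interval.

    A domain needs at least min_hits queries; the population standard deviation of the
    gaps between consecutive queries must be at or below max_jitter seconds.
    """
    beacons: Dict[str, Tuple[float, float]] = {}
    for domain, stamps in parse_timestamps(lines).items():
        if len(stamps) < min_hits:
            continue  # too few observations to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        jitter = statistics.pstdev(gaps)
        if jitter <= max_jitter:
            beacons[domain] = (median_gap, jitter)
    return beacons


if __name__ == "__main__":
    for domain, (gap, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{domain}: beacon every ~{gap:.0f}s (jitter {jitter:.2f}s)")
```

With the sample above only writeup.live is reported (safeup.store has too few queries to judge, and the update-check traffic is irregular); lowering min_hits trades false positives for earlier detection.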
In the final stage of the attack, two bash scripts are executed: “upl” and “tlgrm.” The upl script collects browser data (including passwords), Keychain files, and shell histories, and sends them to a central server. Tlgrm specifically targets the Telegram database and associated encryption key, presumably to read or decrypt victims’ private messages.
The NimDoor attack campaign shows that North Korean hackers are continuing to expand their toolkit. By choosing lesser-known programming languages such as Nim and using techniques that analysts rarely see in macOS malware, such as signal-based persistence and wss communication, they are able to evade detection and maintain long-term access to systems.