macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware
Executive Summary
- DPRK threat actors are utilizing Nim-compiled binaries and multiple attack chains in a campaign targeting Web3 and Crypto-related businesses.
- Unusually for macOS malware, the threat actors employ a process injection technique and remote communications via wss, the TLS-encrypted version of the WebSocket protocol.
- A novel persistence mechanism takes advantage of SIGINT/SIGTERM signal handlers to install persistence when the malware is terminated or the system is rebooted.
- The threat actors deploy AppleScripts widely, both to gain initial access and also later in the attack chain to function as lightweight beacons and backdoors.
- Bash scripts are used to exfiltrate Keychain credentials, browser data and Telegram user data.
- SentinelLABS’ analysis highlights novel TTPs and malware artifacts that tie together previously reported components, extending our understanding of the threat actors’ evolving playbook.
In April 2025, Huntabil.IT observed a targeted attack on a Web3 startup, attributing the incident to a DPRK threat actor group. Several …
IoC