NimDoor macOS Malware
Verticals Targeted: Cryptocurrency
Regions Targeted: Not Specified
Related Families: None
Executive Summary
NimDoor is a sophisticated macOS malware family deployed by North Korea-linked threat actors, likely Stardust Chollima, against Web3 and cryptocurrency organizations. Built from Nim and C++ binaries plus AppleScript, and delivered through social engineering with fake Zoom updates, it uses process injection, WebSocket-based command and control, and signal-handler-based persistence to steal sensitive data.
Key Takeaways
- NimDoor is written in Nim, a language rarely seen in macOS malware; Nim's compile-time function execution lets code run during compilation and interleave with runtime logic, which complicates static analysis and signature-based detection.
- Attackers impersonate trusted contacts via Telegram, luring victims with fake Zoom SDK update scripts.
- The binaries install handlers for SIGINT and SIGTERM: when the process is killed, the handler reinstalls the malware's persistence and respawns it, so neither terminating the process nor rebooting removes it.
- Bash scripts steal Keychain credentials, browser data, and Telegram user information.
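The signal-handler persistence in the takeaways above, shown as an added Python example that is not NimDoor's code and not from SentinelOne's report. It assumes the persistence mechanism is a per-user LaunchAgent plist (the standard macOS per-user autostart); the label `com.example.demo-updater` and program path `/tmp/demo-updater` are placeholders, and everything is written under a temporary directory rather than the real `~/Library/LaunchAgents`. `simulate_termination` arms the handlers, deletes the plist as a responder would, sends SIGTERM to the running process and reports whether the plist came back; `inspect_launch_agents` is the defender's view of the same directory.

```python
"""Added example: re-arming persistence from a SIGINT/SIGTERM handler,
plus the fields a defender would inspect. Not NimDoor's own code.

Assumption (labelled): persistence is a LaunchAgent plist. Label and
program path below are placeholders; all files go to a temp directory.
"""
import os
import plistlib
import signal
import tempfile
import threading
import time

DEMO_LABEL = "com.example.demo-updater"   # hypothetical label for the demo
DEMO_PROGRAM = "/tmp/demo-updater"        # placeholder path, not a real binary

_state = {"agents_dir": None, "rearm_count": 0}


def write_launch_agent(agents_dir, label=DEMO_LABEL, program=DEMO_PROGRAM):
    """Write a LaunchAgent plist that starts `program` at login (RunAtLoad,
    so it survives reboot) and has launchd restart it if it exits (KeepAlive)."""
    payload = {
        "Label": label,
        "ProgramArguments": [program],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    path = os.path.join(agents_dir, label + ".plist")
    with open(path, "wb") as fh:
        plistlib.dump(payload, fh)
    return path


def _rearm_handler(signum, frame):
    """Runs on SIGINT/SIGTERM: re-create persistence instead of just dying.
    Real malware would also respawn itself; here we only re-write the plist."""
    _state["rearm_count"] += 1
    write_launch_agent(_state["agents_dir"])


def arm_signal_handlers(agents_dir):
    """Install the re-arm handler for SIGINT and SIGTERM; return previous handlers."""
    _state["agents_dir"] = agents_dir
    previous = {}
    for sig in (signal.SIGINT, signal.SIGTERM):
        previous[sig] = signal.signal(sig, _rearm_handler)
    return previous


def restore_signal_handlers(previous):
    for sig, handler in previous.items():
        signal.signal(sig, handler)


def simulate_termination(agents_dir):
    """Arm handlers, delete the plist (as a responder might), SIGTERM ourselves,
    and report whether the plist reappeared."""
    plist_path = write_launch_agent(agents_dir)
    if threading.current_thread() is not threading.main_thread():
        # Python only allows signal handlers on the main thread; fall back to
        # invoking the handler directly so the demo still shows the re-arm.
        os.remove(plist_path)
        _rearm_handler(signal.SIGTERM, None)
        return os.path.exists(plist_path)
    previous = arm_signal_handlers(agents_dir)
    try:
        os.remove(plist_path)
        os.kill(os.getpid(), signal.SIGTERM)
        # The Python-level handler runs at the next bytecode boundary.
        for _ in range(10):
            if os.path.exists(plist_path):
                break
            time.sleep(0.01)
    finally:
        restore_signal_handlers(previous)
    return os.path.exists(plist_path)


def inspect_launch_agents(agents_dir):
    """Defender view: (label, program, run_at_load, keep_alive) per plist, the
    fields to compare against the known-good agents on a host."""
    findings = []
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(agents_dir, name), "rb") as fh:
            p = plistlib.load(fh)
        args = p.get("ProgramArguments") or [p.get("Program", "")]
        findings.append((p.get("Label"), args[0],
                         bool(p.get("RunAtLoad")), bool(p.get("KeepAlive"))))
    return findings


def run_demo():
    """Run the whole demo in a throwaway directory; returns (rearmed, findings)."""
    with tempfile.TemporaryDirectory() as agents_dir:
        rearmed = simulate_termination(agents_dir)
        findings = inspect_launch_agents(agents_dir)
    return rearmed, findings


if __name__ == "__main__":
    rearmed, findings = run_demo()
    print("plist re-created after SIGTERM:", rearmed)
    for entry in findings:
        print(entry)
```

The practical consequence for responders: killing the process is not enough, and unloading or deleting the LaunchAgent while the process is still alive is also not enough, because the handler recreates it. Suspend or kill with SIGKILL (which cannot be caught), then remove the plist and binary.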
What is NimDoor?
SentinelOne identified NimDoor, a macOS malware campaign by North Korea-affiliated threat actors, likely Stardust Chollima, targeting Web3 and cryptocurrency organizations. The malware has been active since at least April 2025. NimDoor, named for its Nim-compiled binaries, represents an evolution …