North Korean Hackers Deploy NimDoor Malware to Target Crypto Firms via Fake Zoom Update
July 2, 2025
A new macOS malware named NimDoor is being utilized by North Korean hackers to target web3 and cryptocurrency organizations.
The attack chain begins with social engineering tactics, where victims are contacted via Telegram and lured into executing a malicious Zoom SDK update.
These malicious scripts, disguised as legitimate Zoom SDK updates, are heavily padded with filler content to evade detection while fetching additional malware from look-alike domains that mimic legitimate ones.
NimDoor is composed of C++ and Nim-compiled binaries, with key components including an installer, a data collection module named 'GoogIe LLC', and 'CoreKitAgent'.
The most sophisticated element, 'CoreKitAgent', is an event-driven binary that relies on macOS's kqueue event-notification mechanism to manage its execution.
To protect against such threats, users are advised to avoid executing unexpected scripts, keep their systems updated, and implement strong security practices.
Once installed, NimDoor maintains persistent access through Mach-O binaries and advanced techniques like process injection and encrypted communications.
Researchers have noted that NimDoor employs a novel persistence mechanism, allowing it to reinstall itself if terminated or if the system is rebooted.
The malware communicates with attacker infrastructure every 30 seconds, exfiltrating sensitive data and executing remote commands, effectively acting as a backdoor.
NimDoor's use of multiple programming languages, including AppleScript, Bash, C++, and Nim, adds to its complexity and makes it more advanced than typical macOS threats.
The downloaded malware establishes an encrypted connection with a command-and-control server, facilitating ongoing communication with the attackers.
Users should be cautious about software downloads from unreliable sources and inspect URLs carefully to avoid falling victim to such sophisticated attacks.
Summary based on 5 sources
Sources

BleepingComputer • Jul 2, 2025
NimDoor crypto-theft macOS malware revives itself when killed
9to5Mac • Jul 2, 2025
macOS malware targets crypto startups with fake Zoom update - 9to5Mac
The Hacker News • Jul 2, 2025
North Korean Hackers Target Web3 with Nim Malware and Use ClickFix in BabyShark Campaign
Macworld • Jul 2, 2025
High-tech Mac malware hides itself in fake Zoom update