North Korean Hackers Write Nim-Based Malware to Breach Web3 Companies
A Fresh Mac Threat: NimDoor
Security researchers at SentinelOne have uncovered a new malware toolkit, nicknamed NimDoor, that highlights how North Korean hacking crews keep reinventing themselves. Unlike many Mac threats, the malicious code is written in the Nim programming language and relies on process injection and encrypted WebSocket traffic to stay under the radar. Even its persistence mechanism is unusual: the malware hijacks the SIGINT and SIGTERM signals so that if a victim, or the operating system itself, tries to shut it down, a persistence routine quietly reinstalls the program.
Stealthy Social Engineering Opens the Door
The infection chain starts with friendly chat messages on apps such as Telegram. Posing as business partners, the attackers invite the target to set up a Zoom meeting through Calendly. A follow-up email contains what looks like an ordinary Zoom link and a script that claims to update the Zoom SDK. When the victim runs the script, an AppleScript behind the scenes downloads a second script from a remote server while still forwarding the user to a genuine Zoom redirect page. That second script unpacks a ZIP archive full of binaries, registers itself for autostart, and launches a Bash-based information stealer.
At the core sits a C++ loader identified as InjectWithDyldArm64. It decrypts two embedded files, "Target" and "trojan1_arm64", launches the former in a suspended state, and injects the latter's code before letting the process resume. From there, the malware talks to a command-and-control (C2) server, gathers system details, executes shell commands, and changes working directories on demand, all while quietly shipping results back to the operators.
More Payloads and the Role of CoreKitAgent
The injected component can download extra tools that scoop passwords from browsers such as Chrome, Brave, Edge, Firefox, and Arc, and even lift data from the Telegram desktop client. Another Nim-compiled binary, CoreKitAgent, watches for any attempt to kill the rogue process. If the user, or an antivirus program, terminates it, CoreKitAgent redeploys the core files, guaranteeing that the infection springs back to life. An AppleScript beacon, also part of the package, phones home every half-minute with a list of running processes and waits for fresh instructions.
ClickFix Evolves Under the Kimsuky Banner
While NimDoor targets macOS, a separate North Korean group, known in the industry as Kimsuky, has kept busy refining a Windows-focused ruse named ClickFix. South Korean firm Genians reports that since January 2025, the gang has lured national-security experts with spear-phishing messages disguised as interview requests. Victims receive a RAR archive that launches a Visual Basic script, opens a decoy Google Docs page, and then plants remote-access tools through scheduled tasks.
By March 2025, the same trick morphed into emails claiming to come from a senior U.S. security official, complete with a fake authentication workflow that prompted recipients to paste a code into their Run dialog. April brought yet another skin: emails impersonating a Japanese diplomat that asked targets to meet the Japanese ambassador. Each variation ultimately fires off an obfuscated PowerShell command that connects to C2 servers, harvests data, and downloads additional malware.
Fake Job Portals and Remote-Desktop Abuse
Kimsuky's creativity did not stop there. Investigators also found a counterfeit defense-research job site dotted with fraudulent vacancies. Clicking one of these listings pops up a ClickFix-style prompt that instructs the visitor to open the Windows Run box and execute a PowerShell line. The command installs Chrome Remote Desktop and funnels control back to servers hosted at domains such as kida.plusdocs.kro[.]kr. Misconfigurations on those servers exposed stolen files, including logs of South Korean victims and even a Chinese IP address tied to a keylogger that loaded BabyShark malware.
GitHub and Dropbox Become Malware Warehouses
Recent probes show Kimsuky using hard-coded GitHub Personal Access Tokens to pull malware, most notably the open-source trojan Xeno RAT, from private repositories and to upload stolen data in return. Other runs fetch malicious RTF documents from Dropbox, leveraging PowerShell downloaders to plant Xeno RAT or its offshoot, MoonPeak. These overlapping infrastructures underline how the group reuses trusted cloud services to sidestep corporate defenses.
A Rapidly Changing Threat Landscape
Statistics from NSFOCUS put Kimsuky and its offshoots among the busiest threat actors observed in May 2025. Together with Konni, they accounted for one in twenty advanced persistent threat incidents tracked that month. The pace of change, with new languages like Nim, novel persistence tricks, and an ever-growing family of social-engineering ploys, shows no sign of slowing. For organizations in the cryptocurrency and national-security arenas, the message is clear: keep patching, monitor those communication channels, and never assume an update prompt or meeting invite is as innocent as it looks.