North Korean Hackers Write Nim-Based Malware to Breach Web3 Companies

A Fresh Mac Threat: NimDoor

Security researchers at SentinelOne have uncovered a new malware toolkit, nicknamed NimDoor, that highlights how North Korean hacking crews keep reinventing themselves. Unlike many Mac threats, the malicious code is written in the Nim programming language and relies on process injection and encrypted WebSocket traffic to stay under the radar. Even its method of surviving reboots is unusual: the malware hijacks SIGINT and SIGTERM signals so that if a victim—or the operating system itself—tries to shut it down, a persistence routine quietly reinstalls the program.

Stealthy Social Engineering Opens the Door

The infection chain starts with friendly chat messages on apps such as Telegram. Posing as business partners, the attackers invite the target to set up a Zoom meeting through Calendly. A follow-up email contains what looks like an ordinary Zoom link and a script that claims to update the Zoom SDK. When the victim runs the script, an AppleScript behind the scenes downloads a second script from a remote server while still forwarding the user to a genuine Zoom redirect page. This script opens a ZIP archive packed with binaries, plants itself for autostart, and launches a Bash-based information stealer.

At the core sits a C++ loader identified as InjectWithDyldArm64. It decrypts two embedded files, “Target” and “trojan1_arm64,” launches the former in a suspended state, and injects the latter’s code before letting the process resume. From there, the malware chats with a command-and-control (C2) server, gathers system details, executes shell commands, and changes working directories on demand—all while quietly shipping results back to the operators.

More Payloads and the Role of CoreKitAgent

The injected component can download extra tools that scoop passwords from browsers such as Chrome, Brave, Edge, Firefox, and Arc, and even lift data from the Telegram desktop client. Another Nim-compiled binary, CoreKitAgent, watches for any attempt to kill the rogue process. If the user—or an antivirus program—terminates it, CoreKitAgent redeploys the core files, guaranteeing that the infection springs back to life. An AppleScript beacon, also part of the package, phones home every half-minute with a list of running processes and waits for fresh instructions.

ClickFix Evolves Under the Kimsuky Banner

While NimDoor targets macOS, a separate North Korean group—known in the industry as Kimsuky—has kept busy refining a Windows-focused ruse named ClickFix. South Korean firm Genians reports that since January 2025, the gang has lured national-security experts with spear-phishing messages disguised as interview requests. Victims receive a RAR archive that launches a Visual Basic script, opens a decoy Google Docs page, and then plants remote-access tools through scheduled tasks.

By March 2025, the same trick morphed into emails claiming to come from a senior U.S. security official, complete with a fake authentication workflow that prompted recipients to paste a code into their Run dialog. April brought yet another skin: emails impersonating a Japanese diplomat that asked targets to meet the Japanese ambassador. Each variation ultimately fires off an obfuscated PowerShell command that connects to C2 servers, harvests data, and downloads additional malware.

Fake Job Portals and Remote-Desktop Abuse

Kimsuky’s creativity did not stop there. Investigators also found a counterfeit defense-research job site dotted with fraudulent vacancies. Clicking one of these listings pops up a ClickFix-style prompt that instructs the visitor to open the Windows Run box and execute a PowerShell line. The command installs Chrome Remote Desktop and funnels control back to servers hosted at domains such as kida.plusdocs.kro[.]kr. Misconfigurations on those servers exposed stolen files, including logs of South Korean victims and even a Chinese IP address tied to a keylogger that loaded BabyShark malware.
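As an added defensive example, not part of the article or from any of the researchers it cites, the following Python flags process-creation records that match the ClickFix chain described in the two sections above: PowerShell launched from the Windows Run box (so its parent is explorer.exe) with a hidden or encoded command line, or installing Chrome Remote Desktop. The event field layout and every sample record are assumptions constructed for the example.

```python
import re

# Constructed sample events in an assumed Sysmon-like process-creation layout.
# Record 0: hidden, encoded PowerShell pasted into the Run dialog.
# Record 1: PowerShell from the Run dialog installing a (constructed) CRD host MSI.
# Record 2: benign build script launched from an editor, used as a negative case.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -Command \"msiexec /i chromeremotedesktophost.msi /qn\""},
    {"ParentImage": r"C:\Program Files\Editor\editor.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoLogo -File build.ps1"},
]

# -w hidden / -WindowStyle hidden, and -e / -ec / -enc / -EncodedCommand.
HIDDEN_OR_ENCODED = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?|c)?\b)", re.I)
# Chrome Remote Desktop host install artefacts named on the command line.
CRD_INSTALL = re.compile(r"chromeremotedesktop|remoting_?host|chrome remote desktop", re.I)


def classify(event):
    """Return the reasons an event looks ClickFix-like; an empty list if it is not.

    The Run dialog hands the pasted line to explorer.exe, so the tell-tale
    combination is explorer.exe as PowerShell's parent plus a hidden/encoded
    command line or a Chrome Remote Desktop install in the same command.
    """
    image = event["Image"].lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return []
    if not event["ParentImage"].lower().endswith("explorer.exe"):
        return []
    reasons = []
    if HIDDEN_OR_ENCODED.search(event["CommandLine"]):
        reasons.append("hidden window or encoded command from Run dialog")
    if CRD_INSTALL.search(event["CommandLine"]):
        reasons.append("Chrome Remote Desktop install from Run dialog")
    return reasons


def scan(events):
    """Indices of events that classify() flags, in order."""
    return [i for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for i in scan(EVENTS):
        print(i, EVENTS[i]["CommandLine"], "->", classify(EVENTS[i]))
```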

GitHub and Dropbox Become Malware Warehouses

Recent probes show Kimsuky using hard-coded GitHub Personal Access Tokens to pull malware—most notably the open-source trojan Xeno RAT—from private repositories and to upload stolen data in return. Other runs fetch malicious RTF documents from Dropbox, leveraging PowerShell downloaders to plant Xeno RAT or its offshoot, MoonPeak. These overlapping infrastructures underline how the group reuses trusted cloud services to sidestep corporate defenses.

A Rapidly Changing Threat Landscape

Statistics from NSFOCUS put Kimsuky and its offshoots among the busiest threat actors observed in May 2025. Together with Konni, they accounted for one in twenty advanced persistent threat incidents tracked that month. The pace of change—new languages like Nim, novel persistence tricks, and an ever-growing family of social-engineering ploys—shows no sign of slowing. For organizations in the cryptocurrency and national-security arenas, the message is clear: keep patching, monitor those communication channels, and never assume an update prompt or meeting invite is as innocent as it looks.
