Cyberveille curated by Decio
1 result tagged Nim
NimDoor crypto-theft macOS malware revives itself when killed https://www.bleepingcomputer.com/news/security/nimdoor-crypto-theft-macos-malware-revives-itself-when-killed/
03/07/2025 11:38:41

North Korean state-backed hackers have been using a new family of macOS malware called NimDoor in a campaign that targets web3 and cryptocurrency organizations.

Researchers analyzing the payloads discovered that the attacker relied on unusual techniques and a previously unseen signal-based persistence mechanism.

The attack chain, which involves contacting victims via Telegram and luring them into running a fake Zoom SDK update delivered via Calendly and email, resembles the one that managed security platform Huntress recently linked to BlueNoroff.

Advanced macOS malware
In a report today, researchers at cybersecurity company SentinelOne say that the threat actor used C++ and Nim-compiled binaries (collectively tracked as NimDoor) on macOS, which "is a more unusual choice."

One of the Nim-compiled binaries, 'installer', is responsible for the initial setup and staging, preparing directories and config paths. It also drops two other binaries, 'GoogIe LLC' and 'CoreKitAgent', onto the victim's system.

GoogIe LLC takes over to collect environment data and generate a hex-encoded config file, writing it to a temp path. It sets up a macOS LaunchAgent (com.google.update.plist) for persistence, which re-launches GoogIe LLC at login and stores authentication keys for later stages.

The most advanced component used in the attack is CoreKitAgent, the main payload of the NimDoor framework, which operates as an event-driven binary, using macOS's kqueue mechanism to asynchronously manage execution.

It implements a 10-case state machine with a hardcoded state transition table, allowing flexible control flow based on runtime conditions.

The most distinctive feature is its signal-based persistence mechanism, where it installs custom handlers for SIGINT and SIGTERM.
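The excerpt names two host artefacts a defender can audit for: a LaunchAgent plist (com.google.update.plist) and a binary whose name, 'GoogIe LLC', spells "Google" with a capital I. The script below is an added example, not code from the article, SentinelOne, or this site; it parses LaunchAgent plists with the standard plistlib module and flags look-alike spellings of "Google", label/file-name mismatches, and auto-start agents whose executable lives outside a short list of system-managed paths. The sample plists and the trusted-path list are constructed assumptions for illustration, not indicators from the report.

```python
"""Audit macOS LaunchAgent plists for the indicators described in the excerpt.

Added defensive example; the plist contents and TRUSTED_PREFIXES below are
constructed/assumed for illustration and are not taken from the report.
"""
import plistlib
import re
import sys
from pathlib import Path

# Assumption: directories normally managed by the OS or an installer. An agent
# that auto-starts from anywhere else (home directory, /tmp) deserves a look.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/")

# Constructed sample mimicking the plist described on the page: the label
# borrows Google's namespace while the executable is 'GoogIe LLC' (capital I).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.google.update</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/Application Support/GoogIe LLC/GoogIe LLC</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign agent for comparison: matching label, app-bundle path.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# "goog" followed by a character that visually passes for 'l' (I, 1, |) then 'e'.
# The genuine spelling uses a lowercase 'l', which is not in the class.
_LOOKALIKE = re.compile(r"goog[I1|]e", re.IGNORECASE)


def looks_like_google_homoglyph(name: str) -> bool:
    """True when a name imitates 'Google' with a look-alike character."""
    return bool(_LOOKALIKE.search(name))


def audit_launch_agent(plist_bytes: bytes, filename: str) -> list[str]:
    """Return a list of human-readable findings for one LaunchAgent plist."""
    data = plistlib.loads(plist_bytes)
    findings = []
    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or []
    exe = str(data.get("Program") or (args[0] if args else ""))

    # launchd convention: file name is <Label>.plist; a mismatch is unusual.
    if label and Path(filename).stem != label:
        findings.append(f"label '{label}' does not match file name '{filename}'")

    for field, value in (("Label", label), ("executable", exe)):
        if looks_like_google_homoglyph(value):
            findings.append(f"{field} uses a Google look-alike spelling: {value!r}")

    # RunAtLoad/KeepAlive give the binary persistence; check where it runs from.
    persistent = bool(data.get("RunAtLoad")) or bool(data.get("KeepAlive"))
    if persistent and exe and not exe.startswith(TRUSTED_PREFIXES):
        findings.append(f"auto-start agent runs from a non-system path: {exe}")
    return findings


def audit_directory(directory: Path) -> dict[str, list[str]]:
    """Audit every *.plist in a LaunchAgents directory; returns {filename: findings}."""
    results = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            findings = audit_launch_agent(path.read_bytes(), path.name)
        except Exception as exc:  # malformed plist is itself worth reporting
            findings = [f"could not parse: {exc}"]
        if findings:
            results[path.name] = findings
    return results


if __name__ == "__main__":
    # Offline demo on the constructed samples; pass a directory to audit a real one.
    if len(sys.argv) > 1:
        for name, hits in audit_directory(Path(sys.argv[1]).expanduser()).items():
            print(name, *hits, sep="\n  ")
    else:
        print("sample:", audit_launch_agent(SAMPLE_PLIST, "com.google.update.plist"))
        print("benign:", audit_launch_agent(BENIGN_PLIST, "com.example.updater.plist"))
```

Run it with `python3 audit_agents.py ~/Library/LaunchAgents` to check a user's agents; the path heuristic will also flag some legitimate third-party agents that run from the home directory, so treat its output as a triage list rather than a verdict, and pair it with the label and look-alike checks, which are far more specific to the masquerade described above.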

bleepingcomputer EN 2025 macOS Malware Nim NimDoor Persistence North-Korea