NimDoor: Resilient macOS malware targets Web3 and cryptocurrency organizations.

A newly identified macOS malware family, dubbed NimDoor, targets organizations in the Web3 and cryptocurrency sectors and stands out for its unusual persistence mechanisms. Researchers at SentinelOne, who named the family, attribute the operation to North Korean (DPRK) threat actors, and the tooling marks a clear step up in the sophistication of macOS-targeted attacks.

Novel Persistence Through Signal-Based Self-Revival

What sets NimDoor apart from earlier macOS threats is how it persists. The malware installs custom handlers for SIGINT and SIGTERM, the signals that Ctrl-C and a plain kill deliver to ask a process to exit. When a user or security tool sends either signal, the handler rewrites the malware's LaunchAgent and binary and relaunches them instead of exiting, so a routine termination attempt leaves NimDoor running. The caveat for responders is that this only covers catchable signals: SIGKILL cannot be handled by any process, so the right order is to remove the LaunchAgent and the on-disk binaries first and then kill the process with SIGKILL, rather than sending SIGTERM and assuming it is gone.

Multi-Stage Infection Chain

NimDoor’s infection chain begins with social engineering. Attackers impersonate a trusted contact on Telegram, move the conversation to a meeting scheduled through a Calendly invitation, and then email the victim a link to a supposed Zoom SDK update. The "update" is an AppleScript that fetches the next stage. Because the invitation and the email arrive through channels the victim expects to use, the lure is far more convincing than an unsolicited attachment.

Technical Sophistication and Stealth

The core binaries of NimDoor are written in Nim, a language rarely seen in macOS malware. Nim compiles through C, so the same source builds for several platforms with minimal changes, and its compile-time code execution and uncommon runtime produce binaries that standard analysis tooling handles poorly. Once installed, NimDoor performs process injection: an injector component is signed with entitlements of the kind a debugger needs to obtain another process's task port, and it uses them to load a payload into a target process. Command-and-control (C2) traffic travels over WebSockets inside TLS (wss://), which blends in with ordinary web traffic and resists casual inspection.

Aggressive Data Exfiltration

NimDoor uses Bash scripts to collect and exfiltrate sensitive data systematically. Targets include Keychain credentials, browser data from Arc, Brave, Firefox, Chrome and Edge, and Telegram user data. A separate script copies Telegram's encrypted local database so the attackers can decrypt it offline and recover additional sensitive information from it.

Anti-Analysis and Deceptive Persistence

To evade detection, components such as CoreKitAgent run asynchronously and delay their malicious activity, in some cases sleeping for up to 10 minutes before acting, long enough to outlast many sandbox analyses. Persistence is reinforced with deceptive LaunchAgents and binaries named to mimic legitimate software; one example is "GoogIe LLC", which spells Google with a capital I (eye) in place of the lowercase l (ell), so it is hard to tell from genuine Google software in a directory listing.
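A check for this kind of homoglyph naming, written here as an added example rather than anything from the article or from the researchers' tooling: it parses a LaunchAgent plist, folds a small hand-picked table of look-alike characters (an assumption; the full Unicode confusables list is much larger) and reports any Label or path component that collides with a known vendor name only after folding. The vendor list and the two sample plists are constructed for the demonstration; the "GoogIe LLC" spelling is the one the article describes.

```python
import plistlib
from pathlib import PurePosixPath

# Hand-picked look-alikes (assumption: a small table, not the full Unicode confusables list).
# Each key is folded to the character it is meant to impersonate.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",      # capital I, digit one and pipe for lowercase L
    "0": "o", "5": "s", "2": "z",      # digits for letters
    "\u0430": "a", "\u043e": "o", "\u0435": "e",  # Cyrillic a, o, e
}

# Constructed allow-list of vendor names a responder would expect to see in LaunchAgent paths.
KNOWN_VENDORS = {"Google LLC", "Apple Inc.", "Microsoft Corporation",
                 "Zoom Video Communications, Inc."}


def fold(name):
    """Map confusables to their targets and casefold, so 'GoogIe LLC' and 'Google LLC' collide."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name).casefold()


def lookalike_of(name, known=KNOWN_VENDORS):
    """Return the genuine vendor name that `name` imitates, or None if identical or unrelated."""
    for real in known:
        if name.casefold() != real.casefold() and fold(name) == fold(real):
            return real
    return None


def scan_launchagent(plist_bytes, known=KNOWN_VENDORS):
    """Check the Label and every component of the program path for vendor look-alikes."""
    agent = plistlib.loads(plist_bytes)
    program = agent.get("Program") or (agent.get("ProgramArguments") or [None])[0]
    candidates = [agent.get("Label", "")]
    if program:
        candidates.extend(PurePosixPath(program).parts)
    findings = []
    for part in candidates:
        real = lookalike_of(part, known)
        if real:
            findings.append((part, real))
    return findings


# Constructed samples: a genuine-looking Google agent and one whose vendor folder uses a
# capital I (eye) in place of the lowercase l (ell). Paths and labels are illustrative.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": ["/Users/alice/Library/Google/GoogleSoftwareUpdate/"
                         "GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent"],
    "RunAtLoad": True,
})
LOOKALIKE_PLIST = plistlib.dumps({
    "Label": "com.google.update",
    "ProgramArguments": ["/Users/alice/Library/GoogIe LLC/CoreKitAgent"],
    "RunAtLoad": True,
})


if __name__ == "__main__":
    print("benign  :", scan_launchagent(BENIGN_PLIST))
    print("suspect :", scan_launchagent(LOOKALIKE_PLIST))
```

Running the scanner over every plist in ~/Library/LaunchAgents and /Library/LaunchAgents turns the visual trick against the attacker: a name that survives a glance at Finder does not survive a folded string comparison.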