NimDoor Strikes- DPRK’s Nim‑based macOS Malware Hits Crypto-Web3

Tags: NimDoor, DPRK, macOS, Malware, Web3, Threat, Telegram, Phishing

The NimDoor campaign targets macOS users in the Web3 and crypto sectors using social engineering and fake Zoom update scripts. North Korean threat actors deploy malware written in Nim and C++ to steal browser data, Telegram files, and credentials. The malware uses stealthy techniques such as process injection and encrypted communication to avoid detection.

Indicators of Compromise


Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

T1555.001 - Credentials from Password Stores: Keychain

ID: DS0017 | Data Source: Command | Data Component: Command Execution
Detects: Monitor executed commands with arguments that may be used to collect Keychain data from a system to acquire credentials.

Analytic 1 - Commands indicating credential searches in Keychain.

index=security sourcetype="macos_secure" (event_type="process" AND command IN ("security dump-keychain", "security find-generic-password", "security find-internet-password", "security unlock-keychain"))

ID: DS0022 | Data Source: File | Data Component: File Access
Detects: Monitor for Keychain files being accessed that may be related to malicious credential collection.

Analytic 1 - Unauthorized access to Keychain files.

index=security sourcetype="macos_secure" (event_type="file_open" AND file_path IN ("~/Library/Keychains/*", "/Library/Keychains/*", "/Network/Library/Keychains/*"))

ID: DS0009 | Data Source: Process | Data Component: OS API Execution
Detects: Monitor for Keychain Services API calls, specifically legacy extensions such as SecKeychainFindInternetPassword, that may collect Keychain data from a system to acquire credentials.[15]

Analytic 1 - Suspicious Keychain API calls.

index=security sourcetype="macos_secure" (event_type="api_call" AND api IN ("SecKeychainCopySearchList", "SecKeychainFindGenericPassword", "SecKeychainFindInternetPassword", "SecKeychainOpen", "SecKeychainCopyDefault", "SecItemCopyMatching"))

ID: DS0009 | Data Source: Process | Data Component: Process Creation
Detects: Monitor processes spawned by command line utilities that manipulate keychains directly, such as security, combined with arguments used to collect passwords, such as dump-keychain -d.

Analytic 1 - New processes with parameters indicating attempts to manipulate keychains.
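As an added example, not part of the original page or of any vendor's detection content: a small Python classifier that applies the three Keychain analytics above to constructed macOS event records. It assumes events are dicts carrying the same fields the SPL queries use (event_type, command, file_path, api), expands "~" to a supplied home directory before glob matching, and compares the security command by its first two tokens, because an exact-match IN list would miss "security dump-keychain -d login.keychain" once trailing arguments are present.

```python
import fnmatch
import os
import shlex

# Values taken from the three T1555.001 analytics above.
KEYCHAIN_COMMANDS = (
    "security dump-keychain", "security find-generic-password",
    "security find-internet-password", "security unlock-keychain",
)
KEYCHAIN_PATHS = ("~/Library/Keychains/*", "/Library/Keychains/*",
                  "/Network/Library/Keychains/*")
KEYCHAIN_APIS = frozenset({
    "SecKeychainCopySearchList", "SecKeychainFindGenericPassword",
    "SecKeychainFindInternetPassword", "SecKeychainOpen",
    "SecKeychainCopyDefault", "SecItemCopyMatching",
})


def _command_matches(cmdline: str) -> bool:
    # Compare "<basename> <subcommand>" only, so a full path or trailing
    # arguments (e.g. "-d login.keychain") do not defeat the match.
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # malformed quoting: treat as no match, not a crash
        return False
    if len(argv) < 2:
        return False
    return f"{os.path.basename(argv[0])} {argv[1]}" in KEYCHAIN_COMMANDS


def _path_matches(path: str, home: str) -> bool:
    # "~" is expanded to the monitored user's home before glob matching.
    return any(fnmatch.fnmatchcase(path, p.replace("~", home, 1))
               for p in KEYCHAIN_PATHS)


def classify(event: dict, home: str = "/Users/victim"):
    """Return the name of the analytic an event matches, or None."""
    kind = event.get("event_type")
    if kind == "process" and _command_matches(event.get("command", "")):
        return "keychain_command"
    if kind == "file_open" and _path_matches(event.get("file_path", ""), home):
        return "keychain_file_access"
    if kind == "api_call" and event.get("api") in KEYCHAIN_APIS:
        return "keychain_api_call"
    return None


# Constructed sample events (not from a real capture); "victim" is a placeholder home.
SAMPLE_EVENTS = [
    {"event_type": "process", "command": "/usr/bin/security dump-keychain -d login.keychain"},
    {"event_type": "process", "command": "security list-keychains"},
    {"event_type": "file_open", "file_path": "/Users/victim/Library/Keychains/login.keychain-db"},
    {"event_type": "api_call", "api": "SecItemCopyMatching"},
    {"event_type": "api_call", "api": "SecKeychainItemCopyContent"},
]
```

Running `[classify(e) for e in SAMPLE_EVENTS]` tags the dump-keychain command, the login.keychain-db read and the SecItemCopyMatching call, and leaves the benign list-keychains call and the unlisted API untagged.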

T1082 - System Information Discovery

ID: DS0017 | Data Source: Command | Data Component: Command Execution
Detects: Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. On ESXi servers, monitor discovery commands in the /var/log/shell.log history file.

ID: DS0009 | Data Source: Process | Data Component: OS API Execution
Detects: Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.

ID: DS0009 | Data Source: Process | Data Component: Process Creation
Detects: Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

T1059.002 - AppleScript

Observed Countries: 250
