SOC Incident Toolkit
NimDoor Strikes: DPRK's Nim-based macOS Malware Hits Crypto/Web3

Tags: NimDoor, DPRK, macOS, Malware, Web3, Threat, Telegram, Phishing

The NimDoor campaign targets macOS users in the Web3 and crypto sectors through social engineering and fake Zoom update scripts. North Korean threat actors deploy malware written in Nim and C++ to steal browser data, Telegram files, and credentials. The malware relies on stealthy techniques such as process injection and encrypted communication to evade detection.

Indicators of Compromise

Domains (8)

writeup.live, dataupload.store, support.us05web-zoom.cloud, safeup.store, support.us05web-zoom.pro, support.us05web-zoom.forum, firstfromsep.online, support.us06web-zoom.online

Hashes (24)


Notes

<div class="content-body">
<span class="content-title">CONCLUSION</span>
<p class="content-description">The NimDoor campaign marks a sophisticated leap in DPRK-linked cyber threats, employing a rare combination of Nim-based binaries, AppleScript backdoors, and encrypted WebSocket channels to target macOS users in the Web3 and crypto sectors. Its use of signal-based persistence, process injection, and stealthy theft of browser credentials, Keychain secrets, and Telegram databases demonstrates the attackers' evolving tactics.</p>
<p class="content-description">For comprehensive detection and defense, platforms like <a href="https://socradar.io/">SOCRadar</a> offer valuable tools. Their Extended Threat Intelligence and IOC Radar can help monitor C2 domains, signal-based persistence indicators, and anomalous wss connections tied to NimDoor. Using SOCRadar, security teams can gain real-time visibility into targeted campaigns like this one and stay ahead of emerging threats.</p>
<p class="content-description">By combining EDR, YARA or SIEM rules, and threat intelligence from SOCRadar, organizations in the crypto/Web3 space can better detect, prevent, and respond to advanced macOS intrusions such as NimDoor.</p>
</div>
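As an added example (not code from this page or from SOCRadar), the Python below applies the eight C2 domains from the IoC list above to a constructed proxy log, flagging any request whose destination is a NimDoor domain or a subdomain of one and marking ws/wss connections as the encrypted WebSocket channel noted above. The four-field log format and the sample lines are assumptions, and the lookalike domains are deliberately checked against the legitimate us05web.zoom.us host so that Zoom traffic itself is not flagged.

```python
import re
from urllib.parse import urlparse

# The eight NimDoor C2 domains from this page's IoC list.
NIMDOOR_DOMAINS = frozenset({
    "writeup.live", "dataupload.store", "safeup.store", "firstfromsep.online",
    "support.us05web-zoom.cloud", "support.us05web-zoom.pro",
    "support.us05web-zoom.forum", "support.us06web-zoom.online",
})

# Constructed sample proxy log (not real telemetry): "<timestamp> <src_ip> <method> <url>".
SAMPLE_LOG = """\
2025-07-02T09:14:03Z 10.0.0.12 GET https://us05web.zoom.us/j/123456789
2025-07-02T09:14:41Z 10.0.0.12 GET https://support.us05web-zoom.cloud/update
2025-07-02T09:15:02Z 10.0.0.12 CONNECT wss://firstfromsep.online:443/
2025-07-02T09:16:10Z 10.0.0.27 GET https://example.com/index.html
2025-07-02T09:17:55Z 10.0.0.31 CONNECT wss://cdn.dataupload.store/ws
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")

def matching_ioc(host):
    """Return the IoC domain that host equals or is a subdomain of, else None."""
    # Suffix match is anchored on a dot, so "notsafeup.store" does not match
    # "safeup.store" and the real "us05web.zoom.us" never matches the look-alikes.
    host = host.lower().rstrip(".")
    for ioc in NIMDOOR_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def scan_proxy_log(text):
    """Return one finding per log line whose destination host is a NimDoor IoC domain."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        parsed = urlparse(m["url"])
        host = parsed.hostname or ""
        ioc = matching_ioc(host)
        if ioc is None:
            continue
        findings.append({
            "ts": m["ts"], "src": m["src"], "host": host, "ioc": ioc,
            # ws/wss to a C2 domain is the encrypted WebSocket channel described above
            "websocket": parsed.scheme in ("ws", "wss"),
        })
    return findings
```

Each finding carries the source IP and timestamp so it can be pivoted into EDR telemetry for the host that made the request.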

Mitigation

<div class="content-container">
<p class="content-description"><span class="content-title">T1555.001 - Credentials from Password Stores: Keychain</span></p>
<div align="left">
<table>
<colgroup> <col> <col> <col> </colgroup>
<tbody>
<tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1027">M1027</a></td> <td><a href="https://attack.mitre.org/mitigations/M1027">Password Policies</a></td> <td>The password of the user's login keychain can be set to differ from the user's login password. This raises the bar for an adversary, who must then obtain an additional password.</td> </tr>
</tbody>
</table>
</div>
<p class="content-description"><span class="content-title">T1082 - System Information Discovery</span></p>
<p class="content-description"><span class="content-title">This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.</span></p>
<p class="content-description"><span class="content-title">T1059.002 - AppleScript</span></p>
<div align="left">
<table>
<colgroup> <col> <col> <col> </colgroup>
<tbody>
<tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1045">M1045</a></td> <td><a href="https://attack.mitre.org/mitigations/M1045">Code Signing</a></td> <td>Require that all AppleScript be signed by a trusted developer ID before being executed; this prevents arbitrary AppleScript code from running and subjects AppleScript to the same Gatekeeper scrutiny as other .app bundles.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1038">M1038</a></td> <td><a href="https://attack.mitre.org/mitigations/M1038">Execution Prevention</a></td> <td>Use application control where appropriate.</td> </tr>
</tbody>
</table>
</div>
<p class="content-description"><span class="content-title">T1005 - Data from Local System</span></p>
<div align="left">
<table>
<colgroup> <col> <col> <col> </colgroup>
<tbody>
<tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1057">M1057</a></td> <td><a href="https://attack.mitre.org/mitigations/M1057">Data Loss Prevention</a></td> <td>Data loss prevention can restrict access to sensitive data and detect sensitive data that is stored unencrypted.</td> </tr>
</tbody>
</table>
</div>
<p class="content-description"><span class="content-title">T1140 - Deobfuscate/Decode Files or Information</span></p>
<p class="content-description"><span class="content-title">This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.</span></p>
<p class="content-description"><span class="content-title">T1055 - Process Injection</span></p>
<div align="left">
<table>
<colgroup> <col> <col> <col> </colgroup>
<tbody>
<tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1040">M1040</a></td> <td><a href="https://attack.mitre.org/mitigations/M1040">Behavior Prevention on Endpoint</a></td> <td>Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. For example, on Windows 10, Attack Surface Reduction (ASR) rules may prevent Office applications from performing code injection.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1026">M1026</a></td> <td><a href="https://attack.mitre.org/mitigations/M1026">Privileged Account Management</a></td> <td>Use Yama (e.g. /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace-based process injection by restricting the use of ptrace to privileged users only. Other mitigating controls include security kernel modules that provide advanced access control and process restrictions, such as SELinux, grsecurity, and AppArmor.</td> </tr>
</tbody>
</table>
</div>
<p class="content-description"><span class="content-title">T1027.001 - Binary Padding</span></p>
<p class="content-description"><span class="content-title">This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.</span></p>
<p class="content-description"><span class="content-title">T1087 - Account Discovery</span></p>
<div align="left">
<table>
<colgroup> <col> <col> <col> </colgroup>
<tbody>
<tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1018">M1018</a></td> <td><a href="https://attack.mitre.org/mitigations/M1018">User Account Management</a></td> <td>Manage the creation, modification, use, and permissions associated with user accounts.</td> </tr>
</tbody>
</table>
</div>
</div>