North Korean threat actors are deploying novel techniques to infect crypto businesses with macOS malware designed to steal credentials, according to a new report by SentinelLabs.
The researchers provided an analysis on a series of attacks launched by Democratic People’s Republic of Korea (DPRK) threat actors against Web3 and Crypto organizations during April 2025.
North Korea-affiliated attackers have been attributed to a large volume of major cryptocurrency heists in recent years, as part of efforts to generate revenue for the Pyongyang regime.
In Febrary 2025, the notorious DPRK-linked Lazarus Group stole $1.4bn worth of crypto from the ByBit exchange.
NimDoor Malware Deployed
In the new analysis, SentinelLabs researchers observed the attackers using social engineering techniques typical of DPRK actors to achieve initial access.
After gaining access, the attackers then deployed novel tactics, techniques and procedures (TTPs) to achieve persistence and launch the Nim-based malware, known as NimDoor.
The Nim programming language has become increasingly popular among macOS malware authors, partly due to their unfamiliarity to analysts.
The TTPs used by the attackers include an attack chain consisting of an eclectic mix of scripts and binaries written in AppleScript, C++ and Nim.
This approach makes detection harder for defenders.
“North Korean-aligned threat actors have previously experimented with Go and Rust, similarly combining scripts and compiled binaries into multi-stage attack chains,” the researchers wrote.
“However, Nim’s rather unique ability to execute functions during compile time allows attackers to blend complex behavior into a binary with less obvious control flow, resulting in compiled binaries in which developer code and Nim runtime code are intermingled even at the function level,” SentinelLabs researchers said.
The use of wss for communication and signal interrupts is designed to defeat security measures. wss is the TLS-encrypted version of the WebSocket protocol.
The researchers urged analysts to invest in efforts to understand lesser-known programming languages, such as Nim, and how they can be leveraged to defend against these types of attacks.
The Initial Nim Attack Chain
The blog, published on July 2, observed that the April attacks began with a social engineering technique synonymous with DPRK actors – impersonation of a trusted contact over Telegram and an invitation to schedule a meeting via Calendly.
The target was subsequently sent an email containing a Zoom meeting link and instructions to run a so-called “Zoom SDK update script”.
The domain hosted a malicious AppleScript file, which was heavily padded to obfuscate its true function.
The script ended with three lines of malicious code that that retrieve and execute a second-stage script from a command-and-control (C2) server.
The follow-on script downloaded an HTML file which includes a legitimate Zoom redirect link. Upon execution, this file launches the attack’s core logic.
Multi-Stage Infection Process
The researchers observed a complex multistage deployment process for the NimDoor malware, which encompasses a range of scripts and binaries written in various languages.
This starts with the download of two Mach-O binaries, which set off two independent execution chains.
The first is a C++-compiled universal architecture Mach-O executable, which aims to fetch two Bash scripts used for data exfiltration across different browsers.
The second execution chain starts with an installer binary, which is a universal Mach-O executable compiled from Nim source code. This executable is responsible for achieving long-term access and recovery for the threat actor.
This drops two other binaries onto the victim’s system, called GoogIe LLC and CoreKitAgent.
The misspelling of GoogIe LLC (uppercase I rather than lowercase l), is intended to help the malware blend in and avoid suspicion.
GoogIe sets up a macOS LaunchAgent, which re-launches GoogIe LLC at login and stores authentication keys for later stages.
CoreKitAgent, the most technicaly complex of the binaries analyzed, takes advantage of SIGINT/SIGTERM signal handlers to install persistence when the malware is terminated or the system rebooted.
These are signals users can send to terminate processes. However, when CoreKitAgent catches these signals triggers a reinstallation routine that re-deploys GoogIe LLC.
CoreKitAgent also writes the LaunchAgent for persistence and a copy of itself as the Trojan.
“This behavior ensures that any user-initiated termination of the malware results in the deployment of the core components, making the code resilient to basic defensive actions,” the researchers noted.
Finally, an embedded AppleScript in a stripped version of CoreKitAgent is decoded and launched.
Upon execution, the script beacons to C2 infrastructure every 30 seconds, and attempts to post data obtained from listing all running processes on the victim machine.