Pulse Detail — Threat Intelligence

PULSE NAME

macOS NimDoor | North Korean Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

WHITE DPRK AlienVault 2025-07-04 Modified: 2025-07-04

IOCs

MEDIUM VOLUME

DPRK threat actors are targeting Web3 and crypto-related businesses using Nim-compiled binaries and multiple attack chains. The malware, dubbed NimDoor, employs unusual techniques for macOS, including process injection and encrypted WebSocket communications. It uses a novel persistence mechanism leveraging signal handlers and deploys AppleScripts as beacons and backdoors. The attack chain begins with social engineering via Telegram, leading to the execution of malicious scripts and binaries. The malware exfiltrates browser data, Keychain credentials, and Telegram user information. The use of Nim introduces new levels of complexity for analysts, blending complex behavior into binaries with less obvious control flow.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1555.001 T1082 T1059.002 T1005 T1140 T1055 T1027.001 T1087 T1083 T1074 T1552.001 T1204 T1057 T1566 T1059.004 T1571 T1027 T1095 T1543.001 T1071.001 T1574.002

MALWARE FAMILIES

NimDoor

Indicators of Compromise (32)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	13c07ccb4117bfba9921e45c39b10339	—	2025-07-04
FileHash-SHA1	023a15ac687e2d2e187d03e9976a89ef5f6c1617	—	2025-07-04
FileHash-SHA1	027d4020f2dd1eb473636bc112a84f0a90b6651c	—	2025-07-04
FileHash-SHA1	0602a5b8f089f957eeda51f81ac0f9ad4e336b87	—	2025-07-04
FileHash-SHA1	06566eabf54caafe36ebe94430d392b9cf3426ba	—	2025-07-04
FileHash-SHA1	08af4c21cd0a165695c756b6fda37016197b01e7	—	2025-07-04
FileHash-SHA1	16a6b0023ba3fde15bd0bba1b17a18bfa00a8f59	—	2025-07-04
FileHash-SHA1	1a5392102d57e9ea4dd33d3b7181d66b4d08d01d	—	2025-07-04
FileHash-SHA1	1e76f497051829fa804e72b9d14f44da5a531df8	—	2025-07-04
FileHash-SHA1	2c0177b302c4643c49dd7016530a4749298d964c	—	2025-07-04
FileHash-SHA1	2d746dda85805c79b5f6ea376f97d9b2f547da5d	—	2025-07-04
FileHash-SHA1	2ed2edec8ccc44292410042c730c190027b87930	—	2025-07-04
FileHash-SHA1	3168e996cb20bd7b4208d0864e962a4b70c5a0e7	—	2025-07-04
FileHash-SHA1	4743d5202dbe565721d75f7fb1eca43266a652d4	—	2025-07-04
FileHash-SHA1	5b16e9d6e92be2124ba496bf82d38fb35681c7ad	—	2025-07-04
FileHash-SHA1	79f37e0b728de2c5a4bfe8fcf292941d54e121b8	—	2025-07-04
FileHash-SHA1	7c04225a62b953e1268653f637b569a3b2eb06f8	—	2025-07-04
FileHash-SHA1	945fcd3e08854a081c04c06eeb95ad6e0d9cdc19	—	2025-07-04
FileHash-SHA1	a25c06e8545666d6d2a88c8da300cf3383149d5a	—	2025-07-04
FileHash-SHA1	bb72ca0e19a95c48a9ee4fd658958a0ae2af44b6	—	2025-07-04
FileHash-SHA1	c9540dee9bdb28894332c5a74f696b4f94e4680c	—	2025-07-04
FileHash-SHA1	e227e2e4a6ffb7280dfe7618be20514823d3e4f5	—	2025-07-04
FileHash-SHA1	ee3795f6418fc0cacbe884a8eb803498c2b5776f	—	2025-07-04
FileHash-SHA256	469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f	—	2025-07-04
domain	dataupload.store	—	2025-07-04
domain	firstfromsep.online	—	2025-07-04
domain	safeup.store	—	2025-07-04
domain	writeup.live	—	2025-07-04
hostname	support.us05web-zoom.cloud	—	2025-07-04
hostname	support.us05web-zoom.forum	—	2025-07-04
hostname	support.us05web-zoom.pro	—	2025-07-04
hostname	support.us06web-zoom.online	—	2025-07-04

References (1)

↗ https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware