AInvest Newsletter
Daily stocks & crypto headlines, free to your inbox
North Korean threat actors have been observed using new tradecraft against cryptocurrency and Web3 businesses: malware written in the Nim programming language, a departure from their earlier tooling. The malware family, collectively referred to as NimDoor, uses process injection and talks to its operators over TLS-encrypted WebSocket connections, both of which are unusual for macOS malware. It also employs a novel persistence mechanism built on SIGINT/SIGTERM signal handlers: instead of exiting when it receives a termination signal, whether from a user killing the process or from the system shutting down, the malware reinstalls its core components, so an ordinary kill attempt leaves it running.
The attack chains rely on social engineering: targets are approached on messaging platforms such as Telegram and asked to schedule a meeting via Calendly. The target is then sent an email containing a supposed Zoom meeting link along with instructions to run a "Zoom SDK update" script. Running that script executes an AppleScript that serves as the delivery vehicle for a second-stage script fetched from a remote server. The downloaded script in turn unpacks ZIP archives containing the binaries that set up persistence and launch information-stealing bash scripts.

At the heart of the infection sequence is a C++ loader called InjectWithDyldArm64, which decrypts two embedded binaries, Target and trojan1_arm64. The loader launches Target in a suspended state, injects trojan1_arm64's code into it, and then resumes the suspended process. The injected code establishes communication with a remote server and fetches commands that let it gather system information, run arbitrary commands, and change or set the current working directory; the results of each command are sent back to the server.
trojan1_arm64 can download two further payloads, which carry the ability to harvest credentials from web browsers including Arc, Brave, Google Chrome, Edge, and Mozilla Firefox, and to extract data from the Telegram application. Also dropped as part of the attacks is a collection of Nim-based executables used as a launchpad for CoreKitAgent, which watches for user attempts to kill the malware process and ensures persistence by installing custom handlers for SIGINT and SIGTERM. Any user-initiated termination of the malware therefore results in redeployment of the core components, making the code resilient to basic defensive actions such as killing the process.

The malware also launches an AppleScript that beacons out every 30 seconds to one of two hard-coded command-and-control (C2) servers, exfiltrating a snapshot of the running-process list and executing any additional scripts the server returns. The findings show how North Korean threat actors are increasingly targeting macOS systems, weaponizing AppleScript as a post-exploitation backdoor to meet their data-gathering goals.
North Korean-aligned threat actors have previously experimented with Go and Rust, similarly combining scripts and compiled binaries into multi-stage attack chains. However, Nim's unique ability to execute functions during compile time allows attackers to blend complex behavior into a binary with less obvious control flow, resulting in compiled binaries in which developer code and Nim runtime code are intermingled even at the function level.
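The 30-second AppleScript beacon described above is detectable from timing alone, independent of the TLS-encrypted payload. The C program below is an added example, not the report's or the malware's code, of a simple periodicity check over per-process outbound-connection records: it groups connections by process name, measures the gaps between them, and flags a process whose gaps are nearly constant. The log format (`<epoch-seconds> <process> <destination>`), the process names, destinations and timestamps are constructed for the example, and the thresholds (at least three gaps, coefficient of variation under 0.2) are assumptions to tune against real traffic.

```c
/*
 * Added example, not code from the NimDoor report: a minimal beaconing
 * detector over constructed outbound-connection log lines. Builds with
 * `cc beacon.c` (no libm needed: the spread test avoids sqrt).
 */
#include <stdio.h>
#include <string.h>

#define MAX_PROCS  16
#define MAX_EVENTS 64

struct proc_series {
    char name[32];
    long ts[MAX_EVENTS];   /* connection timestamps, in log order */
    int  n;
};

/* Constructed sample: osascript connects every 30 s like the beacon,
 * Safari's connections are bursty and irregular. */
static const char *SAMPLE_LOG[] = {
    "1751450400 Safari    cdn.example:443",
    "1751450400 osascript c2.example:443",
    "1751450402 Safari    cdn.example:443",
    "1751450430 osascript c2.example:443",
    "1751450431 Safari    cdn.example:443",
    "1751450460 osascript c2.example:443",
    "1751450490 osascript c2.example:443",
    "1751450497 Safari    cdn.example:443",
    "1751450520 osascript c2.example:443",
    "1751450550 osascript c2.example:443",
    NULL
};

/* Return the series for a process name, creating it on first sight;
 * NULL when the table is full. */
static struct proc_series *series_for(struct proc_series *tbl, int *count,
                                      const char *name) {
    for (int i = 0; i < *count; i++)
        if (strcmp(tbl[i].name, name) == 0) return &tbl[i];
    if (*count >= MAX_PROCS) return NULL;
    struct proc_series *p = &tbl[(*count)++];
    snprintf(p->name, sizeof p->name, "%s", name);
    p->n = 0;
    return p;
}

/* Parse log lines into per-process timestamp series; malformed lines are
 * skipped. Returns the number of distinct processes seen. */
int load_series(const char **lines, struct proc_series *tbl) {
    int count = 0;
    for (; *lines; lines++) {
        long ts;
        char name[32], dest[64];
        if (sscanf(*lines, "%ld %31s %63s", &ts, name, dest) != 3) continue;
        struct proc_series *p = series_for(tbl, &count, name);
        if (p && p->n < MAX_EVENTS) p->ts[p->n++] = ts;
    }
    return count;
}

/* Flag a series as beacon-like when it has at least min_intervals gaps
 * and their relative spread (variance / mean^2, the squared coefficient
 * of variation) is below max_cv^2. The mean gap is written to *period
 * when it is computed. Returns 1 if beacon-like, else 0. */
int is_beaconing(const struct proc_series *p, int min_intervals,
                 double max_cv, double *period) {
    int k = p->n - 1;                         /* number of gaps */
    if (k < min_intervals) return 0;
    double sum = 0.0, sumsq = 0.0;
    for (int i = 1; i < p->n; i++) {
        double gap = (double)(p->ts[i] - p->ts[i - 1]);
        sum += gap;
        sumsq += gap * gap;
    }
    double mean = sum / k;
    if (mean <= 0.0) return 0;
    double var = sumsq / k - mean * mean;
    if (var < 0.0) var = 0.0;                 /* rounding guard */
    if (period) *period = mean;
    return (var / (mean * mean)) < (max_cv * max_cv);
}

/* Run the check on one process in the sample. Returns 1 (beacon-like),
 * 0 (irregular) or -1 (process not present in the log). */
int sample_beacon_check(const char *name, double *period) {
    struct proc_series tbl[MAX_PROCS];
    int count = load_series(SAMPLE_LOG, tbl);
    for (int i = 0; i < count; i++)
        if (strcmp(tbl[i].name, name) == 0)
            return is_beaconing(&tbl[i], 3, 0.2, period);
    return -1;
}

/* Rounded beacon period in seconds, or -1 if absent or not beacon-like. */
long sample_beacon_period(const char *name) {
    double period = 0.0;
    if (sample_beacon_check(name, &period) != 1) return -1;
    return (long)(period + 0.5);
}

int main(void) {
    const char *names[] = { "osascript", "Safari", NULL };
    for (const char **n = names; *n; n++) {
        long period = sample_beacon_period(*n);
        if (period >= 0) printf("%s: beacon-like, period ~%ld s\n", *n, period);
        else             printf("%s: no regular beacon\n", *n);
    }
    return 0;
}
```

Treat a hit as a triage signal rather than a verdict: osascript is a legitimate macOS binary, and real implants often add jitter, so on production data the coefficient-of-variation threshold and the minimum gap count need tuning, and the destination and parent process of the flagged connections should be examined before acting.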
Dec.02 2025
