North Korea’s Malware Circus: Now Featuring Fake Zoom Updates, Nim Code, and a Dash of Stupidity

North Korean hackers are again targeting web3 and crypto employees, this time luring them into installing macOS malware disguised as Zoom updates, according to SentinelOne.
The attackers impersonate trusted contacts and schedule phony meetings through Calendly, then email the victim a fake Zoom link that delivers a malicious script masquerading as a Zoom SDK update.
Executing the script triggers a multi-stage attack chain that ultimately deploys malware tracked as “NimDoor,” written in Nim, a programming language rarely seen in malware.
The malware uses persistence tricks such as signal-based reactivation and encrypted config files, techniques SentinelOne says it had not previously observed in macOS threats.
Attackers use AppleScript for initial infiltration and backdoor access, while bash scripts exfiltrate sensitive data from Keychain, browsers, and even Telegram.
Two separate Mach-O binaries kick off parallel execution chains: one written in C++ that siphons data, and one built in Nim that maintains persistence and drops further payloads.
Payloads include the look-alike “GoogIe LLC” (that’s an uppercase ‘i’ standing in for the lowercase ‘l’ in “Google”) and “CoreKitAgent,” both running as event-driven programs via the macOS kqueue mechanism.
These binaries establish long-term access by installing handlers for SIGINT and SIGTERM that reinstate core malware components whenever the process is asked to terminate.
Nim’s unusual compile-time execution capability lets the authors intertwine their malware logic with the language’s own runtime code, which makes analysis and detection painful.
The entire campaign screams overkill, but that’s exactly what happens when state-backed hackers have too much time, an affinity for exotic programming languages, and zero chill.
Discover more from TBC News
