SentinelLabs Publishes Comprehensive IOCs for NimDoor macOS Malware
The report provides full indicators of compromise so that security teams can update their macOS defenses.
Overview
- SentinelLabs’ report catalogs domains, file paths, scripts and binaries used in the NimDoor campaign.
- Attackers employ social engineering through Telegram contacts and Calendly scheduling before pushing a fake Zoom SDK update.
- The multi-stage framework includes an installer for staging, GoogIe LLC for environment data collection, and CoreKitAgent as the main payload.
- CoreKitAgent leverages a kqueue-driven event state machine and custom SIGINT/SIGTERM handlers to reinstall components upon termination or reboot.
- AppleScript and Bash modules exfiltrate Keychain entries, browser data, shell histories and Telegram databases over TLS-encrypted WebSocket channels.
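The component name in the overview above, "GoogIe LLC", spells the vendor with a capital I in place of a lowercase l, a look-alike substitution that passes casual inspection in process lists and file paths. The following Python check is an added example written for this page; it is not code from SentinelLabs or from the report, and the confusable table, vendor list and sample paths are constructed assumptions. It collapses ASCII look-alike characters into a skeleton and flags names that match a known vendor only after that collapse, which is a generic way to surface this kind of impersonation in inventory or telemetry data.

```python
# Defender-side check: flag names that impersonate a known vendor through
# ASCII look-alike characters (e.g. "GoogIe" with a capital I).
# Added example for this page; not from the SentinelLabs report.

# Constructed table of confusable substitutions. Multi-character entries
# come first so "rn" is collapsed before single characters are handled.
# Assumption: these ASCII pairs are sufficient for the cases discussed;
# full Unicode homoglyph coverage would need a much larger table.
CONFUSABLES = {
    "rn": "m",
    "I": "l",   # capital i read as lowercase L
    "1": "l",
    "|": "l",
    "0": "o",
    "5": "s",
    "3": "e",
}

# Assumed list of vendor strings worth protecting; extend as needed.
VENDORS = ["google", "apple", "zoom", "microsoft"]


def skeleton(name: str) -> str:
    """Collapse confusable characters, then lowercase.

    Replacement runs before lowercasing because several entries
    (such as "I") are only confusable in their uppercase form.
    The result is approximate and used only to prioritise review.
    """
    s = name
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s.lower()


def impersonated_vendor(name: str):
    """Classify a single name component.

    Returns (vendor, True) when the name spells a vendor only after
    confusable collapse, (vendor, False) when the genuine spelling is
    present, or None when no vendor string is involved.
    """
    sk = skeleton(name)
    for vendor in VENDORS:
        if vendor in sk:
            genuine = vendor in name.lower()
            return vendor, not genuine
    return None


def find_homoglyph_names(paths):
    """Scan path strings component by component; return suspicious hits
    as (path, offending component, vendor impersonated)."""
    hits = []
    for path in paths:
        for part in path.split("/"):
            result = impersonated_vendor(part)
            if result and result[1]:
                hits.append((path, part, result[0]))
                break  # one hit per path is enough for triage
    return hits


# Constructed sample inventory; these are illustrative paths, not real IoCs.
SAMPLE_PATHS = [
    "/Library/Application Support/Google/Chrome",
    "/Users/demo/Library/Application Support/GoogIe LLC/updater",
    "/Users/demo/Downloads/Zoorn SDK Update.pkg",
    "/Applications/CoreKitAgent",
]

if __name__ == "__main__":
    for path, part, vendor in find_homoglyph_names(SAMPLE_PATHS):
        print(f"{path}: '{part}' resembles vendor '{vendor}'")
```

Genuine spellings ("Google/Chrome") are left alone, while "GoogIe LLC" and a constructed "Zoorn" package are reported. The skeleton is deliberately lossy, so treat hits as triage candidates to compare against the report's published indicators rather than as verdicts.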