Particle.news

SentinelLabs Publishes Comprehensive IOCs for NimDoor macOS Malware

The report provides a full set of indicators of compromise so that security teams can update their macOS detections and hunt for the campaign.

Overview

  • SentinelLabs’ report catalogs domains, file paths, scripts and binaries used in the NimDoor campaign.
  • Attackers employ social engineering through Telegram contacts and Calendly scheduling before pushing a fake Zoom SDK update.
  • The multi-stage framework includes an installer that stages the other components, a binary named GoogIe LLC (spelled with a capital I in place of the lowercase l, to pass as "Google") that collects environment data, and CoreKitAgent as the main payload.
  • CoreKitAgent runs a kqueue-driven event state machine and installs custom SIGINT/SIGTERM handlers, so that an ordinary kill or a reboot triggers reinstallation of its components instead of removal.
  • AppleScript and Bash modules exfiltrate Keychain entries, browser data, shell histories and Telegram databases over TLS-encrypted WebSocket channels.