Overview

• SentinelLabs’ report catalogs domains, file paths, scripts and binaries used in the NimDoor campaign.
• Attackers employ social engineering through Telegram contacts and Calendly scheduling before pushing a fake Zoom SDK update.
• The multi-stage framework includes an installer for staging, GoogIe LLC for environment data collection, and CoreKitAgent as the main payload.
• CoreKitAgent leverages a kqueue-driven event state machine and custom SIGINT/SIGTERM handlers to reinstall components upon termination or reboot.
• AppleScript and Bash modules exfiltrate Keychain entries, browser data, shell histories and Telegram databases over TLS-encrypted WebSocket channels.