NimDoor is a high-level trojan—more accurately, a stealthy cyber‑espionage framework—that targets macOS systems, especially within Web3 and cryptocurrency environments. Utilizing sophisticated components written in Nim, C++, and AppleScript, this malware focuses on data theft, maintaining persistence, and evading detection.
Overview of Threat
Threat type: Trojan / Backdoor
Detection names: Avast MacOS:Agent‑AQF [Trj]; Combo Cleaner Trojan.Generic.37083384; ESET‑NOD32 OSX/PSW.Agent.EJ; Kaspersky HEUR:Trojan.OSX.Agent.ac; Microsoft Trojan:MacOS/Multiverze
Symptoms of infection: No visible symptoms—designed to stay silent
Damage: Exfiltration of browser data, Keychain credentials, shell history, Telegram databases, loss of privacy and potential monetary theft
Distribution methods: Telegram-based social engineering, deceptive emails with fake Zoom SDK update scripts, Calendly scheduling
Danger level: High
Removal tool: SpyHunter – a trusted anti‑malware tool for macOS (Download here)
Threat Summary
| Feature | Details |
|---|---|
| Threat type | Trojan / Backdoor |
| Detection names | Avast, Combo Cleaner, ESET, Kaspersky, Microsoft |
| Symptoms | None; stealth mode operation |
| Damage | Credential theft, system compromise, financial fraud potential |
| Distribution | Telegram impersonation, Calendly + email, fake Zoom SDK scripts |
| Danger level | High |
| Removal tool | SpyHunter |
How I Got Infected
NimDoor infections start with social-engineering techniques. Attackers impersonate trusted contacts over Telegram and ask victims to schedule a meeting via Calendly. They then send an email containing a Zoom meeting link accompanied by instructions to run a fake “Zoom SDK update” script. Once the user executes this script, a multi-stage infection begins, deploying malware in temporary directories.
What NimDoor Does
1. Multi‑Stage Binaries & Process Injection
- Installer (Nim-compiled) sets up persistence via LaunchAgents and drops GoogIe LLC and CoreKitAgent.
- C++ binary (“a”) decrypts and injects the trojan1_arm64 payload into a dummy process, enabling stealthy remote control and command execution.
2. Persistence and Self‑Recovery
- Uses a custom signal-based persistence mechanism. When terminated (via SIGINT or SIGTERM), CoreKitAgent relaunches itself and re‑installs its components.
- Employs LaunchAgent (com.google.update.plist) for automatic re‑execution at login.
3. Data Exfiltration
- Runs upl and tlgrm scripts:
- upl collects browser data (Chrome, Brave, Firefox, Edge, Arc), Keychain credentials, and shell histories; compresses and uploads them via HTTP POST.
- tlgrm steals Telegram’s local database and decryption key, uploading them for possible offline decryption.
4. AppleScript Beacon Backdoor
- CoreKitAgent installs a hex‑encoded AppleScript that beacons to attacker servers every 30 seconds and can execute returned scripts via osascript.
Should You Be Worried?
Yes. NimDoor is a highly advanced, stealthy, and resilient threat:
- Stealth: Almost no visible symptoms.
- Persistence: Survives termination and relaunches automatically.
- Modular Exfiltration: Targets high-value data (cryptocurrency, credentials).
- Advanced Techniques: Includes process injection, encrypted C2, signal handling, scripted backdoor.
Systems in crypto or Web3 industries should treat NimDoor infections as severe security breaches.
Manual Removal of Info-Stealers on macOS
(Recommended for advanced users)
Step 1: Quit Malicious Processes
- Open Activity Monitor (Applications > Utilities).
- Look for unfamiliar processes using a lot of CPU or RAM.
- Select the suspicious process and click the “X” (Force Quit) in the toolbar.
Common process names include agentUpdater, com.apple.system, StealC, VidarAgent, or randomly generated ones.
Step 2: Remove Suspicious Login Items
- Open System Settings (Ventura or newer) or System Preferences (Monterey and older).
- Go to:
  - Ventura and later: Users & Groups > Login Items
  - Monterey and earlier: Users & Groups > Login Items
- Remove any unrecognized or unwanted entries using the minus (–) button.
Step 3: Delete Malicious Applications
- Go to Finder > Applications.
- Sort by Date Added to spot recently installed suspicious apps.
- Drag questionable apps to the Trash, then Empty Trash.
Step 4: Remove Malware-Related Files and Launch Items
- In Finder, click Go > Go to Folder.
- Check and clean the following directories:
  ~/Library/LaunchAgents/
  ~/Library/Application Support/
  ~/Library/Preferences/
  ~/Library/LaunchDaemons/
- Also check these system-level paths:
  /Library/LaunchAgents/
  /Library/LaunchDaemons/
  /Library/Application Support/
- Look for files with strange names or those referencing fake apps or random strings (e.g., com.update.agent.plist, vidarupdater, stealerwatcher.plist) and delete them.
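As an added example (not code from the article), the bash script below sweeps the launch directories listed in Step 4 for the persistence indicators described under "What NimDoor Does": the com.google.update.plist LaunchAgent, the CoreKitAgent and GoogIe LLC components, and osascript-driven beacon entries. The regex, the temporary-path heuristic and the function layout are assumptions; only the indicator strings come from the article.

```bash
#!/bin/bash
# Added example, not code from the article: sweep the launch directories listed in
# Step 4 for the NimDoor persistence indicators named in "What NimDoor Does".
# Indicator strings come from the article; the regex and paths are assumptions.

# Directories the article tells the reader to inspect (user and system level).
NIMDOOR_DIRS="$HOME/Library/LaunchAgents $HOME/Library/LaunchDaemons /Library/LaunchAgents /Library/LaunchDaemons"

# Indicators: the LaunchAgent label/file name, the dropped components (note the
# homoglyph "GoogIe", capital I for l, as the article spells it), the AppleScript
# runner used by the beacon, and program paths under temporary directories.
NIMDOOR_RE='com\.google\.update|CoreKitAgent|GoogIe|osascript|/tmp/|/var/folders/'

# scan_plist_dir DIR: print "<file><TAB><first indicator>" for every .plist in DIR
# whose file name or XML body matches. Returns 0 if anything matched, 1 otherwise.
scan_plist_dir() {
    local dir="$1" rc=1 f hit
    [ -d "$dir" ] || return 1
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue
        # Binary plists need `plutil -convert xml1 -o - FILE` first (macOS only);
        # grep -a handles the XML plists a script-based dropper usually writes.
        hit=$( { basename "$f"; cat "$f"; } | grep -a -o -E "$NIMDOOR_RE" | head -n 1)
        if [ -n "$hit" ]; then
            printf '%s\t%s\n' "$f" "$hit"
            rc=0
        fi
    done
    return $rc
}

# scan_all: run the sweep over every directory in NIMDOOR_DIRS.
scan_all() {
    local d rc=1
    for d in $NIMDOOR_DIRS; do
        scan_plist_dir "$d" && rc=0
    done
    return $rc
}

# A match is a review list, not a verdict: open each flagged file and check what its
# ProgramArguments point at before deleting it, since /var/folders/ paths also
# appear in some legitimate agents.
scan_all || echo "No NimDoor indicators found in: $NIMDOOR_DIRS"
```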
Step 5: Remove Rogue Browser Extensions
Safari
- Open Safari > Preferences > Extensions
- Uninstall suspicious extensions
Chrome
- Go to Chrome > Settings > Extensions
- Remove anything unfamiliar
Firefox
- Open Firefox > Add-ons > Extensions
- Remove suspicious entries
Step 6: Reset Browsers to Default
Safari:
- Safari > Preferences > Privacy > Manage Website Data > Remove All
Chrome:
- Chrome > Settings > Reset and clean up > Restore settings to their original defaults
Firefox:
- Help > More Troubleshooting Information > Refresh Firefox
Step 7: Clear Keychain and Update Passwords
- Open Keychain Access (Applications > Utilities).
- Search for stored login credentials related to compromised accounts.
- Remove suspicious entries.
- Change passwords for all major services (Apple ID, email, banking, cloud storage, etc.).
- Enable two-factor authentication (2FA) where available.
Automatic Removal Using SpyHunter for Mac (RECOMMENDED)
(Recommended for all users seeking fast, secure removal)
SpyHunter for Mac is a professional anti-malware solution designed to detect and eliminate Mac-specific threats, including info-stealers, adware, browser hijackers, and trojans.
Step 1: Download SpyHunter for Mac
Click the link below to download the latest version of SpyHunter (Download SpyHunter for Mac)
Need installation help? Follow this guide: SpyHunter Download Instructions
Step 2: Install and Launch SpyHunter
- Open the downloaded SpyHunter-Mac.dmg file.
- Drag SpyHunter to your Applications folder.
- Open SpyHunter and grant necessary permissions when prompted.
Step 3: Scan Your Mac
- Launch SpyHunter.
- Click Start Scan.
- Let it complete the system scan to detect all malware traces.
- Click Fix Threats to remove detected infections.
Step 4: Activate Real-Time Protection
- Open SpyHunter’s Settings and turn on real-time malware monitoring to block future threats.
Prevention Tips to Stay Safe on macOS
- Avoid downloading cracked software or torrents
- Only install apps from the Mac App Store or official vendor websites
- Keep macOS and all apps updated regularly
- Be cautious with email attachments and fake software updates
- Use strong, unique passwords and enable 2FA
- Consider a comprehensive anti-malware tool like SpyHunter for Mac
Conclusion
NimDoor is not your average malware—it’s a sophisticated threat that uses multiple layers of defense evasion, persistence, and data theft. For anyone operating a macOS device in sensitive or financial environments, the risk is extremely high. Swift removal with trusted anti‑malware like SpyHunter is recommended, followed by a full security audit.
