Recent intelligence reveals a significant escalation in cyber activities by North Korean state-sponsored hacking groups, specifically targeting Web3 and cryptocurrency-related businesses. These sophisticated threat actors are employing novel tactics, including the use of malware written in the unconventional Nim programming language and a refined social engineering technique known as “ClickFix,” all as part of their ongoing “BabyShark” campaign.
Cybersecurity researchers have highlighted a new Nim-based malware, dubbed “NimDoor,” which is being deployed in these attacks. Nim, known for its performance and portability across operating systems like macOS, Windows, and Linux, allows the attackers to craft highly efficient and evasive malicious binaries. NimDoor leverages unusual techniques, such as process injection and remote communications via TLS-encrypted WebSockets (wss), making detection challenging. Furthermore, it exhibits a novel persistence mechanism that exploits signal handlers, ensuring the malware reinstalls itself even after termination or system reboots. Initial access for these NimDoor attacks often involves elaborate social engineering, with victims being lured through fake Zoom meeting invites and supposed “SDK update scripts.”
Concurrently, the North Korean Kimsuky group, a well-known APT, is continuing its “BabyShark” campaign with an evolved “ClickFix” social engineering tactic. Originally designed to trick users into clicking a “fix it” button to resolve a non-existent error, the updated ClickFix now prompts victims to copy and paste authentication codes to access seemingly secure documents. This new variant, observed since January 2025, has been used in spear-phishing attempts targeting national security experts and others, often masquerading as interview requests or official meeting documents. The malicious process typically involves opening a decoy document while, in the background, a Visual Basic Script (VBS) or PowerShell command establishes persistence and harvests system information.
The “BabyShark” campaign has a history of swiftly adopting new attack techniques, integrating them with script-based mechanisms to distribute various remote access tools and information stealers. This latest evolution, combining the evasive Nim malware with the highly deceptive ClickFix tactic, underscores the persistent and adaptable nature of North Korean cyber threats. The relentless pursuit of cryptocurrency and sensitive data by these groups poses a significant risk to individuals and organizations within the Web3 ecosystem and beyond.
