CoreKitAgent
CoreKitAgent is a Nim-compiled macOS malware component used in DPRK-linked operations targeting Web3, cryptocurrency, and related tech organizations. Reporting places it within the broader NimDoor / DownTroy v2 intrusion chain and associates the activity with North Korean threat actors, including reporting linked to BlueNoroff/Lazarus in related campaign coverage. It is deployed after social-engineering lures delivered via Telegram, Calendly, and fake Zoom or Teams meeting workflows that trick victims into running a malicious AppleScript "SDK update." In observed chains, Nim-based binaries, including an installer and a deceptive loader named "GoogIe LLC" (uppercase I in place of lowercase l, so that it passes as "Google LLC"), are dropped to disk, with CoreKitAgent serving as the persistence and launch component.
CoreKitAgent reads hidden configuration data written by the GoogIe LLC loader and writes a LaunchAgent plist, ~/Library/LaunchAgents/com.google.update.plist, to establish persistence. The LaunchAgent names the GoogIe LLC binary as its program argument and stores a CLIENT_AUTH_KEY derived from the configuration. CoreKitAgent installs its own SIGINT and SIGTERM handlers, so an attempt to kill the process, or a reboot, triggers persistence deployment instead of a clean exit: the handler writes the LaunchAgent, a copy of GoogIe LLC, and a copy of itself to disk and sets executable permissions. The binary is built around macOS kqueue and an asynchronous Nim state machine, and includes a 10-minute asynchronous sleep routine assessed as likely anti-VM or sandbox evasion.
CoreKitAgent also decodes an embedded, hex-encoded AppleScript, writes it to ~/.ses, and launches it via osascript. That AppleScript beacons every 30 seconds to one of two hard-coded C2 hosts, writeup[.]live and safeup[.]store, chosen at random; it posts a listing of running processes on the victim machine and executes whatever the server returns via AppleScript's run script, functioning as a backdoor. Related reporting describes CoreKitAgent as a dropper or launchpad for the Nimcore loader and the AppleScript-based DownTroy/NimDoor payloads. Associated campaign infrastructure includes spoofed Zoom-themed domains such as support.us05web-zoom[.]pro, support.us05web-zoom[.]forum, support.us05web-zoom[.]cloud, and support.us06web-zoom[.]online. Other payloads observed in the same campaign stole data from browsers, the macOS Keychain, shell history, and Telegram, and exfiltrated it to https://dataupload[.]store/uploadfiles. CoreKitAgent has been observed both stripped and unsigned and unstripped and ad hoc signed; telemetry cited in the reporting notes a stripped sample uploaded from South Korea in October 2024 and an unstripped variant observed in the wild in early April 2025.
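The two host artifacts described above (the com.google.update LaunchAgent pointing at a "GoogIe LLC" binary, and osascript running the hidden ~/.ses script) are the cheapest things to hunt for. The following is an added hunting example written for this page; it is not code from the reporting or from the malware. The label, the homoglyph name, and the ~/.ses path come from the page; the install directory used in the sample plist, the plist key assumed to hold CLIENT_AUTH_KEY, and the process-event layout are assumptions, and all sample plists and events are constructed.

```python
"""Hunt for the CoreKitAgent persistence artifacts described above.

Added example (not code from the reporting or from the malware). It checks
two things the write-up gives us: a LaunchAgent plist using the
"com.google.update" label and a "GoogIe LLC" program path (uppercase I for
lowercase l), and a process event where osascript runs the hidden ~/.ses
script. The sample plists and events are constructed; the install directory
and the plist key holding CLIENT_AUTH_KEY are assumptions.
"""
import plistlib
import re
from pathlib import Path

IOC_LABEL = "com.google.update"  # LaunchAgent label from the reporting
HIDDEN_SCRIPT = ".ses"           # hidden AppleScript name from the reporting
# Look-alike characters an attacker swaps in to pass as a trusted vendor name.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def looks_like_homoglyph(token: str, target: str) -> bool:
    """True if token spells target only after mapping confusable characters.

    'GoogIe' -> True (I stands in for l); 'Google' -> False (genuine spelling).
    """
    if token.lower() == target.lower():
        return False
    return token.translate(CONFUSABLES).lower() == target.lower()


def scan_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchAgent plist looks like CoreKitAgent persistence."""
    data = plistlib.loads(plist_bytes)
    findings = []
    if data.get("Label") == IOC_LABEL:
        findings.append(f"label matches IOC {IOC_LABEL}")
    # launchd accepts either Program or ProgramArguments; check both.
    args = list(data.get("ProgramArguments", []))
    if isinstance(data.get("Program"), str):
        args.insert(0, data["Program"])
    for arg in args:
        for token in re.split(r"[/\s]+", arg):
            if looks_like_homoglyph(token, "google"):
                findings.append(f"homoglyph of 'Google' in program path: {token!r}")
    # Assumption: the key is stored as a launchd environment variable.
    if "CLIENT_AUTH_KEY" in data.get("EnvironmentVariables", {}):
        findings.append("CLIENT_AUTH_KEY set in EnvironmentVariables")
    return findings


def scan_process_event(event: dict) -> list[str]:
    """Flag osascript launching the hidden ~/.ses backdoor script.

    event is a constructed dict: {"exe": "/path/to/binary", "args": [argv...]}.
    """
    if Path(event.get("exe", "")).name != "osascript":
        return []
    if any(Path(a).name == HIDDEN_SCRIPT for a in event.get("args", [])):
        return [f"osascript executing hidden script {HIDDEN_SCRIPT}"]
    return []


def scan_launch_agents_dir(directory: Path = Path.home() / "Library/LaunchAgents") -> dict:
    """Scan every plist in a LaunchAgents directory (empty result if absent)."""
    if not directory.is_dir():
        return {}
    results = {}
    for plist in directory.glob("*.plist"):
        try:
            hits = scan_launch_agent(plist.read_bytes())
        except Exception as exc:  # malformed plist: report it, don't abort the hunt
            hits = [f"unparseable plist: {exc}"]
        if hits:
            results[str(plist)] = hits
    return results


# Constructed sample data (not real telemetry).
MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.update</string>
  <key>ProgramArguments</key><array>
    <string>/Users/victim/Library/Application Support/GoogIe LLC</string>
  </array>
  <key>EnvironmentVariables</key><dict>
    <key>CLIENT_AUTH_KEY</key><string>placeholder-constructed</string>
  </dict>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Users/victim/Library/Google/GoogleUpdater</string>
  </array>
</dict></plist>"""

SAMPLE_EVENTS = [
    {"exe": "/usr/bin/osascript", "args": ["/usr/bin/osascript", "/Users/victim/.ses"]},
    {"exe": "/usr/bin/osascript", "args": ["/usr/bin/osascript", "-e", "beep"]},
]

if __name__ == "__main__":
    print(scan_launch_agent(MALICIOUS_PLIST))
    print(scan_launch_agent(BENIGN_PLIST))
    for ev in SAMPLE_EVENTS:
        print(scan_process_event(ev))
    print(scan_launch_agents_dir())  # live scan of this user's LaunchAgents on macOS
```

The homoglyph check is deliberately not a plain string match on "GoogIe": the loader name is one instance of a general trick, so the scan normalizes confusable characters and flags any token that only becomes "google" after that normalization, while a correctly spelled "Google" path is left alone. Run on a macOS host, scan_launch_agents_dir() walks the current user's ~/Library/LaunchAgents; on any other system it returns an empty dict.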
Groups observed using it
4 distinct threat actors attributed by public researchers.
The researchers detail how NimDoor deploys two key binaries: a loader with the misspelled name GoogIe LLC (using an uppercase ‘i’ rather than lowercase ‘L’) and a trojan called CoreKitAgent.
DownTroy v2, which uses a dropper named CoreKitAgent to launch Nimcore loader, which then launches AppleScript-based DownTroy (aka NimDoor)...
Also dropped as part of the attacks is a collection of Nim-based executables that are used as a launchpad for CoreKitAgent, which monitors for user attempts to kill the malware process and ensures persistence.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence
2 techniques
When the LaunchAgent is activated by a user login or reboot, GoogIe LLC is launched, which in turn calls CoreKitAgent and the rest of the payload logic.
A novel persistence mechanism takes advantage of SIGINT/SIGTERM signal handlers to install persistence when the malware is terminated or the system rebooted... When triggered, CoreKitAgent catches these signals and writes the LaunchAgent for persistence, a copy of GoogIe LLC as the loader, and a copy of itself as the trojan.
Privilege Escalation
2 techniques
The same two entries as under Persistence: the LaunchAgent that launches GoogIe LLC (and through it CoreKitAgent) at login or reboot, and the SIGINT/SIGTERM handlers that write the LaunchAgent, the loader copy, and the trojan copy when the process is terminated. ATT&CK lists LaunchAgent creation under both tactics, which is why the entries appear twice.
Stealth
2 techniques
Discovery
3 techniques
On execution, the script beacons out every 30 seconds to one of the two hardcoded C2s, chosen at random, and attempts to post data obtained from listing all running processes on the victim machine.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Dropper used in the DownTroy v2 chain to launch a loader (Nimcore), which then runs AppleScript-based DownTroy/NimDoor to retrieve additional scripts from an external server.
A macOS trojan/backdoor component in the NimDoor chain that uses a novel signal-based persistence approach: it waits for termination/reboot and then leverages termination signals to write out copies of itself, the loader, and a LaunchAgent for persistence. It also runs a hex-encoded AppleScript to beacon to hardcoded C2 and execute scripts returned by the server.
A Nim-compiled NimDoor component that manages persistence, uses signal handlers for resilient installation, contains an asynchronous state machine, and deploys an AppleScript beacon/backdoor that polls C2 every 30 seconds and executes returned commands.
A Nim-based component in the NimDoor toolset that monitors for termination attempts and helps ensure persistence/resilience by triggering deployment of core components when defenders/users try to kill the malware.