North Korean threat actors are actively targeting Web3 and cryptocurrency platforms with a sophisticated, newly discovered malware strain known as CoreKitAgent. Developed in the Nim programming language, CoreKitAgent uses expert-level techniques: anti-virtual machine (VM) and sandbox countermeasures, complex state-machine-based control flow, and AppleScript for command and control (C2) communication. This malware represents a significant step up in the sophistication of the threats we face and illustrates the growing capability and targeting of North Korean cyber operations. Security researchers have described CoreKitAgent as the most technically complex of the four Nim binaries seen in this campaign. This finding reflects a highly developed capability for establishing a stealthy and persistent foothold on compromised machines.

This malware is more than a simple financially motivated data-theft intrusion. Beyond serving as an indicator of the actors' capability, it functions as a backdoor that introduces a critical risk for enterprises operating in the Web3 and cryptocurrency industries. Since Nim is a relatively uncommon programming language for malware, malicious activity developed in Nim can be more challenging to detect and analyze. The choice of language reflects the effort these threat actors invest in operating stealthily. The discovery of CoreKitAgent is a reminder that greater awareness and proactive security initiatives are critically important across these high-value industries.

Anti-VM and Sandbox Evasion Techniques

CoreKitAgent employs several evasion techniques to avoid detection and analysis. Notably, it uses a deliberate sleep schedule designed to defeat virtual machine and sandbox testing environments. The _sleepAsync__user95startup95main_u73 function implements the sleep using the operating system’s mach_absolute_time and mach_timebase_info APIs, and uses spinlocks to create an asynchronous sleep period of ten minutes.

Rather than simply blocking execution for ten minutes, CoreKitAgent registers a wake-up time with a global dispatcher, so the main event loop keeps running in the meantime. This considerably complicates detection and analysis in the automated testing environments the malware expects to encounter. The technique reflects a deliberate effort to avoid drawing attention during the early stage of execution. Because the sleep is asynchronous, the rest of the program continues to function without interruption, which also makes the malware more resilient to interruptions.

When Case 7 is triggered, the malware sleeps until the timer completes. This is a specific, targeted approach to delaying its malicious activity. By introducing this delay, CoreKitAgent aims to outlast the short analysis windows commonly used by sandboxes and other virtualized environments. This underscores the malware’s sophisticated design, as well as the attackers’ knowledge of how defenders operate.

AppleScript-Based Command and Control

CoreKitAgent conducts all communication with its command and control (C2) server via AppleScript. It uses a distinctive method of generating identifiers and supports HTTP header handling. The malware uses AppleScript to obtain the current Unix timestamp via the date command, then derives a new ID from that timestamp. This ID is emitted and embedded in the corresponding HTTP header string, giving the C2 server the ability to track and control each compromised machine individually.

The binary includes an embedded AppleScript that serves as a beacon, notifying the C2 server that the infected system is online. Function a acts as a backdoor, since it allows arbitrary commands to be executed: the C2 server sends crafted responses, which are executed via the run script command. This gives attackers complete control over any system they compromise. The functionality essentially provides backdoor access to the machine, enabling a broad range of malicious actions such as data exfiltration, installation of additional malware, and system misconfiguration.

AppleScript gives the attackers a general-purpose tool for controlling infected systems, and its ready availability on macOS makes it all the more valuable to them. The malware also contains an embedded .ses script; understanding this script would shed further light on how the malware works and how it interacts with the host system. This reliance on scripting languages allows the malware's behavior to be modified dynamically, making it more adaptable to different environments and target profiles.

Table-Driven State Machine

CoreKitAgent's control flow is managed by a table-driven state machine, a sophisticated technique that increases the malware's complexity and makes analysis more challenging. The current execution state is stored in memory and updated using a lookup table written into the __const section of the binary. This lookup table determines the flow of execution, taking into account the current context and the results of previous operations, which allows intricate and fluid behavior.

The malware’s control flow is governed by a 10-case switch statement implemented as a table-driven state machine. The switch statement invokes different functions depending on the current state, which lets the malware carry out many different activities in an organized and systematic manner. The state machine also obscures the malware's behavior: a static analyzer has difficulty recovering the control flow from the code alone, because the transitions live in the table rather than in the code.

This design choice fits a clear philosophy of obscuring what the malware does and frustrating reverse engineering as much as possible. The hard-coded lookup table, with more than one million entries, obfuscates the malware’s logic, leaving security researchers hard pressed to uncover its malicious functionality. The table-driven, event-driven approach also makes it easy for attackers to modify the malware’s behavior simply by changing the contents of the lookup table rather than the core code itself.
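To make the technique concrete, the following is an added Python model (not CoreKitAgent's code) of a 10-state table-driven dispatcher together with the analyst's side of the problem: recovering control-flow edges and unreachable states from the extracted table rather than from the code. The state numbers, handler names, transitions, and the mapping of state 7 to the sleep step are constructed assumptions.

```python
from collections import deque
# Constructed stand-in for a read-only dispatch table in __const (not the real
# table): state -> (handler, next state on success, next state on failure).
# The 10-case switch only consults this data, so the order of operations is
# invisible to a static analyzer that reads the code alone.
TABLE = {
    0: ("init", 1, 9),
    1: ("check_env", 2, 7),
    2: ("beacon", 3, 7),
    3: ("fetch_task", 4, 2),
    4: ("exec_task", 2, 9),
    5: ("unused_a", 5, 5),
    6: ("unused_b", 6, 6),
    7: ("sleep_10m", 1, 1),  # assumed to mirror the page's Case 7 sleep
    8: ("unused_c", 8, 8),
    9: ("exit", None, None),
}
def step(state, outcome):
    """One dispatcher turn: resolve the handler and the successor state."""
    handler, on_ok, on_fail = TABLE[state]
    return handler, (on_ok if outcome == "ok" else on_fail)

def run(outcomes, start=0):
    """Drive the machine with scripted handler outcomes; return the handler trace."""
    trace, state = [], start
    for outcome in outcomes:
        handler, state = step(state, outcome)
        trace.append(handler)
        if state is None:  # terminal state
            break
    return trace

def reachable_states(start=0):
    """Analyst view: breadth-first walk of the table from the entry state."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in TABLE[queue.popleft()][1:]:
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen
def dead_states():
    """Table entries unreachable from entry: padding, dormant or removed features."""
    return set(TABLE) - reachable_states()

def edges():
    """Recovered control-flow edges as sorted (handler, outcome, next handler) triples."""
    return sorted((h, lbl, TABLE[nxt][0]) for h, ok, fail in TABLE.values()
                  for lbl, nxt in (("ok", ok), ("fail", fail)) if nxt is not None)
```

Changing a single tuple in TABLE reroutes execution without touching any handler, which is exactly why the table, not the code, is what an analyst must extract.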

Malware Versions and Distribution

Two different versions of CoreKitAgent have been identified: a stripped version and an unstripped version with an ad hoc signature. In early April 2025, researchers found the unstripped variant in the wild, while the stripped version had been uploaded from South Korea as early as October 2024. This may indicate that the attackers use different builds of the malware for targeted attacks, or that they are targeting very different geographic areas.

The ad hoc signature on the unstripped version indicates that it was probably used for testing or a testbed deployment, since macOS’s security mechanisms would not trust it by default. The stripped version could have been used in broader campaigns; its smaller size makes it somewhat easier to hide. The variations may indicate different stages in development or different levels of sophistication in the targeting.

The upload of the stripped version from South Korea suggests that the attackers may be operating from or through this region. This kind of information can be invaluable to law enforcement agencies and security researchers working to trace the source of the malware. The different versions of CoreKitAgent highlight the dynamic nature of the threat and the need for continuous monitoring and analysis to stay ahead of the attackers.