
FlexibleFerret Malware Targets macOS Users and Avoids Detection by XProtect


A new malware strain known as “FlexibleFerret” has been discovered targeting developers and job seekers as part of an ongoing phishing operation orchestrated by North Korean threat actors. Even after Apple’s recent updates to its XProtect malware detection tool, this new variant has been able to slip past the existing protections, raising concerns about the security of macOS systems.

This latest iteration, FlexibleFerret, is part of a wider malware family called “FERRET,” which was first uncovered back in December 2024. The initial emergence of this malware family was linked to the “Contagious Interview” campaign, where unsuspecting victims were tricked into installing malicious software disguised as legitimate applications like virtual meeting tools and browser updates.

In a recent analysis by SentinelLabs, it was revealed that FlexibleFerret employs sophisticated techniques to evade detection. The malware is distributed through a malicious installer package named “versus.pkg,” which bundles deceptive components such as InstallerAlert.app and a counterfeit Zoom binary. Upon installation, the package deploys additional scripts and binaries in concealed locations on the infected device, establishing persistence and executing its malicious payload.

One of the notable features of FlexibleFerret is its use of authentic-looking Apple Developer signatures to enhance credibility. Although the developer signature associated with the malware has been revoked, threat actors leveraged it to bypass macOS Gatekeeper protections during distribution. The malware also mimics system behaviors to avoid raising suspicions, such as displaying fake error messages to mislead users.

The broader spectrum of threats posed by the “Contagious Interview” campaign and the FERRET malware family, including FlexibleFerret, underscores a concerted effort by North Korean advanced persistent threat (APT) groups. These actors not only target job seekers but also developers utilizing platforms like GitHub. SentinelLabs observed attackers posting fraudulent issues and comments on GitHub to entice developers into downloading infected files, including components of the FERRET malware.

FlexibleFerret also employs tactics seen in other North Korea-linked campaigns, such as utilizing Dropbox APIs for exfiltration and IP resolution services like api.ipify.org for device monitoring. Despite some FERRET components being added to XProtect’s blocklist, the FlexibleFerret variant remains undetected by the latest version of Apple’s security tool.

The discovery of FlexibleFerret highlights the importance of heightened vigilance among macOS users, especially developers. As threat actors evolve their malware delivery methods and develop variants that can evade traditional protections, adherence to security best practices is crucial. This includes utilizing endpoint protection, avoiding untrusted downloads, and actively monitoring for signs of compromise.
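As an added illustration of the “actively monitoring for signs of compromise” advice, the following Python hunt is example code written for this page; it is not code from the article or from SentinelLabs. It walks a small set of constructed endpoint log lines and flags the indicators the article names: the versus.pkg installer, the dropped InstallerAlert.app, lookups to api.ipify.org, and Dropbox API traffic from a process that has no business using it. The log line format, the process names, the allow-list of legitimate Dropbox clients and the Dropbox API hostname api.dropboxapi.com are assumptions for the example, not values taken from the page.

```python
"""Hunt constructed endpoint log lines for the FlexibleFerret indicators named in the article."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# File artefacts named in the article (installer package and the app it drops).
FILE_INDICATORS = ("versus.pkg", "InstallerAlert.app")

# Processes a defender expects to talk to the Dropbox API legitimately (assumption for the example).
EXPECTED_DROPBOX_PROCESSES = {"Dropbox"}

# Constructed log line shape (assumption): "<timestamp> net proc=<name> dest=<host>"
#                                       or "<timestamp> file proc=<name> path=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:net\s+proc=(?P<nproc>\S+)\s+dest=(?P<host>\S+)"
    r"|file\s+proc=(?P<fproc>\S+)\s+path=(?P<path>\S+))$"
)


@dataclass
class Hit:
    ts: str
    proc: str
    indicator: str
    reason: str


def scan_line(line: str) -> Optional[Hit]:
    """Return a Hit when a single log line matches one of the article's indicators, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unknown line shape: skip it rather than abort the whole hunt

    if m["path"] is not None:  # file event
        name = m["path"].rsplit("/", 1)[-1]
        for indicator in FILE_INDICATORS:
            if name.lower() == indicator.lower():
                return Hit(m["ts"], m["fproc"], indicator, "file artefact from the FERRET installer chain")
        return None

    # network event
    proc, host = m["nproc"], m["host"].lower().rstrip(".")
    if host == "api.ipify.org" or host.endswith(".ipify.org"):
        return Hit(m["ts"], proc, "api.ipify.org", "external IP lookup used for device monitoring")
    # api.dropboxapi.com is an assumed hostname for the Dropbox API used for exfiltration.
    if host.endswith("dropboxapi.com") and proc not in EXPECTED_DROPBOX_PROCESSES:
        return Hit(m["ts"], proc, host, "Dropbox API contact from a process not expected to use it")
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Run scan_line over every line and collect the hits in log order."""
    return [hit for hit in map(scan_line, lines) if hit is not None]


# Constructed sample log: two installer artefacts, a fake "zoom" binary phoning out,
# the real Dropbox client, and benign noise that must not be flagged.
SAMPLE_LOG = """\
2025-02-03T10:00:01Z file proc=Installer path=/Users/dev/Downloads/versus.pkg
2025-02-03T10:00:05Z file proc=Installer path=/private/tmp/InstallerAlert.app
2025-02-03T10:00:09Z net proc=zoom dest=api.ipify.org
2025-02-03T10:00:12Z net proc=zoom dest=api.dropboxapi.com
2025-02-03T10:01:00Z net proc=Dropbox dest=api.dropboxapi.com
2025-02-03T10:02:00Z net proc=Safari dest=www.apple.com
2025-02-03T10:03:00Z file proc=Finder path=/Users/dev/Documents/notes.txt
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} {hit.proc:<10} {hit.indicator:<20} {hit.reason}")
```

Matching is on exact file names and on host suffixes rather than on full paths, because the article notes the payload is dropped into concealed locations; the Dropbox allow-list is what keeps the legitimate sync client from drowning the alert in noise.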

Organizations and individuals are advised to stay informed about the latest threat intelligence and employ robust security solutions capable of detecting advanced malware families like FERRET. By remaining proactive and implementing strong security measures, users can better defend against evolving cyber threats.
