“Contagious Interview” Targets macOS with FlexibleFerret Malware
THREAT ADVISORY
ATTACK REPORT
Date of Publication: February 6, 2025
Admiralty Code: A1
TA Number: TA2025031
Summary
Active Since: January 2025
Targeted Countries: Worldwide
Malware: FlexibleFerret, FRIENDLYFERRET, FROSTYFERRET_UI, and MULTI_FROSTYFERRET_CMDCODES
Targeted Industries: Cryptocurrency, Finance, Software Development
Affected Platform: macOS
Campaign Name: Contagious Interview (aka CL-STA-0240)
Attack: The macOS Ferret malware, linked to North Korean threat actors, targets job seekers
and developers through the "Contagious Interview" campaign using fake software installations.
A new variant, FlexibleFerret, evades Apple’s XProtect and gains persistence by masquerading
as legitimate system processes. Attackers are expanding their tactics, using GitHub to distribute
malware, emphasizing the need for enhanced security vigilance.
Campaign Timeline
[Timeline figure. Dates on the axis: December 2022, March 2023, November 2023, November 2024, December 2024, January 2025. Event labels: Contagious Interview Emerged; New npm-based Malware Variants; Expansion: BeaverTail, InvisibleFerret Cross-Platform, Obfuscation Enhanced; WageMole Connection Discovered & Campaign evolves to include fake video conferencing tools and broader targeting; New Malware OtterCookie & Ferret Integration; Ferret variants expand, including FlexibleFerret, to evade detection.]
Attack Details
#1
A new wave of macOS malware, attributed to North Korean threat actors, is actively targeting users through the "Contagious Interview" campaign. This attack exploits job …
IoC