FlexibleFerret: macOS Malware Deploys in Fake Job Scams
FlexibleFerret malware continues to strike
Beware of fake job assessments that ask you to run Terminal commands — they could be a social engineering scheme to deploy the FlexibleFerret malware and steal your credentials. Jamf Threat Labs analyzes their latest discovery.
Author: Ferdous Saljooki
Introduction
Early in 2025, a SentinelOne blog post brought to light a malware family known as FlexibleFerret. This malware family is attributed to DPRK-aligned operators and tied to fake recruitment lures associated with the Contagious Interview operation. In this operation, individuals are led through staged hiring tasks that result in the execution of malicious instructions.
Earlier this month, Validin published a blog post detailing an attack that they identified as a new variant of the Contagious Interview campaign. Jamf Threat Labs has been tracking similar activity stemming from in-the-wild detections that began with the execution of a script called /var/tmp/macpatch.sh. This script matched indicators of the previously used FlexibleFerret …
IoC