Thursday, May 8, 2025

FlexibleFerret Malware Attacking macOS Users, Evading XProtect Detections


A new macOS malware variant, dubbed “FlexibleFerret,” has been identified targeting developers and job seekers as part of an ongoing North Korean phishing campaign.

Despite Apple’s recent signature updates to its XProtect malware detection tool, this latest variant demonstrates the ability to bypass protections, raising new concerns about macOS cybersecurity.

FlexibleFerret belongs to a broader family of malware known as “FERRET,” initially uncovered in December 2024.


This malware family was attributed to the “Contagious Interview” campaign, where victims were lured through fake job interviews to install malicious software disguised as legitimate applications like virtual meeting tools or browser updates.

Technical Breakdown of FlexibleFerret

Recent investigations by SentinelLabs revealed that the FlexibleFerret variant leverages sophisticated techniques to evade detection.

Delivered via a malicious installer package, titled “versus.pkg,” the dropper includes deceptive components such as InstallerAlert.app and a fake Zoom binary.

[Figure: File contents of the FlexibleFerret dropper, versus.pkg]

The package installs additional scripts and binaries in concealed locations on infected devices, including /var/tmp/ and /private/tmp/, where it achieves persistence and executes its payload.

One of the standout features of the malware is its use of legitimate-looking Apple Developer signatures for credibility.

Although the developer signature linked to FlexibleFerret has since been revoked, threat actors exploited it to bypass macOS Gatekeeper protections during distribution.

The malware mimics system behaviors to avoid arousing suspicion. For instance, one of its executables, InstallerAlert, throws a fake macOS error message, “This file is damaged and cannot be opened,” giving users the impression that the application failed to execute.

In the background, however, the malware establishes persistence mechanisms, such as planting a malicious LaunchAgent file disguised as a legitimate Zoom service, targeting /private/var/tmp/logd for its payload operations.
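As an added example (not code from the article or from SentinelLabs), the following triage script applies the persistence indicators described above to LaunchAgent plists: a program that runs from /private/var/tmp or /var/tmp, or a label that borrows a vendor name such as Zoom while the binary sits outside /Applications. The plist contents and labels are constructed for illustration; the real item's label is not given here.

```python
"""Triage helper for macOS LaunchAgent plists.
Flags items whose program lives in a temp directory or whose label imitates a
vendor while the binary is not under /Applications. Added example; the label
and path heuristics are assumptions, not SentinelLabs' detection logic."""
import plistlib
from pathlib import PurePosixPath

# Staging directories the article names for the dropper's files.
TEMP_ROOTS = ("/var/tmp", "/private/tmp", "/private/var/tmp", "/tmp")
# Vendor names the persistence item is described as imitating (assumption).
IMPERSONATED = ("zoom",)


def program_of(plist: dict) -> str:
    """Executable a launchd item runs, from Program or ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def in_temp_dir(path: str) -> bool:
    """True if path is one of TEMP_ROOTS or lies beneath one of them."""
    p = PurePosixPath(path)
    return any(p == PurePosixPath(r) or PurePosixPath(r) in p.parents
               for r in TEMP_ROOTS)


def assess(plist_bytes: bytes) -> list:
    """Return reasons a LaunchAgent looks suspicious (empty list = clean)."""
    plist = plistlib.loads(plist_bytes)
    label = str(plist.get("Label", "")).lower()
    prog = program_of(plist)
    reasons = []
    if not prog:
        reasons.append("no Program/ProgramArguments")
    elif in_temp_dir(prog):
        reasons.append(f"program runs from temp dir: {prog}")
    if any(v in label for v in IMPERSONATED) and not prog.startswith("/Applications/"):
        reasons.append(f"label '{label}' imitates a vendor but binary is {prog or 'missing'}")
    if plist.get("RunAtLoad") and reasons:
        reasons.append("RunAtLoad set: relaunches at every login")
    return reasons


# Constructed sample resembling the item the article describes (label is made up).
SUSPECT = plistlib.dumps({"Label": "us.zoom.ZoomDaemon",
                          "ProgramArguments": ["/private/var/tmp/logd"],
                          "RunAtLoad": True})
# Constructed benign item for comparison.
BENIGN = plistlib.dumps({"Label": "us.zoom.updater",
                         "ProgramArguments": ["/Applications/zoom.us.app/Contents/MacOS/zoom.us"],
                         "RunAtLoad": True})

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, assess(blob) or ["clean"])
```

On a live system the same function can be run over every file in ~/Library/LaunchAgents and /Library/LaunchAgents.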

A Broader Threat Spectrum

The “Contagious Interview” campaign and the FERRET malware family, including FlexibleFerret, reflect a well-coordinated effort by North Korean advanced persistent threat (APT) groups.

These groups target not only job seekers but also developers on code-hosting platforms such as GitHub.

[Figure: A threat actor tries to trick GitHub users into downloading FERRET malware]

SentinelLabs observed attackers posting fake issues and comments to lure developers into downloading infected files, including components of the FERRET malware.

FlexibleFerret also employs common tactics seen in other North Korea-linked campaigns, such as the use of Dropbox APIs for exfiltration and IP resolution services like api.ipify.org to monitor infected devices.

While Apple has added some FERRET components to XProtect’s blocklist, the FlexibleFerret variant remains undetected by the latest version of the tool.

The emergence of FlexibleFerret underscores the need for heightened vigilance among macOS users, particularly developers.

As attackers expand their malware delivery methods and develop variants capable of evading traditional protections, security best practices, including using endpoint protection, avoiding untrusted downloads, and monitoring for indicators of compromise, are critical.

Organizations and individuals are encouraged to stay updated with the latest threat intelligence and to employ robust security solutions capable of detecting advanced malware families like FERRET.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
