FlexibleFerret is a multi-stage macOS malware chain that uses staged scripts, social-engineering lures, and a persistent backdoor written in Go to steal credentials and maintain long-term remote access to infected systems.
Attackers associated with the DPRK-linked "Contagious Interview" campaign deliver the malware primarily through fake recruitment or job-assessment workflows that convince targets to run Terminal commands or scripts outside normal macOS protections.
After initial execution, a shell script checks whether the victim's Mac uses Apple silicon or Intel architecture, reconstructs a download path, and retrieves an appropriate next-stage payload, which is unpacked into a temporary directory and launched in the background.
The script establishes persistence by creating a LaunchAgent so the loader runs at every login, then opens a decoy application that imitates Chrome permission prompts and ultimately presents a Chrome-style password window in order to capture the user's credentials. Exfiltration of stolen passwords relies on a Dropbox account: the malware assembles the Dropbox host from small string fragments to hinder detection and uses the legitimate Dropbox upload API, while also querying an external service such as api.ipify.org to record the victim's public IP address.
In the later stage, the loader starts a Go-based backdoor component (for example, a project identified as CDrivers or related binaries in the broader FERRET family) that generates a unique machine identifier and connects to hard-coded command-and-control servers. Through a persistent command loop with error-handling and timed retries, this backdoor can collect system information, upload and download files, execute shell commands, extract Chrome profile data, and automate additional credential theft, effectively giving operators durable, covert control over compromised macOS hosts.
Source: https://www.infosecurity-magazine.com/news/flexibleferret-malware-macos-go/
Commentary
Once viewed as a safer choice, Macs used in organizations now sit squarely in the sights of cybercriminals. macOS adoption continues to grow in corporate environments, especially among developers and executives who often have elevated access to code, credentials and sensitive data, making each compromised Mac a high-value foothold.
Threat actors, including state-linked groups, have responded with a surge of macOS-specific malware that blends social engineering with multi-stage loaders and backdoors rather than relying on traditional exploits.
Campaigns such as the FlexibleFerret job-recruitment scams noted above use fake LinkedIn postings and bogus hiring portals to convince users to run Terminal commands or "updates" that silently install persistent malware capable of stealing passwords, exfiltrating files and providing remote control of the device.
This activity builds on a broader rise in macOS information-stealers, trojanized productivity apps and notarized or signed binaries that can bypass built-in protections and live off the land once inside the environment.
Organizations that rely on Macs should treat them as full-fledged enterprise endpoints, not exceptions. Baseline controls include enforcing least-privilege administration, hardening Terminal and scripting use, and requiring vetted software distribution rather than ad hoc downloads or recruiter-supplied tools.
Security teams should use macOS-aware endpoint protection and logging so they can detect obfuscated scripts, unusual LaunchAgents and unexpected network connections rather than depending solely on default XProtect or Gatekeeper decisions.
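One way to act on the LaunchAgent part of that advice is a small triage script that parses each plist in a user's LaunchAgents directory and flags the combination the page describes: run-at-login persistence, a shell one-liner in place of a signed binary, and a program launched in the background from a temporary directory. The following is an added example written for this commentary, not a tool from the article or from any vendor; the heuristics, the threshold of two reasons, and the two sample plists (labelled BENIGN_PLIST and STAGED_LOADER_PLIST) are constructed here for illustration and would need tuning against a real fleet's baseline.

```python
"""Triage macOS LaunchAgent plists for staged-loader persistence indicators.

Hypothetical helper (not a project tool): parses each plist with the
standard-library plistlib and records reasons an analyst should review it.
"""
import plistlib
import re
from dataclasses import dataclass
from pathlib import Path

# Launch locations that staged loaders favour but legitimate agents rarely use
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/",
                 "/private/var/folders/", "/Users/Shared/")
# Interpreters that let a single ProgramArguments entry run arbitrary script text
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}
# Tokens typical of fetch / decode / background-launch behaviour in arguments
STAGER_TOKENS = re.compile(r"\b(curl|wget|base64|nohup|xattr\s+-d|chmod\s+\+x)\b")


@dataclass
class Finding:
    label: str
    program: str
    reasons: list

    @property
    def suspicious(self):
        # Constructed threshold: one indicator alone (e.g. RunAtLoad) is common
        # in benign agents, so require at least two before flagging.
        return len(self.reasons) >= 2


def triage_plist(plist_bytes, fallback_label="<unnamed>"):
    """Return a Finding describing why this LaunchAgent plist merits review."""
    plist = plistlib.loads(plist_bytes)
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    program = str(plist.get("Program") or (args[0] if args else ""))
    label = str(plist.get("Label", fallback_label))
    reasons = []

    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad: executes at every login")
    if plist.get("KeepAlive"):
        reasons.append("KeepAlive: relaunched whenever it exits")

    joined = " ".join(args)
    tokens = [program, *joined.split()]
    if any(tok.startswith(TEMP_PREFIXES) for tok in tokens):
        reasons.append("references a temporary or shared directory")

    interpreter = Path(program).name
    if interpreter in INTERPRETERS and "-c" in args:
        reasons.append(f"{interpreter} -c one-liner instead of a signed binary")

    match = STAGER_TOKENS.search(joined)
    if match:
        reasons.append(f"stager-style token in arguments: {match.group(1)}")

    return Finding(label=label, program=program, reasons=reasons)


def scan_launch_agents(directory=None):
    """Triage every .plist under the user's LaunchAgents directory."""
    directory = Path(directory) if directory else Path.home() / "Library" / "LaunchAgents"
    findings = []
    for path in sorted(directory.glob("*.plist")):
        try:
            findings.append(triage_plist(path.read_bytes(), fallback_label=path.name))
        except (OSError, plistlib.InvalidFileException, ValueError):
            continue  # unreadable or malformed plist: worth a manual look, skip here
    return findings


# Constructed sample plists (not real artifacts) used to exercise the logic.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/Applications/ExampleHelper.app/Contents/MacOS/ExampleHelper", "--agent"],
    "RunAtLoad": True,
})
STAGED_LOADER_PLIST = plistlib.dumps({
    "Label": "com.example.update",
    "ProgramArguments": ["/bin/sh", "-c", "nohup /private/tmp/.loader >/dev/null 2>&1 &"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for sample in (BENIGN_PLIST, STAGED_LOADER_PLIST):
        finding = triage_plist(sample)
        print(finding.label, "SUSPICIOUS" if finding.suspicious else "ok", finding.reasons)
    for finding in scan_launch_agents():
        if finding.suspicious:
            print("review:", finding.label, finding.program, finding.reasons)
```

The script only reads plists and prints reasons; it deliberately does not unload or delete anything, so it can be run during triage without altering evidence. The user-level directory is the one the page's loader would target, but the same function works on /Library/LaunchAgents and /Library/LaunchDaemons if scan_launch_agents is pointed there.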
User awareness is equally important: staff should be trained to distrust unsolicited job assessments, software "fixes" delivered over chat, and prompts to enter passwords into pop-up windows or cloned browser dialogs. Train staff to report these events immediately so incident response can contain any compromise before it spreads.