
macOS Malware Deploys in Fake Job Scams

· Published 26/11/2025 07:34 · Modified 21/12/2025 18:04

Essential information

Tags
2025-11-26 credential-theft fake job scams flexibleferret golang backdoor macos multi-stage attack social engineering
Related entities
21 observables, 1 intrusion sets (apt), 14 techniques (mitre), 1 malware, 7 others

Description

A sophisticated malware campaign targeting macOS users has been discovered, involving fake job assessments and social engineering tactics. The malware, attributed to DPRK-aligned operators, uses multi-stage attacks to deploy on victims' systems. The campaign begins with JavaScript files on fake recruitment websites, prompting users to execute commands that download and run malicious shell scripts. These scripts then fetch and execute a Golang backdoor, which establishes persistence and communicates with a command and control server. The malware can collect system information, upload and download files, execute commands, and steal Chrome data. The attackers use Dropbox as an exfiltration channel for captured credentials.

External references