North Korean cybercriminals behind the Contagious Interview campaign have been caught deploying a sophisticated Apple macOS malware family, dubbed FERRET, under the guise of job interview processes.
How the Attack Works
According to SentinelOne researchers Phil Stokes and Tom Hegel, attackers initiate contact with victims via LinkedIn, pretending to be recruiters. They then persuade targets to engage in a video interview, where they are directed to install or update fake software like VCam or CameraAccess for virtual meetings. This leads to the download and execution of malicious software.
First discovered in late 2023, Contagious Interview is part of a larger social engineering effort known as DeceptiveDevelopment (DEV#POPPER). The attackers use fake npm packages and native videoconferencing apps to inject malware into victims' systems.
The FERRET Malware Family
This attack chain primarily delivers BeaverTail, a JavaScript-based malware that extracts sensitive data from web browsers and cryptocurrency wallets. It also drops a Python backdoor called InvisibleFerret for further system exploitation.
In December 2024, NTT Security Holdings uncovered that BeaverTail can also deploy an additional malware strain named OtterCookie.
The recent discovery of FERRET malware indicates that North Korean hackers are continuously refining their attack strategies to evade detection. One notable tactic involves a ClickFix-style social engineering trick, prompting users to execute malicious Terminal commands on macOS under the pretense of fixing camera or microphone access issues.
FERRET Malware Components and Variants
Researchers have identified multiple components within the FERRET malware family:
FROSTYFERRET_UI – The first-stage malware distributed via fake apps like ChromeUpdate and CameraAccess.
FRIENDLYFERRET_SECD – A Go-based second-stage backdoor, masquerading as "com.apple.secd", previously observed in attacks on cryptocurrency businesses.
MULTI_FROSTYFERRET_CMDCODES – A Go configuration file managing the second-stage malware’s execution.
FlexibleFerret – A persistence mechanism using LaunchAgent to ensure the malware survives system reboots.
While FlexibleFerret is delivered via a package named InstallerAlert, it remains unclear how attackers lure victims into installing it. However, evidence suggests that the malware is being distributed through fake issues on legitimate GitHub repositories, expanding the attackers’ reach beyond job seekers to developers.
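The LaunchAgent persistence and the "com.apple.secd" masquerade described above are the two properties a defender can look for on a Mac without any vendor tooling. The following script is an added example, not SentinelOne's code or anything from the reporting: it parses launchd property lists and flags heuristics such as an Apple-namespaced label outside /System/Library (Apple's own launch items do not live in user or /Library agent directories), a program in a temp or hidden directory, or a persisted shell one-liner that downloads or decodes code. The two embedded plists are constructed samples; the paths and labels in them are assumptions for illustration.

```python
import os
import plistlib
from pathlib import PurePosixPath

# Constructed sample: a user LaunchAgent whose label borrows Apple's
# "com.apple." namespace (as the reporting says the FERRET backdoor does)
# and whose program lives in a hidden directory under the user's home.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.secd</string>
  <key>ProgramArguments</key>
  <array><string>/Users/dev/Library/.hidden/secd</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample of an unremarkable third-party agent for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string>
         <string>--check</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
DOWNLOAD_TOKENS = ("curl ", "wget ", "base64", "| sh", "| bash", "osascript")


def triage_launch_agent(plist_path: str, data: bytes) -> list[str]:
    """Return heuristic findings for one launchd plist (empty list = nothing odd).

    Findings are review prompts, not verdicts: they describe properties that
    the reporting associates with FERRET-style persistence.
    """
    plist = plistlib.loads(data)
    findings = []

    label = str(plist.get("Label", ""))
    # Apple's own launch items live under /System/Library; a "com.apple."
    # label in a user or /Library directory is masquerading.
    if label.startswith("com.apple.") and not plist_path.startswith("/System/Library/"):
        findings.append("apple_label_outside_system")

    args = plist.get("ProgramArguments") or []
    program = str(plist.get("Program") or (args[0] if args else ""))
    parts = PurePosixPath(program).parts[1:]  # drop the leading "/"
    if program.startswith(TEMP_DIRS) or any(p.startswith(".") for p in parts):
        findings.append("program_in_temp_or_hidden_dir")

    # A persisted shell one-liner that fetches or decodes further code.
    joined = " ".join(str(a) for a in args)
    if any(tok in joined for tok in DOWNLOAD_TOKENS):
        findings.append("download_or_decode_in_arguments")

    return findings


def scan_launch_agent_dirs(dirs=None) -> dict[str, list[str]]:
    """Triage every .plist in the given LaunchAgent/LaunchDaemon directories."""
    if dirs is None:
        dirs = [os.path.expanduser("~/Library/LaunchAgents"),
                "/Library/LaunchAgents", "/Library/LaunchDaemons"]
    results = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    findings = triage_launch_agent(path, fh.read())
            except (OSError, plistlib.InvalidFileException, ValueError):
                findings = ["unparseable"]
            if findings:
                results[path] = findings
    return results


if __name__ == "__main__":
    for path, findings in scan_launch_agent_dirs().items():
        print(path, ", ".join(findings))
```

Run it as a script on a Mac to list every agent that trips a heuristic; anything flagged "apple_label_outside_system" deserves a look at the binary it launches, since no legitimate Apple item is installed that way. The temp/hidden-directory and download-token rules will occasionally catch sloppy but benign installers, so treat the output as a review queue rather than an alert.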
Fake npm Packages and Supply Chain Attacks
Adding to the severity of the situation, researchers from Socket have detected a malicious npm package called postcss-optimizer containing the BeaverTail malware. By impersonating the widely used postcss library (which has over 16 billion downloads), the attackers aim to infect Windows, macOS, and Linux systems, enabling credential theft and data exfiltration.
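A package named after a popular library with a plausible suffix, as postcss-optimizer was named after postcss, is the pattern a dependency review should catch before install. The following is an added example, not Socket's tooling or anything from the reporting: it reads a package.json and flags dependency names that are either a popular name extended with a prefix or suffix, or one edit away from it, while skipping an allowlist of legitimate names that embed the popular one (postcss-loader, react-dom). The manifest, the popular-package set, and the allowlist are constructed for illustration; real use would feed it the organisation's own lists.

```python
import json
import re

# Constructed package.json, including a name shaped like the "postcss-optimizer"
# package the article describes (impersonating the real "postcss") and a
# one-character misspelling of "lodash" for illustration.
PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "postcss": "^8.4.0",
    "postcss-optimizer": "1.0.0",
    "postcss-loader": "^8.0.0",
    "react": "^18.0.0",
    "lodsh": "4.17.21"
  }
}"""

# Popular packages worth protecting from lookalikes (constructed subset) and
# an allowlist of known legitimate names that happen to embed them.
POPULAR = {"postcss", "react", "lodash", "express"}
KNOWN_GOOD = {"postcss-loader", "react-dom", "express-session"}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch single-typo squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(name: str, popular=POPULAR, known_good=KNOWN_GOOD):
    """Why a dependency name deserves review, or None if it looks unremarkable."""
    if name in popular or name in known_good:
        return None
    # Strip an npm scope such as "@types/" so the bare name is compared.
    bare = name.split("/", 1)[1] if name.startswith("@") else name
    for pop in popular:
        # "postcss-optimizer", "postcss_utils", "postcssjs": a popular name
        # extended with a suffix/prefix that is not on the allowlist.
        if bare != pop and re.fullmatch(rf"(.+[-_.])?{re.escape(pop)}([-_.].+|js)?", bare):
            return f"derived from {pop}"
        if edit_distance(bare, pop) == 1:
            return f"one edit away from {pop}"
    return None


def review_dependencies(package_json: str) -> dict[str, str]:
    """Map each suspicious dependency in a package.json to the reason it was flagged."""
    manifest = json.loads(package_json)
    flagged = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            reason = lookalike_reason(name)
            if reason:
                flagged[name] = reason
    return flagged


if __name__ == "__main__":
    for name, reason in review_dependencies(PACKAGE_JSON).items():
        print(f"{name}: {reason}")
```

The output is a review list, not a verdict: a name derived from a popular package is often legitimate, which is why the allowlist exists, and the check says nothing about what the package's install scripts do. The value is in forcing a human look at any new dependency whose name trades on a well-known one before it is installed on a developer machine.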
This discovery follows another campaign by North Korea-linked APT37 (ScarCruft), which involves spear-phishing attacks with booby-trapped documents designed to distribute RokRAT malware via the K Messenger platform.
Conclusion
North Korean threat actors continue to leverage social engineering, supply chain attacks, and macOS malware to target developers, cryptocurrency holders, and job seekers. Users should remain vigilant against unsolicited job offers, unknown software downloads, and suspicious npm packages to mitigate the risk of infection.
Stay Updated on the Latest Cyber Threats
For more cybersecurity insights, follow our blog for real-time updates on the latest malware campaigns, threat intelligence, and cybersecurity trends.