{
	"id": "dbe30e9d-a6fd-4be2-bebb-5ef6bba1aacb",
	"created_at": "2026-04-06T00:17:48.763188Z",
	"updated_at": "2026-04-10T03:28:28.735742Z",
	"deleted_at": null,
	"sha1_hash": "5677a64d57edb5e161544c62f84108a6975cf159",
	"title": "macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6237269,
	"plain_text": "macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed\r\nBy Phil Stokes\r\nPublished: 2025-02-03 · Archived: 2026-04-05 22:58:13 UTC\r\nLast week Apple pushed a signature update to its on-device malware tool XProtect to block several variants of what it called the macOS Ferret family: FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES. This DPRK-attributed malware family was first described by researchers in December and further in early January, and was identified as part of the North Korean Contagious Interview campaign, in which threat actors lure targets into installing malware through a fake job interview process.\r\nIn this post, we briefly recap previous research for context, including Apple’s contribution through its malware signatures, before describing newly discovered samples that we have labelled ‘FlexibleFerret’ and which remain undetected by XProtect at the time of writing.\r\nWe provide a high-level overview of the malware along with a list of indicators for threat hunters and defenders. SentinelOne customers are protected from all known variants of the Ferret family.\r\nA FERRET Family Background\r\nAs noted above, previous researchers have described several malware components associated with the Contagious Interview campaign. Targets are typically asked to communicate with an interviewer through a link that throws an error message and a request to install or update some required piece of software, such as VCam or CameraAccess, for virtual meetings.\r\nhttps://www.sentinelone.com/blog/macos-flexibleferret-further-variants-of-dprk-malware-family-unearthed/\r\nPage 1 of 8\r\nIn previous reports, the observed malware ran a malicious shell script and installed a persistence agent and an executable masquerading as a Google Chrome update. 
An excellent post published on January 5th digs into the details and source code of the shell loader, ffmpeg.sh, and the Go backdoor and stealer called, appropriately enough, ChromeUpdate.\r\nApple’s signature update last week targets some of the components of this malware campaign, including a backdoor that masquerades as an operating system file with the name com.apple.secd (aka FRIENDLYFERRET) along with the ChromeUpdate and CameraAccess persistence modules (aka FROSTYFERRET_UI).\r\nPerhaps unsurprisingly, indicators present in the FERRET family of malware overlap with indicators seen in other DPRK campaigns, including the Hidden Risk campaign described recently by SentinelLABS.\r\nSome common DPRK malware artifacts also seen in the Stage 2 ‘growth’ malware from Hidden Risk\r\nAnother commonality between FERRET and other recent DPRK campaigns is the use of Dropbox for exfiltration and the use of api.ipify.org to resolve the host’s public IP.\r\nThree https: URL strings in the binary’s __TEXT.__cstring section (string values truncated in the archived copy)\r\nFlexibleFerret | An Expanded Malware Family Set\r\nPrior to Apple pushing XProtect version 5286, SentinelLABS had been tracking the malware identified by previous researchers and analysing a variant of the ChromeUpdate samples with the identifier Mac-Installer.InstallerAlert. Unlike the previous samples, this malware was signed with an Apple Developer signature (VFYPGAKSLY) and Team ID (58CD8AD5Z4) that was valid at the time of signing and has since been revoked. 
Pivoting off this led us to another previously unseen infection vector and set of related samples.\r\nThe dropper is an Apple Installer package called versus.pkg (SHA-1 388ac48764927fa353328104d5a32ad825af51ce), containing two applications, InstallerAlert.app and versus.app, and a standalone binary called zoom, as well as a postinstall.sh script in the parent folder.\r\nFile contents of the FlexibleFerret dropper, versus.pkg\r\nAfter the installer obtains elevated privileges, the package’s postinstall script drops and executes several components in /var/tmp/. The postinstall script is a bash script that also logs its progress to /tmp/postinstall.log; since /tmp is a symlink to /private/tmp on macOS, the log ends up in the /private/tmp/ folder.\r\n#!/bin/bash\r\necho \"$(date): Running post-installation script...\" \u003e\u003e /tmp/postinstall.log\r\nif [ -f /var/tmp/zoom ]; then\r\n    echo \"$(date): Zoom file exists, executing...\" \u003e\u003e /tmp/postinstall.log\r\n    /var/tmp/zoom \u003e\u003e /tmp/postinstall.log 2\u003e\u00261 \u0026\r\nelse\r\n    echo \"$(date): Zoom file not found\" \u003e\u003e /tmp/postinstall.log\r\nfi\r\nsleep 2\r\nif [ -d \"/var/tmp/InstallerAlert.app\" ]; then\r\n    echo \"$(date): Opening InstallerAlert.app...\" \u003e\u003e /tmp/postinstall.log\r\n    open \"/var/tmp/InstallerAlert.app\" \u003e\u003e /tmp/postinstall.log 2\u003e\u00261\r\nelse\r\n    echo \"$(date): InstallerAlert.app not found\" \u003e\u003e /tmp/postinstall.log\r\nfi\r\nsleep 2\r\necho \"$(date): Post-installation script completed.\" \u003e\u003e /tmp/postinstall.log\r\nexit 0\r\nFlexibleFerret components dropped in the host’s /var/tmp folder\r\nThe fake zoom binary (SHA-1 ee7a557347a10f74696dc19512ccc5fcfca77bc5) reaches out to the domain zoom.callservice[.]us 
(note: this is not a legitimate Zoom domain).\r\nMeanwhile, the same script launches InstallerAlert.app, which in turn calls /tmp/versus.app. Its primary function is to trick the user into thinking the malware is a legitimate application that failed to run, by throwing an alert dialog with the error message “This file is damaged and cannot be opened”, a message that mimics the genuine warning typically shown by Gatekeeper.\r\nEmbedded strings in the versus.app binary to deceive victims into believing the malware did not execute\r\nIn the background, however, the malware installs a persistence item in the user’s ~/Library/LaunchAgents folder as a file named com.zoom.plist (note: the genuine Zoom launch item is ~/Library/LaunchAgents/us.zoom.ZoomDaemon.plist).\r\nStrings in the zoom binary for setting up persistence\r\nThe LaunchAgent targets a further executable at the path /private/var/tmp/logd, again masquerading as a legitimate part of the OS (logd is part of the unified logging system but has no component at that path). At the time of writing, we were not able to obtain a copy of this file, which appears to be retrieved from the currently non-responding C2.\r\nExecution of FlexibleFerret noisily leaves a log in /private/tmp/\r\nFlexibleFerret | InstallerAlert and Ties to ChromeUpdate\r\nWhat ties these components to Apple’s recent FERRET rules and the samples previously reported is the Mac-Installer.InstallerAlert binary inside InstallerAlert.app. This binary is a functional match for the ChromeUpdate binary and bears an 86% similarity to it. It contains both strings and functions that are identical only to ChromeUpdate and other files identified by Apple’s signature as malware. 
Importantly, however, neither InstallerAlert nor any of the other binaries found in the malicious versus.pkg are recognized as malware by XProtect.\r\nFurther, unlike ChromeUpdate, InstallerAlert is signed with a now-revoked Developer signature and Team ID. Pivoting off this signature allowed us to find several other samples of FlexibleFerret that are recognized as malware by a number of security vendors, including SentinelOne.\r\n‘Contagious Interview’ Campaign Actively Targeting GitHub Developers\r\nAs noted earlier, the FlexibleFerret malware is a component of the ‘Contagious Interview’ campaign, which began at least as far back as November 2023. SentinelLABS has further observed threat actors continuing attempts to compromise developers with the ffmpeg.sh installer script by opening fake issues on legitimate developers’ repositories. In an example in late December, one ‘commenter’ left instructions leading to the download of FERRET family droppers.\r\nA threat actor tries to trick GitHub users into downloading FERRET malware\r\nThis suggests that the threat actors are happy to expand the vectors by which they deliver the malware beyond the specific targeting of job seekers to developers more generally.\r\nConclusion\r\nThe ‘Contagious Interview’ campaign and the FERRET family of malware represent an ongoing and active campaign, with threat actors pivoting from signed applications to functionally similar unsigned versions as required. 
Diverse tactics help the threat actors deliver malware to a variety of targets in the developer community, both in targeted efforts and in what appear to be more ‘scatter gun’ approaches via social media and code sharing sites like GitHub.\r\nAlong with industry peers, SentinelLABS continues to track and publicize this activity to help raise awareness and protect users. SentinelOne customers are protected from known malicious components used in this campaign by the Singularity platform.\r\nTo learn more about how SentinelOne can protect your macOS devices, contact us for more information or request a free demo.\r\nIndicators of Compromise\r\nFrostyFerret ZIPs (SHA-1)\r\n203f7cfbf22b30408591e6148f5978350676268b VCam_ARM64.zip\r\na25dff88aeeaaf9f956446151a9d786495e2c546 CameraAccess.zip\r\naa172bdccb8c14f53c059c8433c539049b6c2cdd VCam_x86_64.zip\r\nXProtect_FrostyFerret_UI (SHA-1)\r\n7da429f6d2cdd8a63b3930074797b990c02dc108\r\n828a323b92b24caa5f5e3eff438db4556d15f215\r\n831cdcde47b4edbe27524085a6706fbfb9526cef\r\n8667078a88dae5471f50473a332f6c80b583d3de\r\ndba1454fbea1dd917712fbece9d6725244119f83\r\ne876ba6e23e09206f358dbd3a3642a7fd311bb22\r\nXProtect_FriendlyFerret_SECD (SHA-1)\r\n17e3906f6c4c97b6f5d10e0e0e7f2a2e2c97ca54\r\n2e51218985afcaa18eadc5775e6b374c78e2d85f\r\n7e07765bf8ee2d0b2233039623016d6dfb610a6d\r\nde3f83af6897a124d1e85a65818a80570b33c47c\r\nFlexibleFerret Installer (SHA-1)\r\n388ac48764927fa353328104d5a32ad825af51ce versus.pkg\r\nFlexibleFerret Mach-Os (SHA-1)\r\n1a28013e4343fddf13e5c721f91970e942073b88 InstallerAlert\r\n3e16c6489bac4ac2d76c555eb1c263cd7e92c9a5 InstallerAlert\r\n76e3cb7be778f22d207623ce1907c1659f2c8215 InstallerAlert\r\nb0caf49884d68f72d2a62aa32d5edf0e79fd9de1 InstallerAlert\r\nbd73a1c03c24a8cdd744d8a513ae8d2ddfa2de5f InstallerAlert\r\nccac0f0ba463c414b26ba67b5a3ddaabdef6d371 InstallerAlert\r\nd8245cdf6f51216f29a71f25e70de827186bdf71 InstallerAlert\r\nb071fbd9c42ff660e3f240e1921533e40f0067eb Mac-Installer.AlertMsg\r\nee7a557347a10f74696dc19512ccc5fcfca77bc5 zoom\r\nFlexibleFerret Signer\r\nName: Liseth Alejandra Trujillo Garcia\r\nTeam Identifier: 58CD8AD5Z4\r\nDev Identifier: VFYPGAKSLY\r\nFlexibleFerret Bundle IDs\r\nMac-Installer.AlertMsg\r\nMac-Installer.InstallerAlert\r\nFlexibleFerret DNS Domain\r\nzoom.callservice[.]us\r\nSource: https://www.sentinelone.com/blog/macos-flexibleferret-further-variants-of-dprk-malware-family-unearthed/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/blog/macos-flexibleferret-further-variants-of-dprk-malware-family-unearthed/"
	],
	"report_names": [
		"macos-flexibleferret-further-variants-of-dprk-malware-family-unearthed"
	],
	"threat_actors": [
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434668,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5677a64d57edb5e161544c62f84108a6975cf159.pdf",
		"text": "https://archive.orkl.eu/5677a64d57edb5e161544c62f84108a6975cf159.txt",
		"img": "https://archive.orkl.eu/5677a64d57edb5e161544c62f84108a6975cf159.jpg"
	}
}