New North Korean Malware Affects Mac Computers

In late 2024 to early 2025, cybersecurity researchers first identified a North Korean cyber campaign involving a malware family dubbed the “macOS Ferret” family. Apple has recently updated its on-device malware protection tool, XProtect, to block several variants of this malware, but this appears not to have been enough, as researchers have recently found a new variant that is still effective.

This malicious software is suspected to be part of a larger cyber operation known as the “Contagious Interview” campaign, in which North Korean threat actors target job seekers. According to Cybernews, the typical approach involves attackers impersonating recruiters and convincing victims to install malware disguised as software needed for virtual meetings. Once the victim installs the software, they unknowingly allow malware onto their system. Apple’s XProtect update, rolled out two weeks ago, addresses some of these malware variants by blocking key components used in this attack strategy.

However, researchers from cybersecurity firm SentinelOne have discovered newer versions of the malware, dubbed “FlexibleFerret,” which remain undetected by Apple’s updated tool. These fresh samples appear to target a wider range of victims, including software developers, using multiple delivery methods, such as social media platforms and code-sharing sites like GitHub. This broader strategy marks a shift from the previous focus on job-seeking targets to a more generalized campaign aimed at the development community.

SentinelOne’s report highlights that the FERRET family shares some characteristics with other North Korean cyber operations, such as the Hidden Risk campaign, which was detailed in recent research by SentinelLabs. This suggests that the group is continuing to refine its tactics to maximize the effectiveness of its cyberattacks.

While Apple’s XProtect update is an important step in mitigating the threat, experts warn that the evolving nature of these attacks underscores the need for continued vigilance in combating cyber threats.