North Korean hackers use fake job interviews on macOS to deliver FERRET malware.

Feb 04, 2025 | Ravie Lakshmanan | Malware / Cryptocurrency

Using a fake job interview lure, the North Korean threat actors behind the Contagious Interview campaign have been observed delivering a family of Apple macOS malware strains dubbed FERRET.

In a new report, SentinelOne researchers Phil Stokes and Tom Hegel said that "targets are usually asked to speak with an interviewer through a link that displays an error message and a request to install or update some essential software such as VCam or CameraAccess for online meetings."

Contagious Interview, first discovered in late 2023, is a sustained effort by the hacking group to distribute malware to prospective victims using fake npm packages and native apps masquerading as videoconferencing software. It is also tracked as DeceptiveDevelopment and DEV#POPPER.

These attack chains are designed to drop a JavaScript-based malware known as BeaverTail, which, besides harvesting sensitive information from web browsers and cryptocurrency wallets, is capable of delivering a Python backdoor named InvisibleFerret.

Chinese cybersecurity firm NTT Security Holdings revealed in December 2024 that the JavaScript malware is also configured to retrieve and execute , another piece of malware used in the campaign.

The FERRET family of malware, first observed around the turn of 2024, shows that the threat actors are continually refining their tactics to evade detection.

Victims are also tricked into copying and running a malicious command in the Terminal app on their Apple macOS systems, under the pretext of fixing a problem with accessing the camera and microphone through the web browser.

The attacks start with the attackers approaching targets on LinkedIn, posing as recruiters and urging them to complete a video assessment, according to security researcher Taylor Monahan, who goes by the handle @tayvano_. The end goal is to install a that runs commands on the host and drains the victim's MetaMask wallet.

FRIENDLYFERRET and FROSTYFERRET_UI are among the names given to components the malware uses. SentinelOne said it also found a second set of artifacts, tracked as FlexibleFerret, that uses a LaunchAgent to establish persistence on the infected macOS system.
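As an added defender-side example (not code from the SentinelOne report or this article), the following Python scan walks a LaunchAgents directory and reports the traits a persistence review would look for: a shell or script interpreter as the program, a payload in a user-writable or hidden location, and the RunAtLoad/KeepAlive keys that make such an agent start at login and survive being killed. Both plists are constructed for the demo; the page carries no real FERRET indicators and none are assumed here.

```python
import plistlib
import tempfile
from pathlib import Path

# Locations any local user can write to; a payload here is where a persistence review starts.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3")

def inspect_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the traits of one LaunchAgent plist that merit review (empty list = nothing notable)."""
    info = plistlib.loads(plist_bytes)
    args = list(info.get("ProgramArguments", []))
    if "Program" in info:            # launchd accepts either key; normalise to one argv list
        args.insert(0, info["Program"])
    traits = []
    if args and args[0] in INTERPRETERS:   # legitimate agents usually launch a signed binary directly
        traits.append(f"launches interpreter: {args[0]}")
    for arg in args:
        if arg.startswith(USER_WRITABLE):
            traits.append(f"payload in user-writable dir: {arg}")
        if any(part.startswith(".") for part in arg.split("/") if part):
            traits.append(f"hidden path component: {arg}")
    if traits:                       # RunAtLoad/KeepAlive alone are normal; add them only as context
        traits += [k for k in ("RunAtLoad", "KeepAlive") if info.get(k)]
    return traits

def scan_launch_agents(directory) -> dict[str, list[str]]:
    """Inspect every *.plist in a LaunchAgents directory; keep only files with notable traits."""
    findings = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            traits = inspect_launch_agent(path.read_bytes())
        except Exception as exc:     # a plist launchd cannot parse is itself worth a look
            traits = [f"unparseable: {exc}"]
        if traits:
            findings[path.name] = traits
    return findings

# Constructed samples, not real indicators: a shell-launched hidden script kept alive at login, and an app binary.
SUSPECT_AGENT = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.constructed</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string><string>/Users/Shared/.cache/update</string></array><key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""
BENIGN_AGENT = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/helper</string></array><key>RunAtLoad</key><true/></dict></plist>"""

def demo() -> dict[str, list[str]]:
    """Write both samples into a temporary LaunchAgents-style directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "com.example.constructed.plist").write_bytes(SUSPECT_AGENT)
        Path(tmp, "com.example.helper.plist").write_bytes(BENIGN_AGENT)
        return scan_launch_agents(tmp)
```

On a real host, point `scan_launch_agents` at `~/Library/LaunchAgents` and `/Library/LaunchAgents`; the benign sample shows that RunAtLoad by itself is not reported, so the output stays short enough to triage by hand.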

It is also engineered to download an unspecified payload from a command-and-control (C2) server, which is no longer responsive.

Additionally, the FERRET malware has been reported to be distributed through fake GitHub repositories as well, again demonstrating a shift in the attackers' tactics.

This suggests that the threat actors are willing to expand the ways in which they distribute the malware beyond the specific targeting of job seekers to developers more broadly, the researchers said.

The disclosure comes days after supply chain security firm Socket revealed a malicious npm package named postcss-optimizer that contained the BeaverTail malware. As of writing, the library is still available for download from the npm registry.

"By impersonating the legitimate postcss library, which has over 16 billion downloads, the threat actor aims to infect developers' systems with credential-stealing and data-exfiltration capabilities across Windows, macOS, and Linux systems," security researchers Kirill Boychenko and Peter van der Zee said.

The North Korea-aligned APT37 (also known as ScarCruft) threat actor also made the of a new campaign that used spear-phishing to distribute booby-trapped documents to other targets via group chats from the compromised user's computer using the K Messenger platform.
