Cybercriminals are successfully targeting Apple users through a sophisticated social engineering scheme that tricks victims into running harmful commands on their computers.<\/p>\n
The threat, called FlexibleFerret, is attributed to North Korean operators and represents a continuing evolution of the Contagious Interview campaign that has been active throughout 2025.<\/p>\n
The malware primarily spreads through fake job recruitment websites that promise employment opportunities but ultimately deliver credential-stealing backdoors and system access to attackers.<\/p>\n
![\"LinkedIn](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgd00Nzaj3FYKLfpSAtLhH7_cIfZ6XNADfpIDpJDBP64wMiIEWmoetjLS9gruqRfRjqv3v6VNxX9tfC9MKqvfZiip3wkelCRraZ2JJg6uK0sBzTOf9HEV4A0GlwjvhMBZ4-zySqRKBbbdy9-xPCv-OBBQyqDc6LBKQ4WOXaz5HaLdvI4GxJYapQ341ItYo\/s16000\/LinkedIn%2520post%2520highlighting%2520recruitment%2520scams%2520%28Source%2520-%2520Jamf%29.webp?ssl=1\")
The attack begins innocuously with job seekers visiting realistic-looking hiring assessment websites like evaluza.com and proficiencycert.com.<\/p>\n
Victims complete fake job<\/a> assessments branded with names like \u201cBlockchain Capital Operations Manager Hiring Assessment,\u201d providing personal details and even recording video introductions.<\/p>\n After completing these stages, applicants receive a critical instruction to run a specific Terminal command, which the attackers claim is needed to fix camera or microphone access issues.<\/p>\n Jamf security analysts identified<\/a> this new variant after discovering in-the-wild detections linked to the script named macpatch.sh.<\/p>\n The researchers found JavaScript files on fraudulent recruitment<\/a> sites designed to build and execute curl commands that download malicious payloads directly to victims\u2019 computers.<\/p>\n The infection mechanism employs a multi-stage delivery process that remains hidden from users. When the initial curl command executes, it downloads a shell script that determines whether the victim\u2019s Mac uses ARM64 or Intel architecture, then fetches the appropriate stage-two payload.<\/p>\n The script creates working directories in temporary locations, establishes persistence<\/a> through LaunchAgents that automatically launch the malware at login, and displays a convincing fake Chrome application that mimics a legitimate password prompt.<\/p>\n This decoy application captures whatever credentials users enter and sends them to a Dropbox account controlled by the attackers.<\/p>\n The third stage activates when a bundled Golang backdoor<\/a> runs, establishing communication with a command-and-control server.<\/p>\n This sophisticated component supports multiple operations including system information collection, file upload and download capabilities, command execution, Chrome profile theft, and automated credential harvesting.<\/p>\n The backdoor maintains persistence through LaunchAgent entries and includes error-handling mechanisms that reset the malware if temporary failures occur.<\/p>\n Organizations should educate employees to view unsolicited job assessment requests and Terminal-based fix instructions with extreme suspicion.<\/p>\n Any recruitment communication asking users to execute system commands represents a significant red flag and should be reported immediately to security teams.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Hackers Tricks macOS Users to Execute Command in Terminal to Deliver FlexibleFerret Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nInfection mechanism<\/strong><\/h2>\n
![\"Left](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiBSlE75M9puGnoRtizu7a5lo41B08VbUGv8bbFbTMkwiwYVsZ5nVo02C6dfAAlYT_nQ8OA7GF_dNieJh-PKqhQ1094we42vGPFiQYrDOIxIb-d9WHqClWEjpJm4pHE1Y9Fn9C9tSY6u3fNCsMouBDxceC9BYJUSLIv9sAkJUxDGnPmjnMkrH6eoeICr60\/s16000\/Left%2520-%2520fake%2520Chrome%2520camera%2520access%2520prompt%2C%2520Right%2520-%2520Chrome-style%2520password%2520prompt%2520%28Source%2520-%2520Jamf%29.webp?ssl=1\")