North Korean cyber operatives have launched a sophisticated cyber espionage campaign dubbed Contagious Interview, which specifically targets macOS users. This campaign, initially uncovered in late 2023, employs a deceptive job interview process to infect victims with FERRET malware strains.
The attackers pose as recruiters on LinkedIn, urging job seekers to install seemingly legitimate applications such as VCam or CameraAccess to proceed with a video interview. These applications serve as delivery mechanisms for various malware payloads, enabling cybercriminals to infiltrate macOS systems stealthily.
Unraveling the FERRET Malware Family
The FERRET malware family is an advanced set of cyber tools designed to establish persistence, steal sensitive data, and execute remote commands on infected systems.
Threat Details | Description |
---|---|
Threat Type | Cyber Espionage, Malware Infection |
Encrypted File Extension | Not applicable (Not ransomware) |
Ransom Note File Name | Not applicable |
Associated Email Addresses | None identified |
Detection Names | Varies by security vendor; includes “Backdoor.Mac.FERRET”, “Trojan:JS/BeaverTail”, “OSX.FlexibleFerret” |
Symptoms of Infection | Camera and microphone malfunctions, unauthorized system access, cryptocurrency wallet drainage, system slowdown |
Damage | Data theft, credential harvesting, persistent access to compromised devices |
Distribution Methods | Fake job interviews, deceptive npm packages, fraudulent GitHub issues |
Danger Level | High |
Remove annoying malware threats like this one in seconds!
Scan Your Computer for Free with SpyHunter
Download SpyHunter now, and scan your computer for this and other cybersecurity threats for free!
The Role of BeaverTail and InvisibleFerret
The BeaverTail malware, a JavaScript-based threat, is often the initial payload delivered in these attacks. It is designed to extract sensitive data from browsers and cryptocurrency wallets. Once installed, BeaverTail facilitates the deployment of InvisibleFerret, a Python-based backdoor that enables cybercriminals to gain deeper access to compromised systems.
OtterCookie: A Layer of Additional Harm
In December 2024, Japanese cybersecurity researchers discovered OtterCookie, another JavaScript malware variant. This component enables attackers to execute additional harmful payloads, enhancing the overall sophistication of the Contagious Interview campaign.
Evasion Tactics: ClickFix-Style Deception
Researchers have identified a ClickFix-style deception technique, wherein users are tricked into manually copying and executing an unsafe command in macOS Terminal. This method bypasses standard security protections, making detection more difficult.
Exploiting Job Seekers Through LinkedIn
Threat actors leverage LinkedIn to target unsuspecting job seekers. They pose as recruiters and ask candidates to complete a “video assessment,” which requires installing software that is in fact a Golang-based backdoor. This malware is designed to siphon funds from MetaMask wallets and provide remote control over infected systems.
Breakdown of FERRET Malware Components
FERRET malware comprises multiple components, each serving a distinct purpose:
- FROSTYFERRET_UI – The initial payload masquerading as ChromeUpdate or CameraAccess applications.
- FRIENDLYFERRET_SECD – A Go-based secondary backdoor, also linked to previous attacks on cryptocurrency businesses.
- MULTI_FROSTYFERRET_CMDCODES – A Go configuration file supporting second-stage backdoor functionality.
Establishing Persistence with FlexibleFerret
Another variant of the FERRET malware family, FlexibleFerret, focuses on persistence mechanisms within macOS. It uses a LaunchAgent to maintain a foothold on infected systems. This variant is delivered through an installer package named InstallerAlert, which mimics FROSTYFERRET_UI’s functionality.
Expanding Beyond Job Seekers
While initial attacks targeted job seekers, new evidence suggests FERRET malware is being distributed via fake issues in GitHub repositories. This expansion indicates that developers and IT professionals are also at risk, necessitating broader cybersecurity awareness.
Removal Guide
Step 1: Boot Mac into Safe Mode
- Shut down your Mac.
- Restart while holding the Shift key.
- Release Shift when you see the Apple logo.
Step 2: Uninstall Malicious Applications
- Open Finder → Go to Applications.
- Locate suspicious applications (e.g., VCam, CameraAccess).
- Move them to Trash and empty Trash.
Step 3: Remove Launch Agents
- Open Finder → Go to ~/Library/LaunchAgents.
- Search for suspicious .plist files.
- Move them to Trash.
Step 4: Scan and Remove Malware with SpyHunter
- Download SpyHunter for Mac.
- Install the software and launch it.
- Perform a full system scan.
- Click Fix Threats to remove detected malware.
Step 5: Clear Browser Data
- Open Safari/Chrome.
- Navigate to Preferences → Privacy.
- Click Manage Website Data → Remove All.
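As an added example (not part of the original guide or of any vendor tooling), the Python script below supports Step 3 and the FlexibleFerret LaunchAgent persistence described earlier by parsing every per-user LaunchAgent and listing reasons it deserves manual review. The name hints are the application names mentioned in this article; the path and `com.apple` label checks are generic heuristics assumed here, and `SAMPLE_JOB` is a constructed job with a hypothetical label and path.

```python
"""Audit per-user LaunchAgents for manual review (added example)."""
import plistlib
from pathlib import Path

# Application/installer names this article associates with the campaign.
NAME_HINTS = ("vcam", "cameraaccess", "chromeupdate", "installeralert")
# Assumption: generic heuristics, not FERRET-specific indicators.
RISKY_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

# Constructed sample job (hypothetical label and path) for a dry run.
SAMPLE_JOB = {"Label": "com.example.updater", "RunAtLoad": True,
              "ProgramArguments": ["/private/tmp/ChromeUpdate/run", "--silent"]}


def audit_job(job, filename=""):
    """Return a list of reasons this launchd job deserves manual review."""
    command = [str(job["Program"])] if job.get("Program") else []
    command += [str(a) for a in job.get("ProgramArguments", [])]
    label = str(job.get("Label", ""))
    haystack = " ".join([filename, label, *command]).lower()
    reasons = [f"name matches '{h}'" for h in NAME_HINTS if h in haystack]
    if any(a.startswith(RISKY_PREFIXES) for a in command):
        reasons.append("runs from a world-writable directory")
    if label.startswith("com.apple."):
        reasons.append("com.apple label in a per-user LaunchAgents folder")
    return reasons


def audit_dir(directory):
    """Parse every .plist in directory; return {filename: reasons}."""
    findings = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                job = plistlib.load(fh)  # accepts XML and binary plists
            findings[path.name] = audit_job(job, path.name)
        except Exception as exc:  # corrupt plist: report it rather than skip it
            findings[path.name] = [f"unreadable plist ({type(exc).__name__})"]
    return findings


if __name__ == "__main__":
    print("sample:", audit_job(SAMPLE_JOB))
    agents = audit_dir(Path.home() / "Library/LaunchAgents")
    for name, reasons in agents.items():
        print(f"{name}: {'; '.join(reasons) or 'no heuristic hit, still review'}")
```

Run it with `python3` before moving anything to Trash; a file with no heuristic hit still needs a manual look if you do not recognise its label or program path.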
Preventive Measures
To avoid falling victim to similar cyber threats, follow these preventive strategies:
- Verify Job Offers – Cross-check recruiters and companies before engaging in online interviews.
- Avoid Downloading Unknown Applications – Do not install software from untrusted sources.
- Enable macOS Gatekeeper and XProtect – These built-in security features help block unverified applications.
- Use a Password Manager – Protect your credentials from phishing attacks.
- Keep Software Updated – Regularly update macOS and security software.
- Enable Two-Factor Authentication (2FA) – Adds an extra layer of security.
- Use Reputable Security Software – Install trusted anti-malware solutions like SpyHunter to detect and remove threats.
By following these steps and preventive measures, users can safeguard their systems against North Korean cyber threats and avoid falling victim to the Contagious Interview campaign.