SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers

FlexibleFerret malware evades Apple's XProtect updates

Yesterday

SentinelLabs has disclosed new research on variants of the FERRET malware linked to North Korea, specifically targeting macOS systems, with the newly discovered forms labelled as "FlexibleFerret."

According to SentinelLabs' findings, the FlexibleFerret variants go undetected by Apple's built-in malware defence tool, XProtect. The FERRET malware is linked to the "Contagious Interview" campaign, in which individuals are tricked into downloading malicious software under the guise of a job interview process.

Last week, Apple updated its XProtect signatures to block several versions of FERRET malware, including FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES. These updates target the FERRET family used in the Contagious Interview campaign, which typically requires targets to download software presented as necessary for a virtual meeting; that software is tampered with to install the malware surreptitiously.

The malware has previously been observed executing a malicious shell script that installs a persistence agent and an executable posing as a Google Chrome update. Components now covered by Apple's updated signatures include a backdoor disguised as an operating system file (com.apple.secd), also referred to as FRIENDLYFERRET, along with the persistence modules known as FROSTYFERRET_UI.

Phil Stokes, a threat researcher at SentinelLabs, underscored the persistence of these malware techniques. "The 'Contagious Interview' campaign and the FERRET family of malware represent an ongoing and active campaign, with threat actors pivoting from signed applications to functionally similar unsigned versions as required. Diverse tactics help the threat actors deliver malware to a variety of targets in the developer community, both in targeted efforts and what appears to be more 'scatter gun' approaches via social media and code sharing sites like Github."

These new strains of malware, specifically the FlexibleFerret variants, exhibit similarities with indicators from other North Korean operations, such as the Hidden Risk campaign recently revealed by SentinelLabs.

SentinelLabs has stated that in conjunction with other security entities, it continues to monitor and bring these activities to light, with the aim of raising awareness and enhancing protection for users against these cybersecurity threats.
