Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
  • AI
  • Tech
  • Cybersecurity
  • Finance
  • DeFi & Blockchain
  • Startups
  • Gaming
Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
Dataconomy
No Result
View All Result

Flexible-Ferret malware targets Mac users by doding XProtect measures

This detection-resistant variant was identified by researchers at SentinelOne, who noted its ability to bypass the recent XProtect signature update intended to block Ferret infections

byKerem Gülen
February 5, 2025
in News, Cybersecurity

The macOS Ferret family, known for being used by North Korean APTs for cyber espionage, has introduced a new variant named Flexible-Ferret that is currently evading detection measures implemented by Apple.

Flexible-Ferret malware variant evades Apple’s XProtect measures

This detection-resistant variant was identified by researchers at SentinelOne, who noted its ability to bypass the recent XProtect signature update intended to block Ferret infections. Unlike its predecessors, Flexible-Ferret carries a legitimate Apple Developer signature and Team ID, which adds a layer of deception to its operation.

The Ferret malware family is associated with the “Contagious Interview” campaign, where threat actors trick victims into installing malware by posing as job interviewers. This campaign reportedly began in November 2023 and has involved multiple malware variants such as FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES—all of which were covered in Apple’s most recent XProtect update.

Stay Ahead of the Curve!

Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.

Flexible-Ferret evades XProtect

SentinelOne’s analysis revealed that under XProtect version 5286, the new Flexible-Ferret variant went undetected. Through ongoing examination, they discovered a ChromeUpdate variant known as Mac-Installer.InstallerAlert, which is also signed with a valid Apple Developer ID and Team ID, thereby maintaining its connection to the existing FERRET family.

flexible-ferret-malware-targets-mac-users-by-doding-xprotect-measures
Image: SentinelOne

The malware dropper, termed versus.pkg, contains two applications—InstallerAlert.app and versus.app—and a standalone binary named “zoom.” When executed, the “zoom” binary connects to a suspicious domain unrelated to Zoom services and elevates system privileges. Simultaneously, InstallerAlert.app generates an error message that mimics macOS Gatekeeper warnings while deploying a persistence agent.

Despite sharing 86% code similarity with the ChromeUpdate, the Mac-Installer was not flagged by XProtect until it was linked to a revoked Developer ID, which allowed researchers to uncover further Flexible-Ferret samples.

According to SentinelOne, the “Contagious Interview” campaign exemplifies ongoing, active threat actor maneuvers where adversaries adapt signed applications into functionally similar unsigned versions to evade security measures. This includes diverse tactics aimed at a broad range of targets within the developer community, facilitated through social media and code-sharing sites such as GitHub.

flexible-ferret-malware-targets-mac-users-by-doding-xprotect-measures
Image: SentinelOne

Researchers pointed out that threat actor groups focused on macOS include prominent entities from North Korea, China, and Russia. Boris Cipot, a senior security engineer at Black Duck, emphasized the continuous evolution of techniques to bypass security defenses.

Apple’s recent signature update targeted several components of this malware family, including a backdoor disguised as an operating system file named com.apple.secd, in addition to the ChromeUpdate and CameraAccess persistence modules. Notably, components in the FERRET malware family exhibit commonalities with others associated with DPRK campaigns, including file sharing through Dropbox and IP resolution via api.ipify.org.


Featured image credit: Wesson Wang/Unsplash

Tags: Cybersecuritymac

Related Posts

Is ChatGPT down again? Reports indicate ongoing outage

Is ChatGPT down again? Reports indicate ongoing outage

October 24, 2025
Path of Exile: Keepers of the Flame will be the Breach 2.0!

Path of Exile: Keepers of the Flame will be the Breach 2.0!

October 24, 2025
Google Meet now lets you move people in and out of meetings like a lobby

Google Meet now lets you move people in and out of meetings like a lobby

October 24, 2025
Sam Altman: AI will cause “strange or scary moments”

Sam Altman: AI will cause “strange or scary moments”

October 24, 2025
Anthropic gives Claude a real memory and lets users edit it directly

Anthropic gives Claude a real memory and lets users edit it directly

October 24, 2025
Nissan’s Sakura EV gets a solar roof that adds 1,800 miles a year

Nissan’s Sakura EV gets a solar roof that adds 1,800 miles a year

October 24, 2025

LATEST NEWS

Is ChatGPT down again? Reports indicate ongoing outage

Path of Exile: Keepers of the Flame will be the Breach 2.0!

Google Meet now lets you move people in and out of meetings like a lobby

Sam Altman: AI will cause “strange or scary moments”

Anthropic gives Claude a real memory and lets users edit it directly

Nissan’s Sakura EV gets a solar roof that adds 1,800 miles a year

Dataconomy

COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.

  • About
  • Imprint
  • Contact
  • Legal & Privacy

Follow Us

  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
No Result
View All Result
Subscribe

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy Policy.