Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
  • AI
  • Tech
  • Cybersecurity
  • Finance
  • DeFi & Blockchain
  • Startups
  • Gaming
Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
Dataconomy
No Result
View All Result

Flexible-Ferret malware targets Mac users by doding XProtect measures

This detection-resistant variant was identified by researchers at SentinelOne, who noted its ability to bypass the recent XProtect signature update intended to block Ferret infections

byKerem Gülen
February 5, 2025
in News, Cybersecurity

The macOS Ferret family, known for being used by North Korean APTs for cyber espionage, has introduced a new variant named Flexible-Ferret that is currently evading detection measures implemented by Apple.

Flexible-Ferret malware variant evades Apple’s XProtect measures

This detection-resistant variant was identified by researchers at SentinelOne, who noted its ability to bypass the recent XProtect signature update intended to block Ferret infections. Unlike its predecessors, Flexible-Ferret carries a legitimate Apple Developer signature and Team ID, which adds a layer of deception to its operation.

The Ferret malware family is associated with the “Contagious Interview” campaign, where threat actors trick victims into installing malware by posing as job interviewers. This campaign reportedly began in November 2023 and has involved multiple malware variants such as FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES—all of which were covered in Apple’s most recent XProtect update.

Stay Ahead of the Curve!

Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.

Flexible-Ferret evades XProtect

SentinelOne’s analysis revealed that under XProtect version 5286, the new Flexible-Ferret variant went undetected. Through ongoing examination, they discovered a ChromeUpdate variant known as Mac-Installer.InstallerAlert, which is also signed with a valid Apple Developer ID and Team ID, thereby maintaining its connection to the existing FERRET family.

flexible-ferret-malware-targets-mac-users-by-doding-xprotect-measures
Image: SentinelOne

The malware dropper, termed versus.pkg, contains two applications—InstallerAlert.app and versus.app—and a standalone binary named “zoom.” When executed, the “zoom” binary connects to a suspicious domain unrelated to Zoom services and elevates system privileges. Simultaneously, InstallerAlert.app generates an error message that mimics macOS Gatekeeper warnings while deploying a persistence agent.

Despite sharing 86% code similarity with the ChromeUpdate, the Mac-Installer was not flagged by XProtect until it was linked to a revoked Developer ID, which allowed researchers to uncover further Flexible-Ferret samples.

According to SentinelOne, the “Contagious Interview” campaign exemplifies ongoing, active threat actor maneuvers where adversaries adapt signed applications into functionally similar unsigned versions to evade security measures. This includes diverse tactics aimed at a broad range of targets within the developer community, facilitated through social media and code-sharing sites such as GitHub.

flexible-ferret-malware-targets-mac-users-by-doding-xprotect-measures
Image: SentinelOne

Researchers pointed out that threat actor groups focused on macOS include prominent entities from North Korea, China, and Russia. Boris Cipot, a senior security engineer at Black Duck, emphasized the continuous evolution of techniques to bypass security defenses.

Apple’s recent signature update targeted several components of this malware family, including a backdoor disguised as an operating system file named com.apple.secd, in addition to the ChromeUpdate and CameraAccess persistence modules. Notably, components in the FERRET malware family exhibit commonalities with others associated with DPRK campaigns, including file sharing through Dropbox and IP resolution via api.ipify.org.


Featured image credit: Wesson Wang/Unsplash

Tags: Cybersecuritymac

Related Posts

Z.AI GLM-4.6 boosts context window to 200K tokens

Z.AI GLM-4.6 boosts context window to 200K tokens

October 2, 2025
OpenAI releases Sora 2, iOS app with real-world inserts

OpenAI releases Sora 2, iOS app with real-world inserts

October 2, 2025
Bitrig: SwiftUI apps from voice using Apple Intelligence

Bitrig: SwiftUI apps from voice using Apple Intelligence

October 2, 2025
Bengio warns hyper-AI preservation goals threaten humanity

Bengio warns hyper-AI preservation goals threaten humanity

October 2, 2025
Apple TV 4K to feature A17 Pro chip and Apple Intelligence

Apple TV 4K to feature A17 Pro chip and Apple Intelligence

October 2, 2025
Instagram tests Reels-first home tab in India

Instagram tests Reels-first home tab in India

October 2, 2025

LATEST NEWS

Z.AI GLM-4.6 boosts context window to 200K tokens

OpenAI releases Sora 2, iOS app with real-world inserts

Bitrig: SwiftUI apps from voice using Apple Intelligence

Bengio warns hyper-AI preservation goals threaten humanity

Apple TV 4K to feature A17 Pro chip and Apple Intelligence

Instagram tests Reels-first home tab in India

Dataconomy

COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.

  • About
  • Imprint
  • Contact
  • Legal & Privacy

Follow Us

  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
No Result
View All Result
Subscribe

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy Policy.