惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Archives - TechRepublic
Security Archives - TechRepublic
Project Zero
Project Zero
K
Kaspersky official blog
G
Google Developers Blog
T
Threat Research - Cisco Blogs
T
The Blog of Author Tim Ferriss
Cyberwarzone
Cyberwarzone
Y
Y Combinator Blog
Recorded Future
Recorded Future
Blog — PlanetScale
Blog — PlanetScale
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Cisco Talos Blog
Cisco Talos Blog
Latest news
Latest news
Microsoft Security Blog
Microsoft Security Blog
H
Help Net Security
S
Schneier on Security
P
Palo Alto Networks Blog
H
Hacker News: Front Page
N
News and Events Feed by Topic
N
Netflix TechBlog - Medium
博客园 - Franky
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
SecWiki News
SecWiki News
Cloudbric
Cloudbric
TaoSecurity Blog
TaoSecurity Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
The Hacker News
The Hacker News
C
Check Point Blog
L
LangChain Blog
腾讯CDC
小众软件
小众软件
T
Tenable Blog
Google DeepMind News
Google DeepMind News
GbyAI
GbyAI
L
LINUX DO - 最新话题
A
About on SuperTechFans
Google Online Security Blog
Google Online Security Blog
C
Cisco Blogs
Recent Announcements
Recent Announcements
Hacker News: Ask HN
Hacker News: Ask HN
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Vercel News
Vercel News
雷峰网
雷峰网
美团技术团队
D
DataBreaches.Net
Martin Fowler
Martin Fowler
Help Net Security
Help Net Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
F
Full Disclosure
博客园_首页

Jamf Blog

Jamf Nation Live 2026 London and Berlin: AI Governance and DDM 5 Mac Security Gaps Hiding in Your Apple Fleet Classroom Management Tools and Student Learning Outcomes Mobile forensics, minutes not weeks Turn Security Signals into Action with Jamf and Amplifier Security Strengthen Jamf Zero Trust Network Access With Dedicated Internet Gateway Jamf AI Assistant Now Available: Smarter Apple Device Management and Security MacBook Neo: The New Enterprise Entry Point for Mac at Scale Boost Employee Productivity in the Enterprise with Jamf Platform Authentication and Declarative Device Management: The Future of Apple Management Automation for Small IT Teams: Save Time Managing Macs What a lower-cost MacBook Neo means for education Where Apple Meets the Enterprise: Jamf’s Interoperability Advantage for Secure, Automated Access Control Simplify access, secure your apps: why SSO matters for K-12 Inside Predator’s kernel engine RSA Conference 2026 recap: AI security, enterprise mobile security and the shift to connected security platforms ClickFix technique uses Script Editor instead of Terminal on macOS Why Mac configurations fall out of sync — and how to fix them G2 names Jamf in its 2026 Best Software Awards across three categories Empowering Mac users: How Jamf Self Service+ reduces tier one support overhead for enterprise IT teams Privacy by default, flexible when required: introducing limited privacy in Jamf Safe Internet From arrival to discharge: how iOS is reimagining the healthcare journey Federated Identity Management for K-12 Education Identity and access management in K-12 schools OpenClaw: the helpful AI that could quietly become your biggest insider threat Get Started with Scripting Series: macOS Terminal, Scripting and Jamf Pro API Managing Apple devices at Black Hat Europe with Jamf Scaling device deployments without scaling your IT team How Predator spyware defeats iOS recording indicators Making Mac work in a PC world The hidden costs of manual device provisioning Threat Actors Expand Abuse of Microsoft Visual Studio Code Mac management and security for lean IT teams Automated certificate management and device security integration The hidden risks in your mobile apps “Mac in 2026: Secure by Design Meets the Enterprise” webinar Jamf named a Unified Endpoint Management leader…again! Jamf recognized as a Leader in 2026 Gartner® Magic Quadrant™ for Endpoint Management Tools Predator’s kill switch: undocumented anti-analysis techniques in iOS spyware 2026: what to expect in tech Retail runs on iOS: Let’s take a tour through Jamf’s booth at NRF 2026 From ClickFix to code signed: the quiet shift of MacSync Stealer malware Jamf After Dark: How WorkBrew solves Homebrew security and compliance for Mac developers Managing emerging technologies: A playbook for modern IT leaders How schools can maximize learning using Apple devices and Jamf Practical intelligence: why it matters for enterprise teams Jamf Connect Q&A Jamf After Dark October recap: platform progress, identity shifts and security insights Powering managed virtualization and Windows app delivery in Mac-first enterprises Managing Jamf configuration with Terraform and GitOps workflows Back to security basics: phishing Introducing the Jamf 140 Course HIMSS 2026 recap Introducing Beacon by Jamf Threat Labs GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer Android and Jamf: manage and secure your mobile fleet Social engineering in K-12 for beginners Jamf Nation Live 2026: Hands-On Apple Expertise Across Six Cities Developer Mode-as-a-Defense: How iOS Security Features Deter Nation-State Spyware Stop chasing passwords: how school IT can reduce reset tickets Bring Your Own Key (BYOK): Take Control of Your Encryption in Jamf Cloud DarkSword iOS Exploit Kit: 3 Lessons for Mobile Security Threat Labs Jamf Training Celebrates 20 Years of Apple IT Education and Certification Balancing Safety and Learning: K-12 Content Filtering for IT Admins Why Mac security updates take too long and how to fix it Why the Jamf platform is the natural foundation for MSPs Jamf After Dark: mobile forensics Introducing the redesigned Mac threat prevention. Now available in beta.  Beyond access: rethinking the complete Apple deployment strategy for education Gain faster updates and real-time fleet visibility with DDM What the Canvas breach tells us about the state of education security Why K-12 students need web filtering that travels with their devices Jamf spotlighted in Okta Businesses at Work 2026 Report Jamf Nation Live 2026 recap MobiDash internals: ghost clicks and SSH tunnels in commercial adware Tech Partner Spotlight: Jamf + SmallStep MacBook Neo in K-12 Closing the gaps: How Jamf protects macOS and iOS with real-time threat prevention MSP engineering: The art of scoping in Jamf Pro at scale Mac in education is evolving. Jamf School makes it simple Why Apple devices deserve security built for them Seamless Learning Access: Simplicity that puts learning first Reducing IT firefighting: Fewer failed updates, less manual cleanup Apple WWDC26: Keynote recap How Jamf helps maximize your Microsoft investments MTE as a microscope WWDC26: Key takeaways for education institutions WWDC26: Key takeaways for Apple admins The JNUC 2026 session catalog is live — and the clock is ticking Jamf After Dark: Why we moved 1,900+ Apple devices back to Jamf AI governance for Mac: bringing AI under management AI Adoption Is High, Governance Is Lagging Klue Third-Party Cybersecurity Incident How Identity Automation, Claris, and Jamf Simplify Apple Workflows for Education What Is AI Governance? How Proactive Device Status Reporting Transforms Mac Fleet Visibility AI Governance on Mac: A Practical Guide for IT and Security Teams Restaurants Run on iOS: Jamf and IPORT at the NRA Show AI Governance on Mac: A Practical Guide for IT and Security Teams PamStealer: macOS Malware Posing as Clipboard Manager App
FlexibleFerret malware continues to strike
Jamf Threat Labs · 2026-04-11 · via Jamf Blog

Beware of fake job assessments that ask you to run Terminal commands — they could be a social engineering scheme to deploy the FlexibleFerret malware and steal your credentials. Jamf Threat Labs analyzes their latest discovery.

Illustration of a ferret in a computer room doing yoga

Author: Ferdous Saljooki

Introduction

Early in 2025, a SentinelOne blog post brought to light a malware family known as FlexibleFerret. This malware family is attributed to DPRK-aligned operators and tied to fake recruitment lures associated with the Contagious Interview operation. In this operation, individuals are led through staged hiring tasks that result in the execution of malicious instructions.

Earlier this month, Validin released a blog highlighting the details of an attack that they identified as a new variant of the Contagious Interview campaign. Jamf Threat Labs has been tracking similar activity stemming from in-the-wild detections that began with the execution of a script called /var/tmp/macpatch.sh. This script matched indicators of the previously used FlexibleFerret shell loader. Subsequent threat hunting on VirusTotal surfaced several recently uploaded JavaScript files referencing this shell script. Each of these JavaScript files had low detections, providing an opportunity to analyze the latest iteration of FlexibleFerret.

VirusTotal listings for six JavaScript files, each with 4 or fewer detections

VirusTotal listings

Social engineering and stage one

These JavaScript files are used on fake recruitment websites created by the attacker. One such example was evaluza[.]com. The websites are first designed to convince a user that a potential job exists for them and that they must complete a hiring assessment to be considered. A LinkedIn user publicly reported receiving a nearly identical lure, describing how they were asked to upload a video introduction and provide personal details through the same domain.

LinkedIn post with text mentioning a recruitment scam, highlighting suspicious behavior and showing a fake recruiter's LinkedIn profile

LinkedIn post highlighting recruitment scams

In addition to evaluza[.]com, a separate JavaScript file references proficiencycert[.]com, which hosts another recruitment-themed lure. A unique application link identified during analysis, proficiencycert[.]com/apply/o5s3x9e7i4w1mwie3h6j3ygf, presents a staged hiring assessment branded as "Blockchain Capital Operations Manager Hiring Assessment." The JavaScript includes a broad catalog of job lures and selects a matching role and company based on the apply link to tailor the page to the intended target.

The page instructs the visitor to begin a timed assessment and lists job responsibilities, mirroring the type of professional context used to socially engineer targets.

After filling out the job assessment, applicants are then asked to record a video introduction on a fake assessment portal and then execute a provided macOS command in the Terminal, which initiates the malware on the victim's system. This activity reflects many of the social engineering techniques used in previous Contagious Interview operations (such as that reported by researcher tayvano).

In one of the JavaScript samples analyzed by Jamf Threat Labs, the attacker attempts to persuade the victim to execute the curl command by claiming that camera or microphone access is blocked, presenting the curl command as the required fix.

Prompt encouraging users to run a curl command to grant access to the camera and microphone

Prompt for camera and microphone access

The command built by the JavaScript combines several variables to produce a curl command that downloads a secondary payload to /var/tmp/macpatch.sh, marks it executable, and launches it in the background.

The executable called by the curl command, which downloads a secondary payload.

Secondary payload fetched by the curl command

Stage two

Using the URL components extracted in stage one, the second‑stage download path can be constructed:

hXXps://app.zynoracreative.com/updrv8/drvMac-as7t.patch

Retrieving this file reveals the next-stage shell script (macpatch.sh, also uploaded as cdrivMac.sh).

The script performs the following actions:

1. Determines the host architecture

The script first branches on uname -m to decide which payload to fetch:

  • arm64 hosts: hXXps://app.zynoracreative.com/updrv8/drv-Arm64.patch
  • Intel hosts: hXXps://app.zynoracreative.com/updrv8/drv-Intel.patch

2. Downloads and unpacks the stage three backdoor

The chosen archive is written to /var/tmp/CDrivers.zip and extracted into /var/tmp/CDrivers. If the expected loader (drivfixer.sh) is present, the script marks it executable and launches it in the background.

3. Establishes persistence

The script writes a LaunchAgent to~/Library/LaunchAgents/com.driver9990as7tpatch.plist

The plist points to the extracted loader (drivfixer.sh) inside /var/tmp/CDrivers and is intended to run at login.

4. Displays a decoy application to harvest credentials

If the extracted directory contains the ad-hoc signed application MediaPatcher.app, the script launches it.

Window showing the MediaPatcher app is validly signed with an ad-hoc signature and including options to view hashes and entitlements

Ad-hoc signed MediaPatcher.app

The decoy application first shows a fake Chrome camera access prompt to establish legitimacy. It then presents a Chrome-style password prompt, capturing whatever the user enters and sends it to a Dropbox account.

Two Chrome-style prompts, one asking for access to the camera and one requesting a password

Left: fake Chrome camera access prompt | Right: Chrome-style password prompt

In this variant, the Dropbox exfiltration host is constructed by concatenating short string fragments to form content.dropboxapi.com. The malware uses Dropbox’s legitimate file upload API as its exfiltration channel for passwords, issuing an authenticated POST request to content.dropboxapi.com/2/files/upload. It also queries api.ipify.org to obtain the victim’s public IP address, consistent with earlier FlexibleFerret activity.

File showing construction of the Dropbox exfiltration host by concatenating string fragments

Constructing the exfiltration host via concatenation

Stage three

The third stage begins when the previously downloaded archive (/var/tmp/CDrivers.zip) is extracted, and its loader script (drivfixer.sh) is executed.

The extracted directory contains a malicious Golang project named CDrivers, which closely mirrors the structure and functionality of the backdoor previously analyzed by researcher dmpdump.

Directory called

Extracted directory with malicious Golang project

The loader script(drivfixer.sh)simply invokes the Go source file driv.go using the bundled Go runtime.

Bash script invoking the Go source file

Script invoking the Go source file

Upon execution of driv.go it generates a 4‑byte random machine identifier and stores it in a .host file under the user’s temporary directory, reusing it on subsequent runs. Before executing, it performs delay and duplicate‑instance checks, then registers itself as the active instance. Finally, it contacts the hard‑coded C2 server at hXXp://95.169.180.140:8080 and begins the first communication loop by invoking core.StartFirst5179Iter() with the machine ID and C2 url.

The backdoor’s command loop

The Go backdoor then enters a persistent command-processing loop implemented in StartFirst5179Iter. Each iteration performs the following actions:

1. Execute the current command handler

The loop invokes the handler associated with the current command type. Each handler returns:

  • msg_5179_type — the response message type to send back
  • msg_5179_data — the response payload as a set of byte slices

Supported command types are defined in the configuration file loaded by the backdoor and mapped to four-character identifiers. Some of the interesting ones are as follows:

  • qwer — collect system information (username, hostname, OS, architecture)
  • asdf — file upload: receive an archive from the C2 and extract it to disk
  • zxcv — file download: read a file or directory and return the bytes
  • vbcx — execute an OS command, either synchronously with a timeout or asynchronously in detached mode
  • r4ys — automated stealing modes
  • 89io — gather Chrome profile and extension metadata
    • 7ujm — placeholder on macOS (not implemented)
    • gi%# — enumerate Chrome Local Extension Settings directories
    • kyci — collect Chrome Login Data DB and the related keychain file for exfiltration
  • ghdj — sleep/ping
  • dghh — terminate the process

2. Wrap and send the response

The backdoor constructs the outbound message using the machine ID, message type and payload, then delivers it to the C2 using the Htxp_Exchange function.

3. Decode the next C2 command

The response from the C2 is decoded into a command identifier and a list of positional byte-slice arguments, which define what the next loop iteration will execute.

  • cmd_5179_type — command identifier
  • cmd_5179_data — arguments as positional byte slices

4. Error handling and fallback

The loop is wrapped in a recover() block. If a panic occurs during a handler, the malware resets the command type back to the system-information command (qwer) and sleeps for five minutes before continuing. This ensures that temporary failures do not break execution.

Conclusion

This campaign reinforces that FlexibleFerret remains an active threat on macOS, relying on convincing recruitment lures to move targets from a fake hiring flow into running attacker-provided commands in the Terminal that circumvent built-in protections like Gatekeeper. Our analysis links the JavaScript stagers to a familiar multi-stage attack and shows that the threat actor continues refining their social engineering to blend into legitimate-looking processes. Organizations should treat unsolicited "interview" assessments and Terminal-based "fix" instructions as high risk and ensure users know to stop and report these prompts as they continue to become more abundant in the threat landscape.

Indicators of compromise (IoCs)

Dive into more Jamf Threat Labs research on our blog.