FERRET Malware Targets macOS in Sophisticated North Korean Attacks

2025-02-04 • Cybersec Sentinel •

https://cybersecsentinel.com/ferret-malware-targets-macos-in-sophisticated-north-korean-attacks/

#macOS #BeaverTail #InvisibleFerret #Lazarus #OtterCookie #FlexibleFerret #FriendlyFerret

Thumbnail for FERRET Malware Targets macOS in Sophisticated North Korean Attacks

CyberSec Sentinel profiles the DPRK-linked FERRET malware family used in fake job and spear-phishing operations against macOS users. The source describes variants such as InvisibleFerret, FRIENDLYFERRET, FROSTYFERRET_UI, FlexibleFerret, and BeaverTail, with capabilities for persistence, credential theft, system reconnaissance, remote command execution, and file exfiltration. FlexibleFerret is described as using legitimate-looking applications, LaunchAgent persistence, signed or disguised components, Dropbox exfiltration, and api.ipify.org public-IP checks, with targeting noted across defense, aerospace, nuclear, engineering, and cryptocurrency sectors.

Indicators of Compromise

Type	Value	First Seen	Last Seen
DOMAIN	api.ipify.org	2019-12-11	2026-03-17
HASH	3c4becde20e618efb209f97581e9ab6…	2025-02-04	2025-02-19
HASH	831cdcde47b4edbe27524085a6706fb…	2025-02-03	2025-02-06
HASH	7da429f6d2cdd8a63b3930074797b99…	2025-02-03	2025-02-06
HASH	ee7a557347a10f74696dc19512ccc5f…	2025-02-03	2025-02-06
HASH	dba1454fbea1dd917712fbece9d6725…	2025-02-03	2025-02-06
HASH	de3f83af6897a124d1e85a65818a805…	2025-02-03	2025-02-06
HASH	b0caf49884d68f72d2a62aa32d5edf0…	2025-02-03	2025-02-06
HASH	bd73a1c03c24a8cdd744d8a513ae8d2…	2025-02-03	2025-02-06
HASH	76e3cb7be778f22d207623ce1907c16…	2025-02-03	2025-02-06
HASH	17e3906f6c4c97b6f5d10e0e0e7f2a2…	2025-02-03	2025-02-06
HASH	8667078a88dae5471f50473a332f6c8…	2025-02-03	2025-02-06
HASH	b071fbd9c42ff660e3f240e1921533e…	2025-02-03	2025-02-06
HASH	a25dff88aeeaaf9f956446151a9d786…	2025-02-03	2025-02-06
HASH	388ac48764927fa353328104d5a32ad…	2025-02-03	2025-02-06
HASH	203f7cfbf22b30408591e6148f59783…	2025-02-03	2025-02-06
HASH	1a28013e4343fddf13e5c721f91970e…	2025-02-03	2025-02-06
HASH	aa172bdccb8c14f53c059c8433c5390…	2025-02-03	2025-02-06
HASH	3e16c6489bac4ac2d76c555eb1c263c…	2025-02-03	2025-02-06
HASH	2e51218985afcaa18eadc5775e6b374…	2025-02-03	2025-02-06
HASH	d8245cdf6f51216f29a71f25e70de82…	2025-02-03	2025-02-06
HASH	e876ba6e23e09206f358dbd3a3642a7…	2025-02-03	2025-02-06
HASH	828a323b92b24caa5f5e3eff438db45…	2025-02-03	2025-02-06
HASH	7e07765bf8ee2d0b2233039623016d6…	2024-11-07	2025-02-06
HASH	8ffa3d4f4846b168343eb6a72a216abd	2025-02-04	2025-02-04

Related Actors

Lazarus

Novetta

First seen: Feb 2016

Last seen: Jun 2026

Related Reports

2025-02-03 • 67% Match

macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed

Sentinel One

#macOS #ContagiousInterview #FlexibleFerret #FrostyFerret

Shares tags: macOS, FlexibleFerret • Shares 23 IOCs • Published within a week

2025-02-06 • 60% Match

“Contagious Interview” Targets macOS with FlexibleFerret Malware

Hive Pro

#ContagiousInterview #FlexibleFerret #T1567.002 #T1071.001 #T1036 #T1059.004 #T1566.002 #T1567 #T1071 #T1204 #T1547.001 #T1583.001 #T1566 #T1059 #T1105 #T1189 #T1583 #T1547 #T1068 #T1586 #T1202

Shares tag: FlexibleFerret • Shares 22 IOCs • Published within a week

2024-11-14 • 47% Match