FlexibleFerret: macOS Malware Deploys in Fake Job Scams

2025-11-25 Jamf

https://www.jamf.com/blog/flexibleferret-malware-continues-to-adapt/


Jamf Threat Labs analyzes a recent FlexibleFerret macOS variant attributed to DPRK-aligned operators and tied to Contagious Interview fake recruitment lures. Victims are led through fake hiring assessment sites such as evaluza[.]com and proficiencycert[.]com, then instructed to run a macOS Terminal command framed as a camera or microphone access fix. The infection chain downloads macpatch.sh, selects ARM64 or Intel payloads from app.zynoracreative.com, installs a LaunchAgent for persistence, and launches a decoy MediaPatcher.app that captures passwords and exfiltrates them via Dropbox’s upload API. A later Golang backdoor contacts 95.169.180.140:8080 and supports system profiling, file upload and download, OS command execution, Chrome profile and extension collection, Chrome Login Data and keychain theft, and persistent command polling.

Indicators of Compromise

Type    Value                                First Seen   Last Seen
IPv4    95.169.180.140                       2025-11-23   2026-03-23
DOMAIN  api.ipify.org                        2019-12-11   2026-03-17
URL     https://app.zynoracreative.com/…     2025-11-25   2025-11-25
URL     https://app.zynoracreative.com/…     2025-11-25   2025-11-25
URL     https://app.zynoracreative.com/…     2025-11-25   2025-11-25
DOMAIN  evaluza.com                          2025-11-25   2025-11-25
DOMAIN  app.zynoracreative.com               2025-11-25   2025-11-25
DOMAIN  proficiencycert.com                  2025-11-25   2025-11-25
