{“lastseen”:”2025-11-26T16:20:19″,”description”:”Researchers have discovered a new attack targeting Mac users. It lures them to a fake job website, then tricks them into downloading malware via a bogus software update.\\n\\nThe attackers pose as recruiters and contact people via LinkedIn, encouraging them to apply for a role. As part of the application process, victims are required to record a video introduction and upload it to a special website.\\n\\nOn that website, visitors are tricked into installing a so-called update for FFmpeg media file-processing software which is, in reality, a backdoor. This method, known as the Contagious Interview campaign, points to the Democratic People\u2019s Republic of Korea (DPRK).\\n\\nContagious Interview is an illicit job-platform campaign that targets job seekers with social engineering tactics. The actors impersonate well-known brands and actively recruit software developers, artificial intelligence researchers, cryptocurrency professionals, and candidates for both technical and non-technical roles.\\n\\nThe malicious website first asks the victim to complete a \\”job assessment.\\” When the applicant tries to record a video, the site claims that access to the camera or microphone is blocked. To \\”fix\\” it, the site prompts the user to download an \\”update\\” for FFmpeg.\\n\\nMuch like in ClickFix attacks, victims are given a curl command to run in their Terminal. That command downloads a script which ultimately installs a backdoor onto their system. A \\”decoy\\” application then appears with a window styled to look like Chrome, telling the user Chrome needs camera access. Next, a window prompts for the user’s password, which, once entered, is sent to the attackers via Dropbox.\\n\\nImages courtesy of Jamf\\n\\nThe end-goal of the attackers is Flexible Ferret, a multi-stage macOS malware chain active since early 2025. Here\u2019s what it does and why it\u2019s dangerous for affected Macs and users:\\n\\nAfter stealing the password, the malware immediately establishes persistence by creating a LaunchAgent. This ensures it reloads every time the user logs in, giving attackers long-term, covert access to the infected Mac.\\n\\nFlexibleFerret\u2019s core payload is a Go-based backdoor. It enables attackers to:\\n\\n * Collect detailed information about the victim\u2019s device and environment\\n * Upload and download files\\n * Execute shell commands (providing full system control)\\n * Extract Chrome browser profile data\\n * Automate additional credential and data theft\\n\\n\\n\\nBasically, this means the infected Mac becomes part of a remote-controlled botnet with direct access for cybercriminals.\\n\\n## How to stay safe\\n\\nWhile this campaign targets Mac users, that doesn’t mean Windows users are safe. The same lure is used, but the attacker is known to use the information stealer InvisibleFerret against Windows users.\\n\\nThe best way to stay safe is to be able to recognize attacks like these, but there are some other things you can do.\\n\\n * Always keep your operating system, software, and security tools updated regularly with the latest patches to close vulnerabilities.\\n * Do not follow instructions to execute code on your machine that you don\u2019t fully understand. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action\u2019s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.\\n * Use a real-time anti-malware solution with a web protection component.\\n * Be extremely cautious with unsolicited communications, especially those inviting you to meetings or requesting software installs or updates; verify the sender and context independently.\\n * Avoid clicking on links or downloading attachments from unknown or unexpected sources. Verify their authenticity first.\\n * Compare the URL in the browser\u2019s address bar to what you\u2019re expecting.\\n\\n\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.”,”published”:”2025-11-26T14:11:26″,”modified”:”2025-11-26T14:11:26″,”type”:”malwarebytes”,”title”:”Fake LinkedIn jobs trick Mac users into downloading Flexible Ferret malware”,”source”:””,”references”:””,”id”:”MALWAREBYTES:AAAC15C915F159664F3E8FB69FC2E360″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2025\/11\/fake-linkedin-jobs-trick-mac-users-into-downloading-flexible-ferret-malware”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-26T16:20:19″,”description”:”Researchers have discovered a new attack targeting Mac users. It lures them to a fake job website, then tricks them into downloading malware via a…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-27734","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n