North Korean Contagious Interview campaign targets job seekers via FERRET malware

A new report from cybersecurity firm SentinelOne has revealed that North Korean threat actors responsible for the ‘Contagious Interview’ campaign have been observed deploying a collection of Apple macOS malware strains, dubbed FERRET, through a deceptive job interview process. The attack method, which targets both job seekers and unsuspecting individuals, is designed to compromise devices and harvest sensitive data.

First uncovered in late 2023, the Contagious Interview campaign, also tracked as DeceptiveDevelopment and DEV#POPPER, has since evolved into a persistent and sophisticated operation by North Korean hackers to infect victims using fake job interviews.

According to the researchers, potential targets are lured in with a link to communicate with an ‘interviewer’ via video call. When the victim clicks the link, however, they are met with an error message, followed by a request to install or update necessary software such as VCam or CameraAccess for a supposed virtual meeting.

The malicious installers distribute various forms of malware, including a JavaScript-based strain known as BeaverTail, which is capable of harvesting sensitive data such as browser activity, cookies, and even crypto wallet information. BeaverTail also serves as the delivery vehicle for a Python backdoor called InvisibleFerret, which gives the threat actors persistent access to infected systems and lets them control compromised devices remotely.

In addition to BeaverTail and InvisibleFerret, recent findings by Japanese cybersecurity firm NTT Security Holdings have revealed that the JavaScript-based malware also fetches and executes another malware variant called OtterCookie.

“The ‘Contagious Interview’ campaign and the FERRET family of malware represent an ongoing and active campaign, with threat actors pivoting from signed applications to functionally similar unsigned versions as required. Diverse tactics help the threat actors deliver malware to a variety of targets in the developer community, both in targeted efforts and what appears to be more ‘scatter gun’ approaches via social media and code sharing sites like Github,” the report concludes.
