A new macOS malware campaign is leveraging a multi-stage infection chain, credential-harvesting decoys and a persistent Go-based backdoor to evade user safeguards and maintain long-term access to targeted systems, according to Jamf Threat Labs.
Researchers say the attack begins with a second-stage shell script that reconstructs a download path and retrieves architecture-specific payloads for both arm64 and Intel Macs. The script unpacks an archive containing the next-stage loader into a temporary directory before launching it in the background.
To ensure persistence, the malware writes a LaunchAgent that forces the loader to run at each login. Victims are then shown a decoy application mimicking legitimate Chrome permission prompts. This ultimately leads to a fake Chrome-style password window designed to harvest user credentials. The stolen data is routed to a Dropbox account, with the malware assembling the Dropbox host from small string fragments to hinder detection. It then uses the official Dropbox upload API for exfiltration and queries api.ipify.org to log the victim’s public IP address.
The third stage triggers a malicious Golang component dubbed CDrivers, which generates a short machine identifier, checks for duplicates, and connects to a hard-coded command server. If communication fails, the malware runs a fallback system-information command and waits five minutes before resuming activity, preventing minor disruptions from halting the operation.
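A defender-side check for the LaunchAgent persistence described above, as an added example that is not part of the Jamf report: it parses LaunchAgent plists and flags entries whose program is staged in a temporary directory and is set to run at login or be kept alive. The sample plists, labels and paths are constructed for illustration, not taken from the campaign.

```python
import plistlib
from pathlib import Path

# Locations where an unpacked loader is typically staged before being launched
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")

def flag_launch_agent(plist_bytes):
    """Classify one LaunchAgent plist. An entry is flagged when the program it
    starts sits in a temp directory AND it auto-starts (RunAtLoad) or is kept
    alive (KeepAlive); a temp-dir program alone is only reported as a reason."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed or non-plist file: report it, keep scanning
        return {"suspicious": False, "program": "", "reasons": [f"unparseable: {exc}"]}
    # The executable is the Program key, else the first ProgramArguments entry
    args = plist.get("ProgramArguments") or []
    prog = str(plist.get("Program") or (args[0] if args else ""))
    reasons = []
    if prog.startswith(TEMP_PREFIXES):
        reasons.append("program staged in a temporary directory")
    if plist.get("RunAtLoad") is True:
        reasons.append("RunAtLoad: runs at every login")
    if plist.get("KeepAlive"):
        reasons.append("KeepAlive: relaunched whenever it exits")
    suspicious = prog.startswith(TEMP_PREFIXES) and len(reasons) > 1
    return {"suspicious": suspicious, "program": prog, "reasons": reasons}

def scan_launch_agents(directory=None):
    """Apply the check to every .plist in a LaunchAgents folder (the user's by default)."""
    directory = Path(directory) if directory else Path.home() / "Library" / "LaunchAgents"
    hits = {}
    for path in directory.glob("*.plist"):
        verdict = flag_launch_agent(path.read_bytes())
        if verdict["suspicious"]:
            hits[str(path)] = verdict
    return hits

# Constructed sample plists (not taken from the campaign) to exercise the check offline
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.sync</string>
<key>ProgramArguments</key><array><string>/Applications/Sync.app/Contents/MacOS/sync</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
STAGED_LOADER = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array><string>/private/tmp/.helper/loader</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
```

Run `scan_launch_agents()` on a Mac to review the current user's agents; a benign agent that auto-starts from a normal install location is not flagged, only one whose program was staged under a temp path.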
Jamf attributes the activity to FlexibleFerret, a North Korea-linked threat group known for social-engineering lures that trick users into manually running malicious scripts. The activity appears to be linked to a fake recruitment campaign associated with the broader Contagious Interview operation.