The FlexibleFerret malware campaign targets macOS users through fake job recruitment websites that host malicious JavaScript files. These scripts prompt users to execute shell commands that download and run a multi-stage payload. The initial shell scripts fetch a Golang-based backdoor that establishes persistence on the infected system, allowing the attacker to maintain long-term access. This backdoor can perform a range of malicious activities including system reconnaissance, file upload/download, command execution, and credential theft specifically targeting Chrome browser data. The malware uses Dropbox as a covert exfiltration channel to send stolen credentials and data back to the attackers, complicating network detection due to legitimate cloud service usage. The campaign is attributed to DPRK-aligned operators known for sophisticated cyber espionage. The attack chain heavily relies on social engineering, convincing victims to execute commands manually, which lowers automation but increases success against untrained users. The malware employs multiple MITRE ATT&CK techniques such as T1059.004 (command and scripting interpreter: Unix shell), T1547.001 (boot or logon autostart execution), and T1555.003 (credentials from web browsers). There is no known CVSS score or public exploit code, but the campaign is active and evolving, as noted by security researchers. The threat primarily affects macOS environments, which are less commonly targeted but increasingly important in enterprise and government sectors.

For European organizations, the FlexibleFerret campaign poses a significant risk to confidentiality and integrity, particularly through credential theft and persistent backdoor access. Organizations with macOS endpoints, such as technology firms, research institutions, and government agencies, may suffer data breaches, espionage, and operational disruption. The use of social engineering lowers the technical barrier but increases the risk of successful compromise where user awareness is low. Credential theft from Chrome can lead to lateral movement and further compromise of corporate resources. The use of Dropbox for exfiltration may bypass traditional network security controls, making detection and response more difficult. Persistent access allows attackers to maintain long-term espionage capabilities, potentially impacting sensitive European strategic interests. Although availability impact is limited, the overall threat to data confidentiality and operational security is considerable.

European organizations should implement targeted user awareness training focusing on social engineering and fake job scams, emphasizing the risks of executing unknown scripts or commands. Restrict or disable the execution of JavaScript and shell scripts from untrusted sources, especially on macOS endpoints. Employ endpoint detection and response (EDR) solutions with macOS support to detect suspicious behaviors such as persistence mechanisms, unusual network connections to Dropbox, and credential access attempts. Monitor network traffic for anomalous Dropbox usage patterns that could indicate data exfiltration. Enforce strict application whitelisting and use macOS security features like Gatekeeper and System Integrity Protection (SIP) to limit unauthorized code execution. Regularly audit and update browser security settings to minimize credential exposure. Implement multi-factor authentication (MFA) to reduce the impact of stolen credentials. Finally, maintain up-to-date threat intelligence feeds to detect emerging variants of FlexibleFerret and related campaigns.