New macOS malware disguises itself as Chrome & Zoom installers
North Korean hackers are using fake job offers and disguised app updates to sneak malware onto Macs, and while Apple's latest XProtect update blocks some threats, others are still slipping through.

MacBook Pro
Security researchers from SentinelLabs have identified fresh variants of a North Korean malware family, dubbed "FlexibleFerret," which is actively exploiting macOS users. The malware is part of a broader campaign known as "Contagious Interview," where attackers pose as recruiters to trick job seekers into installing malicious software.
Apple responded with an XProtect signature update to counter these threats, blocking several variants, including FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES.
XProtect is Apple's built-in malware detection and removal tool for macOS, designed to identify and block known malicious software. It runs silently in the background, using regularly updated security signatures to detect threats when files are downloaded or executed.
Unlike traditional antivirus software, XProtect operates at the system level with minimal user interaction, automatically protecting Macs without requiring manual scans.

Some malware components found in FlexibleFerret share similarities with the Stage 2 payloads used in North Korea's Hidden Risk campaign. Image credit: SentinelOne
The malware campaign has evolved from earlier DPRK-attributed threats discovered in December and January. Attackers are using deceptive tactics such as fake Chrome updates and disguised Zoom installers to infect macOS systems.
The malware's persistence mechanisms and data exfiltration methods indicate a well-funded, state-backed operation.
How the malware spreads
The FlexibleFerret malware primarily spreads through social engineering. Victims are tricked into downloading a seemingly legitimate app, such as VCam or CameraAccess, after encountering an error message during a fake job interview.
In reality, these apps install a malicious persistence agent that runs in the background, stealing sensitive data. One identified package, versus.pkg, contains multiple malicious components, including InstallerAlert.app, versus.app, and a rogue binary named zoom.
Once executed, the malware installs a launch agent to maintain persistence and communicates with a command-and-control server via Dropbox.

File contents of the FlexibleFerret dropper, versus.pkg. Image credit: SentinelOne
Apple's latest XProtect update blocks key malware components disguised as macOS system files, including com.apple.secd. However, some FlexibleFerret variants remain undetected, highlighting the evolving nature of these threats.
Protecting your Mac
Mac users should be cautious when downloading software from untrusted sources and skeptical of unexpected software installation prompts. Apple's built-in security measures provide a first line of defense, but additional endpoint security solutions can help detect and block emerging threats.
Tools like Malwarebytes, Sophos Home, and CleanMyMac X offer extra layers of protection against cyber attacks.
Read on AppleInsider
Comments
So far as Zoom goes I never thought to run Zoom inside of Chrome.
But as an Apple aficionado, do remind yourself that Apple has a cohabitation with Google to the tune of $20 Billion. So that when you run an Apple search with an internet access you are going through Apple's/Google's Portal not some proprietary, indie thingamajig like DuckQuackDuack or Wolfram. Or worst yet, Bing
I wouldn't suggest that Google is spyware but more like a GIANT Cookie. But there are multiple ways to squelch that. Also Google Gmail is superb at squashing out spam. If you ever had the misery of using MS Outlook or Gosh
I recall the days before Gmail arrived on the scene in the early 2000s like most folks I used Hotmail. For every 20 emails, 18 were spam of the worst kind. A real clogged toilet.
So do give credit where it's use: Google~Gmail, Google~Search. Top Class. How they get their revenue? So that you don't pay for Gmail or Search? By surreptitiously marketing your info. Not happy, subscribe to Incogni they will wipe your data from all the many data brokers out there.
Of course, my new apartment complex uses the #-sign in front of my apartment number in the subject line, causing all their mail to go to Junk mail, then to Trash. When I sent them the website, they said that's normal but they'll try and not include it on my email. Read this article, which justifies my desire for Apple to be proactive: https://www.aura.com/learn/how-to-identify-phishing-emails