By Patricia A. Pramono • Studio 1080, Published on February 27, 2025
Have you ever joined a Zoom call only to be greeted with an unexpected update prompt? Or downloaded Google Chrome, thinking you were just getting the latest version, only to install something far more sinister?
If so, you’re not alone. And unfortunately, cybercriminals know this too.
Hackers are now disguising malware as legitimate Zoom and Chrome installers for MacOS, tricking unsuspecting Mac users into downloading infected software. This isn’t just any random malware campaign. It’s part of an advanced cyber-espionage operation called “Contagious Interview,” linked to North Korean threat actors.
The attack works in an eerily convincing way: victims (often job seekers) are approached with a promising interview opportunity. During the process, they’re asked to install or update essential software like Zoom or Chrome to proceed with the virtual meeting. The reality? The installer is laced with malware from a growing family of viruses dubbed FlexibleFerret.
And while Apple has responded by updating its built-in security tool, XProtect, it hasn’t been able to catch all variants of the malware. This means some of these fake installers are still slipping through, putting Mac users at serious risk.
So what’s going on? Why are hackers suddenly setting their sights on MacOS? And more importantly, how can you protect yourself? Let’s break it down.
What is FlexibleFerret?
Before we go deeper, let’s talk about FlexibleFerret, the malware behind this attack.
FlexibleFerret is a family of malware variants designed specifically to target MacOS. These variants belong to the Ferret malware family, which researchers have linked to the North Korean hacking campaign “Contagious Interview.”
Once a victim unknowingly installs FlexibleFerret (thinking it’s a Zoom or Chrome update), the malware does several things in the background:
- It installs a persistence agent: This means the malware stays on the system even after a reboot. Unlike one-time viruses, it embeds itself into MacOS, making it much harder to remove.
- It steals sensitive data: FlexibleFerret is designed to extract system information, stored credentials, and possibly even keystrokes.
- It uses Dropbox for command & control: Instead of using traditional hacker-controlled servers, FlexibleFerret abuses Dropbox to communicate with its operators. This makes it harder to detect, as it blends in with normal network traffic.
- It bypasses Apple’s security measures: Some versions of FlexibleFerret use Apple Developer IDs to appear as trusted software, bypassing Gatekeeper and XProtect scans.
When installed, the malware doesn’t just sit on your computer; it actively communicates with its command servers, potentially sending stolen data back to its operators.
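The persistence agent described above normally takes the form of a launchd plist in a LaunchAgents or LaunchDaemons folder. The following added example (not code from the article or from the researchers it cites) is a heuristic audit script: it reads the program each launch item starts and flags ones that live in places legitimate vendors rarely use. The path lists and the sample plist are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): heuristic audit of macOS launch items,
# the usual home of a "persistence agent" that survives reboots. Path rules
# below are assumptions for this example, not an Apple rule; treat hits as leads.

# Print the first program path in a launchd plist (Program or ProgramArguments).
launch_item_program() {
    awk '/<key>(Program|ProgramArguments)<\/key>/ { want = 1 }
         want && index($0, "<string>") {
             s = substr($0, index($0, "<string>") + 8)
             print substr(s, 1, index(s, "</string>") - 1); exit
         }' "$1"
}

# Classify one plist as OK, REVIEW or SUSPECT by where its program lives.
classify_launch_item() {
    case "$(launch_item_program "$1")" in
        /tmp/*|/private/tmp/*|/var/tmp/*|*/.*|/Users/*/Library/*)   echo SUSPECT ;;
        /Applications/*|/System/*|/usr/*|/bin/*|/sbin/*|/Library/Apple/*) echo OK ;;
        *)                                                           echo REVIEW ;;
    esac
}

# Walk the standard launch item folders and report everything that is not OK.
scan_launch_items() {
    for dir in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            v=$(classify_launch_item "$plist")
            [ "$v" = OK ] || echo "$v $plist -> $(launch_item_program "$plist")"
        done
    done
}

# Constructed sample plist (made-up label and path, not a real indicator).
SAMPLE_PLIST='<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Caches/.updater</string><string>--daemon</string></array>
</dict></plist>'

# Write the sample to a temp file and classify it; prints the verdict.
demo_sample_verdict() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PLIST" > "$tmp"
    classify_launch_item "$tmp"
    rm -f "$tmp"
}
```

Run `scan_launch_items` on a Mac to list anything that deserves a second look; a hidden binary under the user's Library folder, as in the sample, is the kind of entry to investigate.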
What is the “Contagious Interview” Operation?
This is a well-crafted social engineering attack designed to prey on job seekers, people who are likely to be eager, trusting, and willing to follow instructions from a potential employer. The hackers behind it are impersonating recruiters from well-known companies.
The attack unfolds like this:
1. The Fake Recruitment Process: The victim is contacted, usually via LinkedIn, email, or messaging platforms, by someone posing as a recruiter. They claim to represent a prestigious company and offer an exciting job opportunity.
2. The Convincing Interview Stage: Once the target expresses interest, they’re invited to a virtual interview. The "recruiter" might provide documents, job descriptions, or other materials to make everything seem legitimate.
3. The Malware Setup: At some point, the victim is told that they need to install or update Zoom, Google Chrome, or another communication tool to proceed with the interview. Since most people have experienced software update prompts before an online call, this doesn’t raise suspicion.
4. The Infection: Instead of a real software update, the victim downloads malware disguised as an installer (FlexibleFerret). Once executed, it secretly installs a persistent backdoor, allowing the hackers to steal sensitive data, record activity, and even access system files.
This approach isn’t new. A similar operation called “Dream Job” also targeted professionals with fake job offers. The key difference? Dream Job primarily focused on Windows users, while Contagious Interview is now shifting to macOS.
Why Is MacOS Targeted?
For years, Mac users have proudly stated, “Macs don’t get viruses.” It’s been one of Apple’s biggest selling points. Macs were seen as the safer alternative to Windows when it came to cybersecurity.
But that statement is outdated. MacOS is not invincible, and cybercriminals have caught on.
So why are hackers now shifting their focus to Mac users?
1. The Growing Popularity of MacOS
Macs were once a niche product, mostly favored by creative professionals like designers, video editors, and musicians. But over the past decade, Apple has expanded its influence into the corporate and tech world. Now, you’ll find MacBooks in the hands of:
- Developers & Engineers: Many software engineers, coders, and IT professionals now prefer MacBooks for development work.
- Startups & Business Executives: The sleek design and seamless integration with iPhones make Macs a go-to choice for entrepreneurs and CEOs.
- Enterprise Environments: Large companies have started providing employees with Macs due to their longevity and lower maintenance needs.
As MacOS becomes more common in high-value industries like technology and finance, hackers see more opportunities to infiltrate systems and steal sensitive data.
2. The False Sense of Security Among Mac Users
One of the biggest reasons Mac users are prime targets is simple: they don’t expect to be attacked.
For years, Mac users have relied on built-in security features like Gatekeeper, XProtect, and System Integrity Protection (SIP) to automatically block malicious apps. Unlike Windows users, who are accustomed to installing third-party antivirus software, many Mac users don’t take extra security precautions.
Hackers exploit this. If you think you’re immune to cyber threats, you’re less likely to double-check before installing an update, clicking a link, or verifying a software source.
3. MacOS Security Gaps
MacOS has a different security architecture compared to Windows, which means attackers need different methods to infiltrate it.
Some key factors that make MacOS vulnerable:
- Gatekeeper has flaws: Apple's Gatekeeper is designed to block unverified apps, but hackers have found ways to bypass it using signed or notarized malware (meaning it appears legitimate to the system).
- Malware delivery via social engineering: MacOS malware often doesn’t rely on traditional exploits (like Windows ransomware does). Instead, hackers trick users into installing the malware themselves (as seen in Contagious Interview).
- Security updates take time: While Apple is quick to patch vulnerabilities, there’s always a gap between malware discovery and Apple’s response. In that window, attackers can infect thousands of users before a fix is deployed.
- Bypassing XProtect: Apple’s built-in malware detection tool, XProtect, works silently in the background, but it relies on known signatures. If the malware is new or disguised well enough, it can slip through undetected (which is exactly what some variants of FlexibleFerret in this case have done).
Again, hackers don’t target MacOS because it’s weak; they target it because users aren’t expecting it. The shift from Windows to Mac attacks is strategic, focusing on high-value individuals and organizations where one successful infection can lead to major security breaches.
Apple’s Responses
As soon as researchers uncovered FlexibleFerret and its connection to the Contagious Interview campaign, Apple pushed a security update to its built-in malware protection system, XProtect.
For those unfamiliar, XProtect is Apple’s on-device malware detection tool that runs silently in the background of every Mac. Unlike traditional antivirus software, it doesn’t require user input — it automatically scans files when they are downloaded, opened, or modified, blocking anything that matches its list of known malware signatures.
In response to FlexibleFerret, Apple then updated XProtect’s malware definitions to block several known variants of the Ferret malware family, including:
- FROSTYFERRET_UI
- FRIENDLYFERRET_SECD
- MULTI_FROSTYFERRET_CMDCODES
Each of these variants was designed to evade detection and steal sensitive information from infected Macs, using different persistence mechanisms to remain active even after a reboot. Apple’s security update aims to detect and remove these threats before they can cause damage, adding a crucial layer of defense for Mac users.
However, while Apple’s update is a positive step, it’s not a complete fix. Security researchers warn that not all variants of FlexibleFerret have been blocked, meaning some strains are still undetected by XProtect.
Apple is constantly updating XProtect with new definitions, and the macOS 15.3 update introduced additional security measures to prevent malware from installing persistence agents. Even so, as long as users can be tricked into installing fake Zoom and Chrome updates, malware will continue to spread.
How Can You Protect Yourself?
Despite Apple’s updates, your best defense is awareness and good cybersecurity habits. Here’s what you can do:
- Download software only from official sources: Always get Zoom, Chrome, or any app directly from the official website or the App Store.
- Beware of unexpected updates: If a job interview requires you to download or update an app, double-check with the company’s official site before proceeding.
- Keep MacOS updated: While updates aren’t a complete guarantee, they do provide essential security patches.
- Use additional security tools: Consider using reputable antivirus software for extra protection.
- Trust, but verify: If something feels odd (like a recruiter pushing software updates), it’s always best to double-check.
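The "download only from official sources" and "trust, but verify" advice above can be made concrete before an installer is ever opened: check that the file is signed by the vendor's own Developer ID team, not merely by some Developer ID (the article notes that signed malware exists). The added example below is not code from the article; EXPECTED_TEAM_ID is an assumption you fill in from the vendor's own website, and because codesign and spctl exist only on macOS, the parsing is split out and exercised on constructed sample output.

```shell
#!/bin/sh
# Added example (not from the article): confirm a downloaded .app or .pkg is
# signed by the expected vendor Team ID before opening it. A "Developer ID" on
# its own proves little; the Team ID must match what the vendor publishes.
# check_installer needs macOS; the helpers below run anywhere.

# Extract the TeamIdentifier from `codesign -dvv` output (codesign writes it to
# stderr). Prints the ID, or "none" for unsigned or ad-hoc signed files.
team_id_from_codesign_output() {
    id=$(printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    if [ -z "$id" ] || [ "$id" = "not set" ]; then echo none; else echo "$id"; fi
}

# Compare the signing team ($1 = codesign output) with the expected ID ($2).
# Prints OK, UNSIGNED or "MISMATCH (<actual>)" and returns 0 only for OK.
signature_verdict() {
    actual=$(team_id_from_codesign_output "$1")
    case "$actual" in
        none)  echo UNSIGNED; return 1 ;;
        "$2")  echo OK; return 0 ;;
        *)     echo "MISMATCH ($actual)"; return 1 ;;
    esac
}

# macOS only: signature check plus the Gatekeeper assessment the Finder would apply.
check_installer() {
    path=$1; expected=$2
    signature_verdict "$(codesign -dvv "$path" 2>&1)" "$expected" || return 1
    case "$path" in *.pkg) type=install ;; *) type=execute ;; esac
    spctl -a -t "$type" -v "$path" 2>&1 | grep -q ': accepted' \
        || { echo "Gatekeeper rejected $path"; return 1; }
    echo "Gatekeeper accepted $path"
}

# Constructed codesign output with a made-up team ID (not a real vendor's).
SAMPLE_SIGNED='Executable=/Users/alice/Downloads/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'
SAMPLE_UNSIGNED='/Users/alice/Downloads/Other.app: code object is not signed at all'
```

On a Mac, `check_installer ~/Downloads/SomeApp.app EXPECTED_TEAM_ID` gives a verdict; a MISMATCH on a file that claims to be Zoom or Chrome is exactly the case this article warns about.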
MacOS isn’t invincible, and this latest fake Zoom & Chrome installer malware proves it. Cybercriminals are getting more creative, using social engineering tactics that prey on job seekers and professionals.
The best way to stay safe? Be cautious, verify your downloads, and never assume that a Mac is immune to cyber threats.