Reporting on North Korean malware underlines the endurance and evolution of a known threat vector
Event
On 3 February 2025, a malware strain called ‘FlexibleFerret’ was identified by SentinelOne, targeting macOS and evading Apple’s built-in antivirus program [LINK]. SentinelOne has linked it to the North Korean Ferret malware family, which has appeared in reporting since 2023 [LINK].
Assessment
This incident represents the continuation of a North Korean cyber campaign, tracked as Contagious Interview by Unit 42, in which threat actors impersonate recruiters to deceive targets into downloading malware [LINK]. The campaign’s primary objectives are to exfiltrate sensitive information and steal cryptocurrency wallets, for intelligence collection and revenue generation [LINK].
The standard operating procedure (see graphic below) involves threat actors impersonating recruiters to lure targets into fake interviews for non-existent remote jobs. The malware is often disguised as legitimate software that is claimed to be necessary for the interview [LINK]. Alternatively, during an online interview the target is pressed to download malware camouflaged as a GitHub package, ostensibly for analysis during the call [LINK]. Malware is also being posted to fake issues on GitHub repositories [LINK].
Once downloaded, an initial malware, named ‘BeaverTail’, exfiltrates data and searches browsers for cryptocurrency wallets. It then opens a backdoor called ‘InvisibleFerret’, which enables further collection of sensitive data via keylogging and remote-access control [LINK]. The latest variant, ‘FlexibleFerret’, installs a persistence mechanism to maintain control of the infected system while masquerading as a legitimate application [LINK].
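The report does not say which persistence mechanism FlexibleFerret installs on macOS. As an added illustration of the kind of check a defender would run after reading this, and not code from the report or from SentinelOne, the Python script below audits launchd property lists under the standard macOS LaunchAgent and LaunchDaemon directories and flags entries whose executable lives outside locations where vendor-installed items normally sit, or which carry an Apple-style label while pointing at a non-Apple binary. The directory list, the heuristics, and the two sample plists it writes to a temporary folder are assumptions of this example, not indicators from the report.

```python
import plistlib
import tempfile
from pathlib import Path

# Standard launchd locations on macOS (an assumption of this example; the report
# does not name the mechanism FlexibleFerret uses). audit_launch_items() takes an
# explicit list so it can also be pointed at a mounted image or a sample directory.
PERSISTENCE_DIRS = [
    "~/Library/LaunchAgents",
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]

# Prefixes under which vendor- or user-installed launch items normally run.
TRUSTED_PREFIXES = (
    "/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/",
    "/Applications/", "/usr/local/", "/opt/homebrew/",
)
# Locations a legitimate launch item rarely executes from.
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def program_of(plist: dict):
    """Return the executable a launchd plist runs: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    return args[0] if args else None


def assess_plist(plist: dict) -> list:
    """Return human-readable reasons this plist looks like malware persistence."""
    reasons = []
    label = plist.get("Label", "")
    prog = program_of(plist)
    if prog is None:
        reasons.append("no Program or ProgramArguments")
        return reasons
    if not prog.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted prefixes: {prog}")
    if prog.startswith(SUSPECT_PREFIXES):
        reasons.append("program runs from a temporary or shared directory")
    if any(part.startswith(".") for part in Path(prog).parts):
        reasons.append("program path contains a hidden component")
    # Masquerading check: an Apple-style label whose binary is not Apple's.
    if label.startswith("com.apple.") and not prog.startswith(("/System/", "/usr/", "/Library/Apple/")):
        reasons.append("Apple-looking label with non-Apple program")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: restarts whenever killed")
    return reasons


def audit_launch_items(directories) -> list:
    """Scan *.plist files in the given directories; return one finding per suspicious file."""
    findings = []
    for d in directories:
        base = Path(d).expanduser()
        if not base.is_dir():
            continue
        for f in sorted(base.glob("*.plist")):
            try:
                with open(f, "rb") as fh:
                    data = plistlib.load(fh)
            except Exception as exc:  # an unparseable plist is worth a look too
                findings.append({"plist": str(f), "label": None, "reasons": [f"unparseable: {exc}"]})
                continue
            reasons = assess_plist(data)
            if reasons:
                findings.append({"plist": str(f), "label": data.get("Label"), "reasons": reasons})
    return findings


def build_sample_dir() -> str:
    """Write two constructed plists (not real indicators) to a temp dir and return its path."""
    d = tempfile.mkdtemp(prefix="launchagents-")
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
              "RunAtLoad": True}
    suspicious = {"Label": "com.apple.softwareupdate.helper",  # constructed; mimics an Apple name
                  "ProgramArguments": ["/Users/Shared/.cache/helper", "-d"],
                  "RunAtLoad": True, "KeepAlive": True}
    for name, content in (("com.example.updater.plist", benign),
                          ("com.apple.softwareupdate.helper.plist", suspicious)):
        with open(Path(d) / name, "wb") as fh:
            plistlib.dump(content, fh)
    return d


if __name__ == "__main__":
    # On a real Mac the standard directories are scanned; elsewhere only the sample dir exists.
    for hit in audit_launch_items(PERSISTENCE_DIRS + [build_sample_dir()]):
        print(hit["plist"], hit["label"])
        for r in hit["reasons"]:
            print("   -", r)
```

The heuristics are deliberately simple and will produce false positives for legitimately unusual installs; the value is in producing a short list to review by hand rather than a verdict. Pointing `audit_launch_items()` at a forensic image’s `Library` directories works the same way as running it on a live host.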
This threat vector is evolving: new forms of malware are being identified [LINK], it operates across multiple operating systems [LINK], and the GitHub attacks indicate a scattergun approach. There are also overlaps with an ongoing remote IT worker scam described in earlier reporting [LINK]. Alongside other North Korean cyber operations [LINK], this indicates a persistent strategy intended to generate revenue and gain access to technology. Cyber operations targeting cryptocurrency have already yielded significant revenue for North Korea [LINK].
Western entities involved in cryptocurrency, defence, and emerging technologies have been targeted [LINK] and remain at high risk due to the value of their data and access to cryptocurrency. Software engineers and programmers are key professions targeted by this threat vector.
Outlook
North Korean operatives have already been identified impersonating legitimate companies to enhance the effectiveness of the scam [LINK]. With the advancement of deception methods such as deepfake technology, we assess that this is the likely direction of travel for the targeted approach.
The focus in industry reporting on higher-end capability deployed by adversary states such as North Korea aligns with broader trends in the cyber threat intelligence industry. We assess with moderate confidence that versions of this scam based on social engineering and less sophisticated exploitation techniques are likely to be in widespread use among a range of threat actors.
The development and deployment of high-end malware for this purpose is unusual. True apex threat actors are more likely to reserve exquisite capability for higher-value opportunities and to rely on common vulnerabilities and living-off-the-land techniques to conduct low-profile, efficient attacks. The use of specialised malware by North Korea is an indicator of the priority the regime attaches to revenue generation.
Tyburn St Raphael is a security boutique. Our experts come exclusively from UK government, military, and academic backgrounds and have decades of experience in delivering intelligence-led investigations and solutions. We provide technical expertise, training, and advice to organisations to enhance their cyber resilience. When digital crises such as ransomware, fraud, and online threats arise, our incident response and recovery retainers ensure organisations can respond effectively. If you have any questions, believe you have been targeted by a malware attack, or would like further information, please contact info@tyburn-str.com.