FERRET
Ferret is a malware family observed from late 2024 and active in campaigns through 2025, primarily targeting macOS users. It has been linked to the North Korean "Contagious Interview" campaign, in which operators use fake job interview or recruitment lures to target software developers, IT professionals, and especially blockchain and cryptocurrency personnel. Researchers reported that Ferret family loaders were distributed through fraudulent online job interview invitations, and past versions delivered both a backdoor and a crypto stealer. Vendors tracking the campaign described the operators as continually evolving their tooling alongside other malware such as BeaverTail.
The Ferret family has also been associated with macOS-focused theft activity. One strain, FrigidStealer, was first spotted in February 2025 and is described in some reporting as part of the Ferret family. FrigidStealer was delivered through fake browser update prompts, including DMG files disguised as Safari updates, and affected users across North America, Europe, and Asia. It has been linked to the activity clusters TA2726 and TA2727 and to infections in public-facing industries, particularly retail and hospitality. Reported capabilities include theft of browser credentials, system files, cryptocurrency wallet data, and Apple Notes. Reported behaviours: it exfiltrates data in DNS queries, which on macOS pass through the system resolver mDNSResponder, so the lookups are attributed to that system process rather than to the malware; it installs a malicious app with bundle ID com.wails.ddaolimaki-daunito; it drives other applications through AppleScript and Apple Events without the user's authorization; it registers as a foreground application via launchservicesd; it deletes its traces after execution; and it terminates itself after exfiltration to shorten the window in which it can be detected.
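As an added example, not code from the page's sources or from the malware itself: a small Python hunt that applies the behaviours described above to constructed log lines. It groups resolver queries by base domain and flags the DNS-tunnelling pattern (many distinct, long, high-entropy subdomains under one domain), and it greps for the reported bundle ID. The log line format, the attacker domain updates-cdn.invalid, the stolen-data blob, and the thresholds are all assumptions made for the example; the DNS logic is a general tunnelling heuristic rather than something specific to this family.

```python
import math
import re
from collections import defaultdict

# --- Constructed sample data (not real telemetry) -------------------------
# Stand-in for a blob of stolen data: hex-encoded and cut into 40-character
# chunks, each sent as the leftmost label of a query to the attacker's domain.
STOLEN = (b"user=jdoe;host=mbp-15;wallet=0x7f3a19c2e4b8d0a6;"
          b"notes=Q1 seed phrase backup;keychain=Chrome Safe Storage;")
CHUNKS = [STOLEN.hex()[i:i + 40] for i in range(0, len(STOLEN.hex()), 40)]
C2 = "updates-cdn.invalid"  # assumed attacker domain (.invalid is reserved)

# Simplified, constructed log lines; real `log show` output is more verbose,
# so QUERY_RE below has to be adapted to the actual field layout.
SAMPLE_LOG = "\n".join(
    ["2025-02-18 09:41:02 mDNSResponder query name=_companion-link._tcp.local type=PTR",
     "2025-02-18 09:41:05 mDNSResponder query name=www.apple.com type=A",
     "2025-02-18 09:41:06 mDNSResponder query name=time.apple.com type=A"]
    + [f"2025-02-18 09:41:{10 + i:02d} mDNSResponder query name={c}.{C2} type=TXT"
       for i, c in enumerate(CHUNKS)]
    + ["2025-02-18 09:41:20 launchservicesd register bundle=com.wails.ddaolimaki-daunito",
       "2025-02-18 09:41:21 osascript AppleEvent target=com.apple.Notes"]
)

QUERY_RE = re.compile(r"mDNSResponder query name=(\S+)")


def label_entropy(s: str) -> float:
    """Shannon entropy in bits per character; encoded data scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(ch) / n * math.log2(s.count(ch) / n) for ch in set(s))


def base_domain(name: str) -> str:
    """Naive registrable domain (last two labels). Use a public-suffix list
    in production so that e.g. shop.example.co.uk is not reduced to co.uk."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def dns_exfil_candidates(lines, min_unique=5, min_len=20, min_entropy=3.0):
    """Group queries by base domain and flag domains where at least two of
    three tunnelling indicators fire: many distinct subdomains, long labels,
    high-entropy labels. Returns {base_domain: summary}."""
    subs_by_base = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        # Bonjour (.local) and reverse lookups also go through mDNSResponder
        # and are normal on every Mac; they are not internet exfil channels.
        if name.endswith(".local") or name.endswith(".arpa"):
            continue
        base = base_domain(name)
        if name != base:
            subs_by_base[base].add(name[: -len(base) - 1])
    findings = {}
    for base, subs in subs_by_base.items():
        long_labels = sum(1 for s in subs if len(s) >= min_len)
        max_entropy = max(label_entropy(s.replace(".", "")) for s in subs)
        indicators = {
            "many_unique_subdomains": len(subs) >= min_unique,
            "long_labels": long_labels > 0,
            "high_entropy": max_entropy >= min_entropy,
        }
        if sum(indicators.values()) >= 2:
            findings[base] = {
                "unique_subdomains": len(subs),
                "long_labels": long_labels,
                "max_entropy": round(max_entropy, 2),
                "indicators": sorted(k for k, v in indicators.items() if v),
            }
    return findings


def bundle_hits(lines, bundle_id="com.wails.ddaolimaki-daunito"):
    """Lines that mention the reported FrigidStealer bundle identifier."""
    return [line for line in lines if bundle_id in line]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for base, summary in dns_exfil_candidates(lines).items():
        print(f"possible DNS exfil to {base}: {summary}")
    for hit in bundle_hits(lines):
        print(f"bundle ID hit: {hit}")
```

On a real Mac the input would be the output of `log show --predicate 'process == "mDNSResponder"' --last 1h` (after adapting QUERY_RE to its field layout), but because every process's lookups are attributed to mDNSResponder, a packet capture or the resolver's upstream DNS server logs are the better source when you need to tie queries back to the originating binary. Tune the thresholds against a baseline first: CDNs and some telemetry endpoints legitimately produce many unique subdomains, which is why the heuristic requires two indicators rather than one.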
Across reporting, Ferret is consistently characterized as a macOS malware family used in social-engineering-driven intrusion chains for credential and data theft, against both individual targets and organizations.
Recent activity
Collection of macOS malware strains delivered in the 'Contagious Interview' fake job interview process via social engineering and fake software installs/updates.
A named malware family associated with the North Korea-attributed Contagious Interview campaign; described in the context of data theft/infostealer activity targeting developers.
Ferret is a macOS infostealer family targeting enterprises and high-value individuals, particularly for crypto theft.
CTI Roundup: Ferret Malware, macOS Stealers, and MS Power BI | Tanium