North Korean Social Engineering targeting macOS
Targeted Sectors
Individuals and organizations globally, likely defense, technology, and government sectors due to the nature of APT targeting.
Countries
· Global
BLUF
North Korean threat actors are running a sophisticated social engineering campaign using fake job recruitment websites to trick users into downloading new macOS malware variants, including a sample named FlexibleFerret.
Date of First Reported Activity
· December 1, 2025
Date of Last Reported Activity Update
· December 9, 2025
APT Names
· Lazarus Group aka:
o APT38
o Guardians of Peace
o Zinc
· Potentially other North Korean operators.
Associated Criminal Organization Names
· None known
Malware Names
FlexibleFerret (macOS variant)
Malware Sample URL
FlexibleFerret
SHA256
3c40e0d3b6ffe278111626ff568c7649ee5226e6d4b0256c8f3522199a835d42
URL to sample
· hxxps://bazaar.abuse.ch/sample/3c40e0d3b6ffe278111626ff568c7649ee5226e6d4b0256c8f3522199a835d42
Stage One JavaScript Stager Hash
SHA256
14a56d6381c1ee8e0561da1fbdb895e6ba70578245fc43177f0b4635a155ee84
URL to Sample
· hxxps://www.virustotal.com/gui/file/14a56d6381c1ee8e0561da1fbdb895e6ba70578245fc43177f0b4635a155ee84
CVEs & CVSS
· Not applicable
o The initial delivery is social engineering/user execution.
Nessus ID
· Not applicable
IOCs
Domains used
· tidymeapp[.]io
· tidyme[.]app
Malicious files hosted on Dropbox
Cryptocurrency wallet addresses used by actors (for blockchain analysis).
TTPs
· T1566.001: Phishing: Spearphishing Attachment/Link: Using fraudulent job offers to induce malware download.
· T1078: Valid Accounts: Goal of stealing credentials via infostealers and clippers.
· T1105: Ingress Tool Transfer: Hosting malware samples on legitimate services like Dropbox.
Suggested Rules / Potential Hunts
Suggested Suricata Rules
Alert on network connections to the domains tidymeapp[.]io and tidyme[.]app.
Monitor for HTTP traffic to known Dropbox URLs followed immediately by the execution of a new process.
Suggested Sentinel Rules
Monitor macOS system logs for unexpected application installations or script executions initiated by web browser activity (e.g., download folders).
Suggested Splunk Hunts
index=web (url="*tidymeapp.io*" OR url="*tidyme.app*")
Hunt for the execution of downloaded files from suspicious source domains.
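The hunt above ("downloaded files from suspicious source domains") can be run host-side on macOS against the LaunchServices quarantine database, which records the download URL and referrer for every browser-fetched file. The script below is an added example, not part of this brief or any vendor tooling; it assumes the LSQuarantineEvent table layout of ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 (table and column names as I know them, queried from a read-only copy), builds a constructed in-memory copy for offline testing, and treats the brief's two domains plus Dropbox hosting domains as suspect.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# Hosts to flag: the IOC domains from the brief plus Dropbox delivery hosts
# (the brief says samples were hosted on Dropbox; the hostnames are assumed).
SUSPECT_PATTERNS = [
    r"(^|\.)tidymeapp\.io$",
    r"(^|\.)tidyme\.app$",
    r"(^|\.)dropbox\.com$",
    r"(^|\.)dropboxusercontent\.com$",
]

# LSQuarantineTimeStamp is seconds since the Cocoa epoch (2001-01-01 UTC).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_iso(ts):
    return (COCOA_EPOCH + timedelta(seconds=ts)).strftime("%Y-%m-%dT%H:%M:%SZ")


def host_of(url):
    """Extract the lowercased hostname from a URL; '' if absent or unparsable."""
    m = re.match(r"^[a-z][a-z0-9+.\-]*://([^/?#:]+)", url or "", re.I)
    return m.group(1).lower() if m else ""


def is_suspect_host(host):
    # Anchored suffix match, so 'tidyme.app.example.com' does not match.
    return any(re.search(p, host) for p in SUSPECT_PATTERNS)


def hunt_quarantine_events(conn):
    """Return quarantine events whose download or referrer URL hits a suspect host."""
    rows = conn.execute(
        "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, "
        "LSQuarantineDataURLString, LSQuarantineOriginURLString "
        "FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp"
    )
    hits = []
    for ts, agent, data_url, origin_url in rows:
        matched = {h for h in (host_of(data_url), host_of(origin_url)) if h and is_suspect_host(h)}
        if matched:
            hits.append({"timestamp": cocoa_to_iso(ts or 0.0), "agent": agent,
                         "data_url": data_url, "origin_url": origin_url,
                         "matched_hosts": sorted(matched)})
    return hits


def build_sample_db():
    """Constructed in-memory stand-in for QuarantineEventsV2 (not real telemetry)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LSQuarantineEvent (LSQuarantineEventIdentifier TEXT PRIMARY KEY, "
                 "LSQuarantineTimeStamp REAL, LSQuarantineAgentName TEXT, "
                 "LSQuarantineDataURLString TEXT, LSQuarantineOriginURLString TEXT)")
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?)", [
        ("A1", 786500000.0, "Safari", "https://dl.dropboxusercontent.com/s/abc123/TidyMe.dmg", "https://tidymeapp.io/careers"),
        ("A2", 786500100.0, "Safari", "https://tidyme.app/downloads/update.zip", None),
        ("A3", 786500200.0, "Chrome", "https://example.org/files/report.pdf", "https://example.org/"),
    ])
    return conn


if __name__ == "__main__":
    for hit in hunt_quarantine_events(build_sample_db()):
        print(hit)
```

Matched events should then be correlated with process execution from the same download path (EDR or unified log), which is the second half of the Splunk hunt above.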
Delivery Method
· Social engineering via malicious websites and fraudulent job offers, leading to user-executed malware downloads.
Email Samples
· Phishing emails with links to the malicious recruitment sites.
References
MalwareBazaar
· hxxps://bazaar.abuse.ch/sample/3c40e0d3b6ffe278111626ff568c7649ee5226e6d4b0256c8f3522199a835d42
VirusTotal
· hxxps://www.virustotal.com/gui/file/14a56d6381c1ee8e0561da1fbdb895e6ba70578245fc43177f0b4635a155ee84
Cyberproof
· hxxps://www.cyberproof.com/threatalerts/
SecureList
· hxxps://securelist.com/tusk-infostealers-campaign/113367/
SOCRadar
· hxxps://socradar.io/labs/campaigns/