FlexibleFerret Malware Chain Targets macOS with Go Backdoor
Summary
A new macOS malware campaign, attributed to FlexibleFerret, uses staged scripts, credential-harvesting decoys, and a persistent Go-based backdoor to bypass user safeguards and maintain long-term access. The malware chain includes a second-stage shell script that fetches payloads based on the system architecture, establishes persistence via a LaunchAgent, and uses a decoy application to steal credentials. The Go-based backdoor, named CDrivers, collects system information, executes shell commands, and exfiltrates data via Dropbox. The campaign demonstrates sophisticated techniques to avoid detection, including assembling Dropbox host strings from fragments and querying api.ipify.org to capture victim IP addresses. Organizations are advised to treat unsolicited Terminal-based instructions as high-risk.
Timeline
- 25.11.2025 15:45 (1 article, 23h ago): FlexibleFerret Malware Chain Targets macOS with Go Backdoor
- New FlexibleFerret Malware Chain Targets macOS With Go Backdoor — www.infosecurity-magazine.com — 25.11.2025 15:45
Information Snippets
- The malware chain uses a second-stage shell script to fetch payloads based on system architecture (arm64 or Intel).
  First reported: 25.11.2025 15:45 (1 source, 1 article; www.infosecurity-magazine.com)
- The script establishes persistence by writing a LaunchAgent that runs the loader at login.
  First reported: 25.11.2025 15:45 (1 source, 1 article; www.infosecurity-magazine.com)
- The decoy application imitates Chrome permission prompts to steal credentials, routing them to a Dropbox account.
  First reported: 25.11.2025 15:45 (1 source, 1 article; www.infosecurity-magazine.com)
- The Go-based backdoor, CDrivers, generates a machine identifier, connects to a command server, and handles tasks such as collecting system information and executing shell commands.
  First reported: 25.11.2025 15:45 (1 source, 1 article; www.infosecurity-magazine.com)
- The malware uses api.ipify.org to capture the victim’s public IP address.
  First reported: 25.11.2025 15:45 (1 source, 1 article; www.infosecurity-magazine.com)
- FlexibleFerret operators continue to refine lures to convince targets to run scripts manually.
  First reported: 25.11.2025 15:45 (1 source, 1 article; www.infosecurity-magazine.com)