
FlexibleFerret operators' macOS manual-script lure campaign

Campaign
First reported
Last updated
Happening score: 38
1 unique source, 1 article

Summary


FlexibleFerret operators are refining a macOS social-engineering campaign that uses interview and Terminal-based pretexts to trick targets into running scripts manually. The shift matters because the lure chain is designed to bypass user safeguards and enable follow-on compromise on victim systems.

Related Happenings

Atomic Stealer (AMOS) macOS ClickFix Script Editor activity

Malware Activity
First: 09.04.2026 14:20 Last: 09.04.2026 14:20 Sources 1

About this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...

Atomic Stealer macOS Script Editor ClickFix campaign

Campaign
First: 08.04.2026 21:55 Last: 08.04.2026 21:55 Sources 1

About this happening: A **new Atomic Stealer (AMOS)** campaign is targeting **macOS users** through **fake Apple-themed cleanup sites**, creating a lower-friction path to malware installation and data...

MacSync macOS infostealer with dynamic AppleScript and in-memory execution

Malware Activity
First: 16.03.2026 13:41 Last: 16.03.2026 13:41 Sources 1

About this happening: The **MacSync** macOS infostealer now uses **dynamic AppleScript payloads** and **in-memory execution** to reduce static detection and complicate response. It is being delivered t...

Latest development: 10.05.2026 20:52

A MacSync macOS infostealer campaign is abusing Google Ads and legitimate Claude.ai shared chats to lure users searching for "Claude mac download" into following Terminal instructions that download and run malware on their Mac. One observed variant uses polymorphic delivery, checks for Russian or CIS-region keyboard input sources and sends a cis_blocked ping before exiting, then profiles the victim with external IP address, hostname, OS version, and keyboard locale before using osascript to run a second-stage payload; another variant skips profiling and exfiltrates browser credentials, cookies, and macOS Keychain contents.

UNC1069 GhostCall cryptocurrency social-engineering campaign

Campaign
First: 11.02.2026 08:50 Last: 11.02.2026 08:50 Sources 1

About this happening: **UNC1069** is **actively targeting the cryptocurrency sector** with a **social-engineering campaign** designed to steal credentials and data for **financial theft**. The operatio...

PeckBirdy JScript C2 framework used across multiple environments since 2023

Malware Activity
First: 27.01.2026 11:01 Last: 27.01.2026 11:01 Sources 1

About this happening: Since **2023**, the **PeckBirdy** **JScript-based C2 framework** has been used by **China-aligned APT actors** to reach **multiple environments**, giving them flexible delivery an...

Timeline

  1. 25.11.2025 15:45 2 articles · 6mo ago

    FlexibleFerret macOS malware chain with Go backdoor and credential decoy

    Initial Disclosure

    A macOS malware chain associated with FlexibleFerret uses staged scripts, a second-stage shell script that selects payloads for arm64 or Intel systems, a LaunchAgent for persistence, a Chrome-style password prompt to steal credentials, Dropbox upload API exfiltration, and a malicious Go-based backdoor named CDrivers for system information collection, file transfer, shell execution, and Chrome profile data theft.
