FlexibleFerret operators' macOS manual-script lure campaign
Campaign
Summary
Hide ▲
Show ▼
FlexibleFerret operators are refining a macOS social-engineering campaign that uses interview and Terminal-based pretexts to trick targets into running scripts manually. The shift matters because the lure chain is designed to bypass user safeguards and enable follow-on compromise on victim systems.
Related Happenings
ClickFix mitigation guidance for Windows and macOS
Defensive Guidance
H score34
First: 30.06.2026 15:00
Last: 30.06.2026 15:00
Sources 1
About this happening:
Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...
ClickFix mitigation guidance for Windows and macOS
Defensive GuidanceAbout this happening: Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical Analysis
H score23
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
**macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical AnalysisAbout this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware Activity
H score30
First: 09.04.2026 14:20
Last: 09.04.2026 14:20
Sources 1
About this happening:
A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware ActivityAbout this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Atomic Stealer macOS Script Editor ClickFix campaign
Campaign
H score42
First: 08.04.2026 21:55
Last: 08.04.2026 21:55
Sources 1
About this happening:
A **new Atomic Stealer (AMOS)** campaign is targeting **macOS users** through **fake Apple-themed cleanup sites**, creating a lower-friction path to malware installation and data...
Atomic Stealer macOS Script Editor ClickFix campaign
CampaignAbout this happening: A **new Atomic Stealer (AMOS)** campaign is targeting **macOS users** through **fake Apple-themed cleanup sites**, creating a lower-friction path to malware installation and data...
MacSync macOS infostealer with dynamic AppleScript and in-memory execution
Malware Activity
H score32
First: 16.03.2026 13:41
Last: 16.03.2026 13:41
Sources 1
About this happening:
The **MacSync** macOS infostealer now uses **dynamic AppleScript payloads** and **in-memory execution** to reduce static detection and complicate response. It is being delivered t...
MacSync macOS infostealer with dynamic AppleScript and in-memory execution
Malware ActivityAbout this happening: The **MacSync** macOS infostealer now uses **dynamic AppleScript payloads** and **in-memory execution** to reduce static detection and complicate response. It is being delivered t...
Latest development: 10.05.2026 20:52
A MacSync macOS infostealer campaign is abusing Google Ads and legitimate Claude.ai shared chats to lure users searching for "Claude mac download" into following Terminal instructions that download and run malware on their Mac. One observed variant uses polymorphic delivery, checks for Russian or CIS-region keyboard input sources and sends a cis_blocked ping before exiting, then profiles the victim with external IP address, hostname, OS version, and keyboard locale before using osascript to run a second-stage payload; another variant skips profiling and exfiltrates browser credentials, cookies, and macOS Keychain contents.
Timeline
-
25.11.2025 15:45 2 articles · 7mo ago
FlexibleFerret macOS malware chain with Go backdoor and credential decoy
Initial DisclosureA macOS malware chain associated with FlexibleFerret uses staged scripts, a second-stage shell script that selects payloads for arm64 or Intel systems, a LaunchAgent for persistence, a Chrome-style password prompt to steal credentials, Dropbox upload API exfiltration, and a malicious Go-based backdoor named CDrivers for system information collection, file transfer, shell execution, and Chrome profile data theft.
Show sources
- New FlexibleFerret Malware Chain Targets macOS With Go Backdoor — www.infosecurity-magazine.com — 25.11.2025 15:45
- New FlexibleFerret Malware Chain Targets macOS With Go Backdoor — www.infosecurity-magazine.com — 25.11.2025 15:45