A cybersecurity campaign has been identified in which threat actors used fraudulent job postings on LinkedIn to distribute malware targeting Apple’s macOS. The campaign specifically aimed to deceive job seekers into downloading and installing a malicious software known as Flexible Ferret.

Attackers leveraged the professional networking platform by creating fake job listings that appeared to be from legitimate companies. These postings were crafted to attract individuals actively searching for new employment opportunities. The primary goal of this initial phase was to establish contact with potential victims and persuade them to move to the next stage of a counterfeit application process.

Attack Vector: Deceptive Recruitment Process

The distribution method for the Flexible Ferret malware involved social engineering. After a user expressed interest in a fraudulent job listing, the attackers would direct them to download a file. This file was presented as a necessary component of the job application, such as a questionnaire, a skills assessment test, or a preliminary project description. The file was designed to look harmless, convincing the target that they were proceeding with a legitimate job application. The attack specifically targeted users operating on Mac computer systems.

Malware Deployment on macOS

Upon downloading and opening the deceptive file, the user would inadvertently execute the installer for the Flexible Ferret malware. The malicious software was developed to operate on the macOS platform. The infection of the system occurred once the user engaged with the file, initiating the malware’s installation sequence. The campaign’s success relied on the user’s trust in the recruitment process initiated through the LinkedIn platform.

Source: https://www.malwarebytes.com/blog/news/2025/11/fake-linkedin-jobs-trick-mac-users-into-downloading-flexible-ferret-malware