New FlexibleFerret Malware Chain Targets macOS With Go Backdoor

A new macOS malware chain that uses staged scripts, credential-harvesting decoys and a persistent Go-based backdoor has been observed to bypass user safeguards, disguise its activity and maintain long-term access to compromised systems.

According to a new advisory from Jamf Threat Labs, the campaign includes a second-stage shell script that reconstructs a download path and fetches different payloads based on whether a system runs on arm64 or Intel chips.

The cybersecurity researchers noted the script retrieved an archive containing the next-stage loader, unpacked it into a temporary directory, then launched the component in the background.

It also established persistence by writing a LaunchAgent that forced the loader to run at login. Jamf said the script then opened a decoy application that imitated Chrome permission prompts and ultimately displayed a Chrome-style password window designed to steal credentials.
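The LaunchAgent persistence described above leaves a plist on disk that a defender can audit. The following is an added example, not Jamf's tooling or anything from the campaign: it parses LaunchAgent plists with the standard `plistlib` module and flags entries that run at login and whose program, or the script handed to a shell interpreter, lives under a temporary or shared directory. The directory prefixes and both sample plists are assumptions constructed for this example; the advisory names no concrete paths.

```python
"""Flag LaunchAgents that match the login-persistence pattern described above.

Added example (not Jamf's code). Heuristics: RunAtLoad set, plus a program or
shell-invoked script under a temporary/world-writable directory. The prefixes
and sample plists below are assumptions constructed for this example.
"""
import plistlib
from pathlib import Path
from typing import Dict, List

# Assumed locations a legitimate LaunchAgent rarely points at.
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/",
                 "/private/var/folders/", "/Users/Shared/")
SHELLS = {"sh", "bash", "zsh"}


def _argv(plist: Dict) -> List[str]:
    """Return the argv launchd would run, from ProgramArguments or Program."""
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return [str(a) for a in args]
    prog = plist.get("Program")
    return [str(prog)] if prog else []


def _tokens_to_check(argv: List[str]) -> List[str]:
    """The executable itself; when it is a shell, every argument as well, so
    `/bin/sh -c "/tmp/x/run.sh &"` is inspected for the script it launches."""
    if not argv:
        return []
    return argv if Path(argv[0]).name in SHELLS else [argv[0]]


def assess_launch_agent(plist: Dict) -> List[str]:
    """Return human-readable findings for one parsed LaunchAgent plist."""
    findings: List[str] = []
    if plist.get("RunAtLoad") is True:
        findings.append("runs at login (RunAtLoad)")
    for token in _tokens_to_check(_argv(plist)):
        for candidate in token.split():  # splits `-c` command strings
            if candidate.startswith(TEMP_PREFIXES):
                findings.append(f"program under temp/shared dir: {candidate}")
                break
    return findings


def is_suspicious(plist: Dict) -> bool:
    """Only the location heuristic decides; RunAtLoad alone is common and benign."""
    return any(f.startswith("program under") for f in assess_launch_agent(plist))


def scan_launch_agents(directory: Path) -> Dict[str, List[str]]:
    """Scan every *.plist in a LaunchAgents folder; returns {filename: findings}."""
    results: Dict[str, List[str]] = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            with path.open("rb") as fh:
                plist = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError, ValueError):
            continue  # binary garbage or unreadable file: skip, don't crash
        if is_suspicious(plist):
            results[path.name] = assess_launch_agent(plist)
    return results


# Constructed samples (not from the campaign). The first mimics a loader unpacked
# into a temp directory and backgrounded via a shell; the second is an ordinary
# vendor helper. "placeholder" marks a made-up path component.
SUSPECT_PLIST = plistlib.loads(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/private/var/folders/xx/placeholder/T/loader/run.sh &amp;</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""")

BENIGN_PLIST = plistlib.loads(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/helper</string>
    <string>--background</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""")


if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT_PLIST), ("benign", BENIGN_PLIST)):
        print(name, is_suspicious(sample), assess_launch_agent(sample))
    # Audit the current user's agents; an absent directory just yields nothing.
    for fname, hits in scan_launch_agents(Path.home() / "Library/LaunchAgents").items():
        print(fname, hits)
```

Running it on a workstation prints any user LaunchAgent whose command resolves into a temp or shared directory; `/Library/LaunchAgents` and `/Library/LaunchDaemons` can be passed to `scan_launch_agents` the same way. The prefix list is deliberately short and should be tuned to the environment, since some legitimate installers do stage helpers under `/Users/Shared`.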


The decoy routed stolen passwords to a Dropbox account. To avoid detection, the malware assembled the Dropbox host from small string fragments, then used the legitimate Dropbox upload API for exfiltration. It also queried api.ipify.org to capture the victim’s public IP address.

The Role of the Go-Based Backdoor

Once the third stage began, the loader script invoked a malicious Golang project named CDrivers. This backdoor generated a short machine identifier, checked for duplicates, then connected to a hard-coded command server. From there, it entered a persistent command loop that handled tasks such as:

  • Collecting system information
  • Uploading or downloading files
  • Executing shell commands
  • Extracting Chrome profile data
  • Triggering automated credential theft

If an error occurred, the malware fell back to a system-information command and paused for five minutes before resuming activity, preventing single failures from stopping the operation.

Jamf attributed the campaign to FlexibleFerret operators, who continue to refine lures designed to convince targets to run scripts manually.

“Organizations should treat unsolicited ‘interview’ assessments and Terminal-based ‘fix’ instructions as high-risk, and ensure users know to stop and report these prompts rather than follow them,” the researchers concluded.
