Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
DriverFixer0428: macOS Credential Stealer Linked to North Korea

25 December 2025 20:07

A thorough static and dynamic analysis has led to the identification of a macOS malware called DriverFixer0428, classified as a credential stealer and attributed with medium-high confidence to the North Korean campaign known as “Contagious Interview”. The sample poses as a system utility, a disguise intended to persuade the user to trust and interact with the application.

The malware’s primary purpose is to harvest macOS login credentials. To do so, DriverFixer0428 displays fake dialog boxes that closely mimic operating system security prompts and Google Chrome permission requests, relying on social engineering to get the user to type a password. The credentials the user enters are then sent to attacker-controlled infrastructure through the Dropbox cloud storage API.

The sample’s name comes from internal references found in the analyzed binary. Static analysis revealed identifiers such as DriverFixer0428 and OverlayWindowController, along with references to Swift source files, pointing to an application structure consistent with a legitimate development project. The “0428” suffix is interpreted either as a possible reference to the build date (April 28) or as an internal version number used by the malware’s developers.

Technically, the analyzed sample is a universal Mach-O binary containing both x86_64 and ARM64 slices, written in Swift and built on AppKit. The file is approximately 235 KB in size, uses the bundle identifier chrome.DriverFixer0428 and embeds the source path DriverFixer0428/ViewController.swift. Its SHA-256 hash is 9aef4651925a752f580b7be005d91bfb1f9f5dd806c99e10b17aa2e06bf4f7b5.
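The facts above (universal Mach-O, two architecture slices, bundle identifier, source path, SHA-256) are exactly what a first-pass triage script should confirm before anything is run. The following is an added example, not code from the article or from the analysts who examined the sample: it parses the fat header of a universal Mach-O, lists the architecture slices, hashes the file and scans it for the strings the article reports. Because the real binary is not reproduced here, it builds a small constructed two-slice file with those strings embedded; the `dropboxapi.com` indicator is an assumption based on Dropbox’s public API domain, since the page says only “Dropbox APIs”.

```python
import hashlib
import re
import struct

FAT_MAGIC = 0xCAFEBABE            # universal (fat) header; stored big-endian
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O slice header; stored little-endian
CPU_TYPE_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}

# Strings the article reports for this sample, plus one assumed host pattern.
REPORTED_INDICATORS = [
    b"DriverFixer0428",
    b"OverlayWindowController",
    b"chrome.DriverFixer0428",
    b"DriverFixer0428/ViewController.swift",
    b"api.ipify.org",
    b"dropboxapi.com",   # assumption: Dropbox's public API domain, not quoted on the page
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_slices(data: bytes):
    """Return the architecture slices of a universal or thin 64-bit Mach-O."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O")
    (magic_be,) = struct.unpack_from(">I", data, 0)
    if magic_be == FAT_MAGIC:
        (nfat,) = struct.unpack_from(">I", data, 4)
        slices = []
        for i in range(nfat):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            cputype, _sub, off, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            in_bounds = off + size <= len(data) and size >= 4
            slice_magic = struct.unpack_from("<I", data, off)[0] if in_bounds else None
            slices.append({
                "arch": CPU_TYPE_NAMES.get(cputype, hex(cputype)),
                "offset": off,
                "size": size,
                "valid_header": in_bounds and slice_magic == MH_MAGIC_64,
            })
        return slices
    (magic_le,) = struct.unpack_from("<I", data, 0)
    if magic_le == MH_MAGIC_64:
        (cputype,) = struct.unpack_from("<I", data, 4)
        return [{"arch": CPU_TYPE_NAMES.get(cputype, hex(cputype)),
                 "offset": 0, "size": len(data), "valid_header": True}]
    raise ValueError(f"unrecognised magic {magic_be:#010x}")


def matched_indicators(data: bytes):
    """Which of the reported strings occur anywhere in the file."""
    return sorted(ioc.decode() for ioc in REPORTED_INDICATORS if ioc in data)


def triage(data: bytes) -> dict:
    slices = parse_slices(data)
    return {
        "sha256": sha256_hex(data),
        "size": len(data),
        "universal": len(slices) > 1,
        "archs": [s["arch"] for s in slices],
        "indicators": matched_indicators(data),
    }


def build_constructed_sample() -> bytes:
    """Constructed two-slice fat file carrying the article's strings.
    It is NOT the real sample; it exists only so the parser can run offline."""
    strings = b"\0".join([b"chrome.DriverFixer0428",
                          b"DriverFixer0428/ViewController.swift",
                          b"OverlayWindowController",
                          b"api.ipify.org"]) + b"\0"

    def slice_for(cputype: int) -> bytes:
        # mach_header_64: magic, cputype, cpusubtype, filetype(2=MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
        return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0) + strings

    cputypes = (0x01000007, 0x0100000C)          # x86_64 first, then arm64
    slices = [slice_for(ct) for ct in cputypes]
    offset = 8 + 20 * len(slices)                # fat_header + fat_arch entries
    fat = struct.pack(">II", FAT_MAGIC, len(slices))
    for ct, s in zip(cputypes, slices):
        fat += struct.pack(">IIIII", ct, 0, offset, len(s), 0)
        offset += len(s)
    return fat + b"".join(slices)


if __name__ == "__main__":
    import json
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    print(json.dumps(triage(blob), indent=2))
```

Run with a path argument to triage a real file; on the sample described above it should report two slices (x86_64 and arm64) and a sha256 equal to the hash quoted in the article, which is the cheap way to confirm you are looking at the same binary before spending time in a debugger.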

The attribution to North Korea rests on overlaps in tactics, techniques and procedures with previously documented campaigns. Although this specific hash is absent from the major threat intelligence databases, operational similarities link the sample to the FlexibleFerret, FrostyFerret, ChromeUpdate and CameraAccess families, all tied to the same activity cluster. Notably, the network infrastructure matches that described by SentinelOne in February 2025.

Observed network communications include contacting api.ipify.org to learn the compromised system’s public IP address and calling Dropbox APIs to manage OAuth tokens and upload exfiltrated data. Hiding inside a legitimate cloud service lets the malware blend its traffic with ordinary Dropbox use, reducing the likelihood that network-based security controls flag it; the practical consequence for defenders is to ask which process is talking to the Dropbox API, and what it did just before, rather than whether Dropbox is reachable at all.
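The sequence described above, an external-IP lookup at api.ipify.org followed shortly by Dropbox API calls from a process that is not the Dropbox client, is a usable detection on its own. The following is an added example, not part of the article or of any vendor’s detection content: it correlates the two events per host and process over constructed proxy-style log lines. The Dropbox hostnames (api.dropboxapi.com, content.dropboxapi.com), the ten-minute window and the allowlisted process name are assumptions; the page names only api.ipify.org and “Dropbox APIs”.

```python
import re
from datetime import datetime, timedelta

IPIFY_HOSTS = {"api.ipify.org"}
# Assumption: Dropbox's public API domains; the article says only "Dropbox APIs".
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Assumption: process names legitimately expected to use the Dropbox API.
ALLOWED_DROPBOX_CLIENTS = {"Dropbox"}
WINDOW = timedelta(minutes=10)   # assumed correlation window

# Constructed log format: "<ISO8601 UTC> host=<host> proc=<process> dst=<hostname>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+)"
)


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "proc": m["proc"],
        "dst": m["dst"].lower().rstrip("."),
    }


def detect(lines):
    """Alert when a non-allowlisted process on a host contacts api.ipify.org
    and then talks to the Dropbox API within WINDOW. One alert per lookup."""
    last_ipify = {}   # (host, proc) -> time of the most recent api.ipify.org contact
    alerts = []
    for event in filter(None, map(parse_line, lines)):
        key = (event["host"], event["proc"])
        if event["dst"] in IPIFY_HOSTS:
            last_ipify[key] = event["ts"]
        elif event["dst"] in DROPBOX_API_HOSTS and event["proc"] not in ALLOWED_DROPBOX_CLIENTS:
            t0 = last_ipify.pop(key, None)      # consume the lookup so one chain = one alert
            if t0 is not None and event["ts"] - t0 <= WINDOW:
                alerts.append({
                    "host": event["host"],
                    "proc": event["proc"],
                    "ipify_at": t0.isoformat(),
                    "dropbox_at": event["ts"].isoformat(),
                    "dst": event["dst"],
                })
    return alerts


# Constructed sample telemetry, not real logs. Only mac-17 shows the full chain;
# mac-03 is the allowlisted client, mac-22 never reaches Dropbox, mac-09 has no
# prior IP lookup and mac-05 is outside the window.
SAMPLE_LOG = """\
2025-12-20T09:10:00Z host=mac-05 proc=Updater dst=api.ipify.org
2025-12-20T10:00:01Z host=mac-17 proc=DriverFixer0428 dst=api.ipify.org
2025-12-20T10:00:03Z host=mac-17 proc=DriverFixer0428 dst=api.dropboxapi.com
2025-12-20T10:00:09Z host=mac-17 proc=DriverFixer0428 dst=content.dropboxapi.com
2025-12-20T10:01:00Z host=mac-03 proc=Dropbox dst=api.dropboxapi.com
2025-12-20T10:02:00Z host=mac-22 proc=curl dst=api.ipify.org
2025-12-20T10:03:00Z host=mac-09 proc=Safari dst=content.dropboxapi.com
2025-12-20T10:30:00Z host=mac-05 proc=Updater dst=api.dropboxapi.com
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The rule keys on the combination rather than on either host alone: api.ipify.org is queried by plenty of benign tooling and the Dropbox API by the Dropbox client itself, so each in isolation is noise, while an IP lookup immediately followed by Dropbox API traffic from an unknown binary is the shape of the behaviour the article describes.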

Dynamic analysis with the LLDB debugger revealed a layered sandbox evasion routine. DriverFixer0428 performs runtime checks for virtualized environments by querying system APIs such as sysctlbyname, the IOKit registry and the NSScreen API. If it concludes that it is running inside a virtual machine or analysis environment, the malware never activates its payload and simply idles.

This “silent failure” behavior explains the discrepancy between the static analysis, which clearly points to malicious functionality, and the relatively low scores from automated sandboxes, where the sample is classified as likely benign. According to the analysts, this capability reflects a level of maturity consistent with state-sponsored actors and underlines the limits of automated detection tools against advanced threats: a benign sandbox verdict for a sample whose strings and code paths are plainly malicious should be read as a detection gap, not as a clean bill of health.
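The way an analyst reaches the conclusion above is by watching what the sample asks the operating system while it decides whether to stay idle. The following is an added example, not the analysts’ own tooling or the article’s code: an LLDB Python script that breaks on every sysctlbyname call in the debuggee, reads the queried key from the first argument register and flags keys commonly used for virtual-machine fingerprinting. Which keys the real sample reads is not stated on the page, so the key list is an assumption; the IOKit and NSScreen checks the article mentions would need analogous breakpoints (for example on IORegistryEntryCreateCFProperties) and are not covered here. The `lldb` import is guarded so the pure-logic helpers can run outside the debugger.

```python
"""LLDB helper: log every sysctlbyname() call made by the debuggee and flag
keys typically used for VM / sandbox fingerprinting.

Inside lldb:  (lldb) command script import sysctl_watch.py
              (lldb) run
"""
try:
    import lldb  # only importable inside the LLDB process
except ImportError:      # running outside LLDB (unit tests, quick checks)
    lldb = None

# Assumption: sysctl keys a VM / sandbox check would plausibly read. The page
# says only that the sample calls sysctlbyname, not which keys it queries.
VM_FINGERPRINT_KEYS = {
    "hw.model",                  # hypervisor product names show up here on many guests
    "kern.hv_vmm_present",       # 1 when macOS is running under a hypervisor
    "machdep.cpu.brand_string",  # CPUID brand string, often virtualized
    "machdep.cpu.features",      # VMM feature flag
    "hw.ncpu",                   # tiny core counts typical of sandboxes
    "hw.memsize",                # tiny RAM sizes typical of sandboxes
    "kern.boottime",             # very short uptime typical of fresh sandbox VMs
}


def is_vm_fingerprint_key(key: str) -> bool:
    """True if `key` is one of the sysctl keys a VM check would read."""
    return key.strip() in VM_FINGERPRINT_KEYS


def first_arg_register(triple: str) -> str:
    """Register holding the first C argument (the sysctl name pointer)."""
    return "x0" if triple.startswith(("arm64", "aarch64")) else "rdi"


def classify_calls(keys):
    """Split an ordered list of queried keys into (flagged, other)."""
    flagged = [k for k in keys if is_vm_fingerprint_key(k)]
    other = [k for k in keys if not is_vm_fingerprint_key(k)]
    return flagged, other


# ---- everything below runs only inside LLDB ----
SEEN_KEYS = []


def on_sysctlbyname(frame, bp_loc, internal_dict):
    """Breakpoint callback: read the `name` argument, log it, keep running."""
    thread = frame.GetThread()
    process = thread.GetProcess()
    triple = process.GetTarget().GetTriple()
    reg = frame.FindRegister(first_arg_register(triple))
    err = lldb.SBError()
    key = process.ReadCStringFromMemory(reg.GetValueAsUnsigned(), 256, err)
    if err.Success():
        SEEN_KEYS.append(key)
        caller = thread.GetFrameAtIndex(1).GetFunctionName() or "?"
        tag = "VM-CHECK" if is_vm_fingerprint_key(key) else "        "
        print(f'[{tag}] sysctlbyname("{key}") called from {caller}')
    return False  # False = do not stop at this breakpoint


def __lldb_init_module(debugger, internal_dict):
    """Invoked by `command script import`; installs the breakpoint."""
    target = debugger.GetSelectedTarget()
    bp = target.BreakpointCreateByName("sysctlbyname")
    bp.SetScriptCallbackFunction(f"{__name__}.on_sysctlbyname")
    print(f"sysctlbyname watch installed ({bp.GetNumLocations()} locations)")
```

If the sample then idles without ever showing its fake prompts, the flagged keys tell you which check tripped; returning True from the callback instead of False stops the target at that call so the result buffer can be patched before resuming, which is the usual way to walk a silently failing sample past its own evasion.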

  • APT threat
  • Contagious Interview
  • credential stealer
  • cyber security
  • macOS malware
  • macOS security
  • malware analysis
  • North Korea cyber threat
  • threat intelligence
Redazione

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.