FlexibleFerret

Malware

⚠️ Overview

FlexibleFerret is a modular remote access trojan (RAT). According to the Intezer analysis this entry cites (January 2024), it is attributed to the North Korean state-sponsored Lazarus Group, whose financially motivated operations Mandiant tracks separately as APT38. As described there, the malware is written in C++, combines several anti-analysis and anti-detection techniques, and is used to steal credentials, exfiltrate files, and keep a persistent backdoor on compromised Windows systems. Be aware that the same name is also used by SentinelLabs for a macOS backdoor it described in February 2025 as part of the DPRK "Contagious Interview" campaign against software developers; check which implant a given report refers to before reusing its indicators across platforms.

🔧 Technical Capabilities

According to the cited analysis, FlexibleFerret is delivered by spear-phishing emails carrying malicious LNK shortcuts or ISO images, usually disguised as job-application documents. ISO attachments are attractive to the operator because files extracted from a mounted image have historically not carried the Mark-of-the-Web, which weakens SmartScreen and Office protections. Once executed, the malware establishes command-and-control (C2) communication over HTTPS with a custom encryption layer inside the TLS session, beaconing to hardcoded IP addresses that the analysis associates with North Korean infrastructure. Persistence is achieved through a scheduled task or a registry Run key. To evade endpoint detection it removes user-mode API hooks placed by EDR products and uses process hollowing to run its payload inside a legitimate host process; it also resolves Windows API calls dynamically at runtime and decrypts its core module only in memory, so static analysis of the on-disk file reveals little (these details are from Intezer's write-up at intezer.com/blog/research/new-north-korean-malware-flexibleferret). Collection modules include keylogging, clipboard hijacking, and file enumeration, and stolen data is sent to the C2 as multipart HTTP POST requests.

📜 History & Notable Incidents

FlexibleFerret was first observed in the wild during a campaign targeting cryptocurrency exchange employees in South Korea and Japan in early 2024. No CVE is associated with the malware itself; the cited reporting states that initial payload delivery abused CVE-2023-36025, a Windows SmartScreen security-feature bypass that Microsoft patched in November 2023, so fully patched hosts should not be exposed to that delivery step. No law enforcement action has been publicly reported. Security researchers at Volexity linked the malware to the larger Lazarus "Operation DreamJob" cluster (volexity.com/blog/2024/02/28/flexibleferret-lazarus-backdoor).

🔍 Detection Indicators

The two SHA-256 values published alongside this entry, 9b8e7c1d2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c and 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b (attributed to Intezer), are sequential hex placeholder patterns rather than digests of analysed samples; do not load them into blocklists, and take sample hashes from the vendor report directly. The behavioural indicators are more useful: outbound HTTPS connections to 175.45.176.0/22, the address block allocated to North Korea; creation of a scheduled task named "BrowserUpdateTask"; a value named "FerretUpdate" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run; and a mutex named Global\FlexFerretMutex, which the malware creates so that a second instance will not run (the Global\ prefix places it in the system-wide object namespace). Note that neither the Windows Security log nor Sysmon records mutex creation, so the mutex can only be checked with endpoint tooling or a handle enumeration on a live host.
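The behavioural indicators above can be hunted in exported event logs. The script below is an added example, not code from Intezer or any other vendor cited on this page. It assumes (my assumption, not the page's) that events arrive as JSON lines with an "EventID" field and a flat "EventData" object, the shape most SIEM exports produce, and that Security event 4698 carries "TaskName", Sysmon event 13 carries "TargetObject", and Sysmon event 3 carries "Initiated" and "DestinationIp". The sample records are constructed, not real telemetry.

```python
"""Hunt for the FlexibleFerret host and network indicators listed above in
exported Windows event records.  Added example, not vendor code.

Assumed input shape (mine, not the page's): one JSON object per line with
"EventID" and a flat "EventData" object.  Security 4698 -> "TaskName",
Sysmon 13 -> "TargetObject", Sysmon 3 -> "Initiated", "DestinationIp".
"""
import ipaddress
import json
from typing import List, Optional, Tuple

# Behavioural indicators as stated on this page.  The page's two hash values
# are placeholder strings and are deliberately not used here.
C2_NETWORKS = [ipaddress.ip_network("175.45.176.0/22")]
TASK_NAMES = {"BrowserUpdateTask"}
RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run".upper()
RUN_VALUE_NAMES = {"FerretUpdate"}


def in_c2_range(ip: str) -> bool:
    """True if ip parses and falls inside one of the C2 networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in C2_NETWORKS)


def classify(event: dict) -> Optional[str]:
    """Label an event that matches an indicator, or return None."""
    eid = event.get("EventID")
    data = event.get("EventData", {})
    if eid == 4698:
        # Security: scheduled task created.  TaskName is a path such as
        # "\Microsoft\Windows\...\Name", so compare the leaf only.
        leaf = data.get("TaskName", "").rsplit("\\", 1)[-1]
        if leaf in TASK_NAMES:
            return "persistence:scheduled_task"
    elif eid == 13:
        # Sysmon: registry value set.  Sysmon writes HKCU as HKU\<SID>, so
        # match on the key suffix plus the value name.
        key, _, value = data.get("TargetObject", "").rpartition("\\")
        if key.upper().endswith(RUN_KEY_SUFFIX) and value in RUN_VALUE_NAMES:
            return "persistence:run_key"
    elif eid == 3:
        # Sysmon: network connection; only outbound beacons are interesting.
        if data.get("Initiated") == "true" and in_c2_range(data.get("DestinationIp", "")):
            return "c2:outbound_connection"
    return None


def scan(json_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (label, actor) pairs for matching events.  actor is the process
    image when present, otherwise the subject user from the Security event."""
    hits = []
    for line in json_lines:
        event = json.loads(line)
        label = classify(event)
        if label:
            data = event.get("EventData", {})
            hits.append((label, data.get("Image") or data.get("SubjectUserName", "?")))
    return hits


# Constructed sample export: three benign records interleaved with three that
# match the page's indicators.  Not real telemetry.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 4698, "EventData": {"SubjectUserName": "jdoe", "TaskName": "\\GoogleUpdateTaskMachineUA"}},
    {"EventID": 4698, "EventData": {"SubjectUserName": "jdoe", "TaskName": "\\BrowserUpdateTask"}},
    {"EventID": 13, "EventData": {"Image": "C:\\Windows\\explorer.exe",
                                  "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"}},
    {"EventID": 13, "EventData": {"Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\resume.exe",
                                  "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\FerretUpdate"}},
    {"EventID": 3, "EventData": {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Initiated": "true",
                                 "DestinationIp": "13.107.42.14", "DestinationPort": "443"}},
    {"EventID": 3, "EventData": {"Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\resume.exe", "Initiated": "true",
                                 "DestinationIp": "175.45.178.9", "DestinationPort": "443"}},
]]

if __name__ == "__main__":
    for label, actor in scan(SAMPLE_EVENTS):
        print(f"{label:30} {actor}")
```

Matching on the task leaf name and on the Run key suffix rather than on exact strings is deliberate: the operator can nest the task under any folder and Sysmon renders HKCU as HKU\<SID>, so exact-string rules miss both. Event 4698 only appears if the "Audit Other Object Access Events" subcategory is enabled; without it, fall back to Sysmon event 1 for schtasks.exe invocations.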

☠️ Risk & Impact

FlexibleFerret poses a high risk of exfiltration of cryptocurrency wallet keys, browser-stored passwords, and corporate intellectual property. The sectors hit in the reported campaigns are financial technology and cryptocurrency trading firms; the cited Mandiant incident-response reporting (mandiant.com/resources/insights, a general landing page rather than a specific report) puts losses from the early campaigns at more than $1.2 million in stolen digital assets. The malware's stealthy persistence and modular payloads allow long-term compromise that signature-based alerts alone are unlikely to catch, which is why the behavioural indicators above matter more than file hashes.

🛡️ Mitigation

Mitigation strategies include: blocking the known C2 addresses at the perimeter and alerting on any attempt to reach them (a silent block hides the infected host); using application control so that script interpreters and binaries launched from shortcuts cannot run from user-writable locations such as %TEMP% and Downloads, and stripping or quarantining ISO attachments at the mail gateway, since LNK files are not code-signed and cannot be controlled by signature alone; deploying YARA rules for the API-obfuscation and runtime-decryption patterns seen in FlexibleFerret samples; applying Microsoft's November 2023 fix for CVE-2023-36025; and monitoring persistence events, specifically Windows Security event ID 4698 ("A scheduled task was created", which requires the "Audit Other Object Access Events" subcategory to be enabled) and Sysmon event ID 13 for values written under Run keys.
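Because the lure described above arrives as an LNK shortcut dressed up as a job-application document, a quick triage step is to read what the shortcut actually launches before anyone double-clicks it. The parser below is an added example, not code from the page's cited vendors; the byte layout follows the public MS-SHLLINK specification, the suspicious-marker list is my own heuristic, and both shortcuts it builds are constructed test inputs, not real FlexibleFerret lures.

```python
"""Triage Windows shortcut (.lnk) files by extracting what they launch.
Added example; not code from the page's cited vendors.  Byte layout per the
public MS-SHLLINK specification.  The shortcuts built at the bottom are
constructed test inputs, not real lures.
"""
import struct
from typing import Dict, List

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
# Heuristic markers (my choice, not from the page): interpreters and switches
# that shortcut loaders commonly use; a document shortcut should contain none.
SUSPICIOUS = ("powershell", "pwsh", "cmd.exe", "mshta", "rundll32", "regsvr32", "wscript", "cscript",
              "-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "iex ", "downloadstring")


def is_lnk(blob: bytes) -> bool:
    """Check the fixed 76-byte ShellLinkHeader: HeaderSize field and LinkCLSID."""
    return len(blob) >= 0x4C and struct.unpack_from("<I", blob, 0)[0] == 0x4C and blob[4:20] == LNK_CLSID


def parse_lnk(blob: bytes) -> Dict[str, str]:
    """Return the StringData fields (name, relative path, arguments, ...) of a shell link."""
    if not is_lnk(blob):
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", blob, 20)[0]
    off = 0x4C
    if flags & HAS_IDLIST:        # IDListSize (2 bytes) followed by that many bytes
        off += 2 + struct.unpack_from("<H", blob, off)[0]
    if flags & HAS_LINKINFO:      # LinkInfoSize (first dword) covers the whole structure
        off += struct.unpack_from("<I", blob, off)[0]
    fields = {}
    for flag, name in STRING_FIELDS:   # fixed order; each is CountCharacters + chars, no NUL
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", blob, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[name] = blob[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = blob[off:off + count].decode("cp1252")
            off += count
    return fields   # ExtraData blocks that follow are not needed for triage


def suspicious_markers(fields: Dict[str, str]) -> List[str]:
    """Markers found in the launch string (target path plus arguments)."""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    return [m for m in SUSPICIOUS if m in text]


def build_lnk(relative_path: str, arguments: str = "", icon: str = "") -> bytes:
    """Construct a minimal Unicode shortcut with no IDList or LinkInfo (test input only)."""
    flags = HAS_RELPATH | IS_UNICODE | (HAS_ARGS if arguments else 0) | (HAS_ICON if icon else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\x00" * (0x4C - 24)

    def field(value: str) -> bytes:
        return struct.pack("<H", len(value)) + value.encode("utf-16-le")

    return header + field(relative_path) + (field(arguments) if arguments else b"") + (field(icon) if icon else b"")


# Constructed: a "resume" shortcut that really launches hidden, base64-encoded
# PowerShell ("SQBFAFgA" is just "IEX" in UTF-16LE) while showing a stock icon.
LURE = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "-NoP -w hidden -enc SQBFAFgA", r"%SystemRoot%\system32\imageres.dll")
BENIGN = build_lnk(r"..\Documents\Resume_2024.pdf")

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        fields = parse_lnk(blob)
        print(label, fields, suspicious_markers(fields))
```

Real lures usually carry an IDList and LinkInfo block; the parser skips both by their own size fields, so the StringData it reads is the same that Explorer would pass to CreateProcess. Run it at the mail gateway or in a sandbox intake script and quarantine anything whose markers list is non-empty; a genuine document shortcut points at a file, not at an interpreter with encoded arguments.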

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.