FrigidStealer malware targets macOS users through fake browser updates, stealing passwords, crypto wallets, and notes using DNS-based data theft techniques.
A known strain of macOS malware, FrigidStealer, is targeting Apple users via convincing fake browser update prompts. First observed in February 2025, and reported by Hackread.com, this variant is part of the Ferret malware family and has already affected users across North America, Europe, and Asia.
The malware strain has been linked to TA2726 and TA2727, both known for using fake browser updates as an attack vector. It has also been linked to a surge in infections across public-facing industries, particularly retail and hospitality.
The malware operates by tricking users into downloading a disk image file (DMG) disguised as a Safari update. Once the user opens the file, it gets around Apple's Gatekeeper protections with the user's own help rather than through a technical bypass: using built-in AppleScript functionality, it prompts the user to enter their password. The malware then installs a malicious app with the bundle ID com.wails.ddaolimaki-daunito, which helps it blend in with legitimate applications.
Once active, FrigidStealer begins collecting sensitive data, including browser credentials, system information, cryptocurrency wallet data, and even Apple Notes. This data is then exfiltrated to a command-and-control server via DNS queries that are routed through macOS's mDNSResponder, so the traffic looks like ordinary name resolution rather than an outbound connection. After stealing and sending the data, the malware terminates its own process to reduce the chances of detection.
Wazuh, the open-source security platform vendor that analysed FrigidStealer and shared its technical report with Hackread.com, noted that this malware does not rely on traditional exploit kits or vulnerabilities. Instead, it takes advantage of user trust in system notifications and browser update prompts. This approach makes it more dangerous, as it requires less technical sophistication on the attacker's part while still being highly effective.
What sets FrigidStealer apart is its use of macOS-specific behaviours to evade detection. It registers itself as a foreground application via launchservicesd, interacts with the system through unauthorized Apple Events communication, and deletes traces of itself post-execution. Logs from Apple's Unified Logging System (ULS) show that the malware uses legitimate process names and services to stay hidden, which is exactly why the logs, rather than the process list, are where defenders should look.
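The two observable traces described above, the burst of DNS queries through mDNSResponder and the AppleScript password prompt, are what a detection rule would key on. The following is an added example, not code from Wazuh's report or from Hackread.com, and it runs over constructed sample log lines in a simplified "timestamp process: message" layout; the C2 domain (example-c2.invalid), the query-line format and the dialog text are made up for the example, and the real unified-log message format would require adjusting the regular expressions. It flags a domain once it receives several distinct long, high-entropy leftmost labels (the hallmark of data chunks encoded into subdomains) and separately flags osascript dialogs with a hidden-answer field:

```python
import math
import re
from collections import defaultdict

# Constructed sample log lines in a simplified "timestamp process: message" layout.
# They are NOT real FrigidStealer or macOS unified-log output: the C2 domain, the
# query-line format and the dialog text are made up for this example.
SAMPLE_LOG = """\
2025-02-10 10:01:02.100 mDNSResponder: Q A www.apple.com
2025-02-10 10:01:02.150 mDNSResponder: Q A 7a9f3c2e5b1d4f6a8c0e2b4d6f8a1c3e.t.example-c2.invalid
2025-02-10 10:01:02.180 mDNSResponder: Q A 9b1c4e6f0a2d8e3b5c7f9a1d3e5b7c9f.t.example-c2.invalid
2025-02-10 10:01:02.210 mDNSResponder: Q A c4d8e2f6a0b3c7d1e5f9a2b6c0d4e8f2.t.example-c2.invalid
2025-02-10 10:01:02.240 mDNSResponder: Q A 1f3e5d7c9b0a2f4e6d8c1b3a5f7e9d0c.t.example-c2.invalid
2025-02-10 10:01:02.300 mDNSResponder: Q A gateway.icloud.com
2025-02-10 10:01:03.000 osascript: display dialog "Safari needs your password to finish the update" default answer "" with hidden answer
2025-02-10 10:01:03.050 mDNSResponder: Q A ocsp.apple.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proc>[\w.-]+): (?P<msg>.*)$")
QUERY_RE = re.compile(r"\bQ A (?P<qname>[A-Za-z0-9.-]+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores high, real words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_lines(log_text: str):
    """Yield (process, message) tuples for every well-formed line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("proc"), m.group("msg")


def base_domain(qname: str) -> str:
    """Naive registrable domain (last two labels); a real tool would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_dns_exfil(log_text: str, min_label_len: int = 20,
                   min_entropy: float = 3.0, min_unique: int = 3) -> dict:
    """Return {base_domain: sorted suspicious leading labels} for every domain that
    received at least `min_unique` distinct long, high-entropy leftmost labels.
    A single odd-looking query is noise; many distinct ones to one domain is a channel.
    """
    suspicious = defaultdict(set)
    for proc, msg in parse_lines(log_text):
        if proc != "mDNSResponder":
            continue
        q = QUERY_RE.search(msg)
        if not q:
            continue
        qname = q.group("qname")
        leading = qname.split(".")[0]
        if len(leading) >= min_label_len and shannon_entropy(leading) >= min_entropy:
            suspicious[base_domain(qname)].add(leading)
    return {d: sorted(labels) for d, labels in suspicious.items() if len(labels) >= min_unique}


def find_password_prompts(log_text: str) -> list:
    """Return osascript messages that raise a credential-style dialog (hidden-answer field)."""
    hits = []
    for proc, msg in parse_lines(log_text):
        if proc == "osascript" and "display dialog" in msg and "hidden answer" in msg:
            hits.append(msg)
    return hits


if __name__ == "__main__":
    for domain, labels in find_dns_exfil(SAMPLE_LOG).items():
        print(f"possible DNS exfiltration to {domain}: {len(labels)} encoded labels")
    for msg in find_password_prompts(SAMPLE_LOG):
        print("password prompt via osascript:", msg)
```

The entropy threshold is deliberately low (3.0 bits per character) because hex or base32-encoded chunks sit around 3.8 to 4.0, while hostnames built from words rarely exceed 3.0; the label-length and distinct-label-count thresholds do the rest of the work and keep benign long CDN hostnames from tripping the rule on their own.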
If you're on macOS, keep in mind that attackers are getting smarter about how they trick people. They're combining clever scams with knowledge of how the system works to sneak past standard security. Even with protections in place, the first step of the attack often comes down to someone clicking a link or trusting a fake update prompt.
Therefore, users are urged to avoid installing software updates from unexpected prompts or third-party sites. Updates should always come directly from official sources such as the Mac App Store or the system's own Software Update tool, and no genuine browser update will ever ask for your password in a pop-up dialog.