Frigidstealer Malware Targets macOS Users to Harvest Login Credentials
A new information-stealing malware dubbed FrigidStealer has emerged as a formidable threat to macOS users since January 2025.
This insidious malware capitalizes on user trust by masquerading as routine browser updates, luring unsuspecting individuals into downloading a malicious disk image file (DMG) from compromised websites.
Unlike conventional malware, FrigidStealer bypasses macOS Gatekeeper protections by coercing users to manually execute the file and input their passwords via deceptive AppleScript prompts.
Once installed, it targets a wide array of sensitive data, including browser credentials, cryptocurrency wallets, and system information, posing severe risks of identity theft and financial fraud.
Experts suggest potential links to the notorious EvilCorp syndicate, highlighting the malware’s financial motivations and its dual threat to individual users and enterprises.
Threat Exploiting Trust in Software Updates
FrigidStealer operates with alarming sophistication, registering itself as an application named “ddaolimaki-daunito” on macOS endpoints, with its executable path traced to “Volumes/Safari Updater/Safari Updater.app.”
It establishes persistence through launchservicesd as a foreground application under the bundle ID “com.wails.ddaolimaki-daunito,” ensuring it remains active across system reboots.
The malware employs Apple Events for unauthorized inter-process communication to harvest data and exfiltrates stolen information to command-and-control (C2) servers using DNS data tunneling via mDNSResponder.

Post-exfiltration, it terminates its processes to evade detection, further complicating mitigation efforts.
To counter this threat, cybersecurity professionals can leverage Wazuh, an open-source SIEM and XDR platform, for detection.
According to the report, configuring the Wazuh agent on macOS endpoints to use the Unified Logging System (ULS) to monitor system logs, and setting up custom decoders and rules on the Wazuh server, allows suspicious activity to be flagged in real time, including process registration, DNS queries, and attempts at data exfiltration.
Technical Intricacies
Alerts generated through tailored rules, like those detecting the malware’s bundle ID or Apple Events usage, can be visualized on the Wazuh dashboard under the Threat Hunting module, enabling swift incident response.
The configuration involves intricate steps, such as defining specific log queries in the Wazuh agent’s ossec.conf file to track processes tied to FrigidStealer and crafting regex-based decoders to parse relevant log events, ensuring comprehensive monitoring of malicious behavior.
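As an added illustration, not code from the report or from Wazuh itself, the decoder-and-rule pipeline described above can be sketched in Python over constructed ULS-style log lines: a regex decoder splits each line into fields, and rules keyed on the bundle ID, the application name, Apple Events usage and mDNSResponder queries turn matches into alerts. The log message wording, rule IDs, alert levels and the DNS-tunnel thresholds are assumptions; the bundle ID and application name are the ones named in the write-up.

```python
import re

# Decoder stage: one regex splits a syslog-style ULS line into named fields
# (constructed line format; Wazuh does this with XML <decoder> regexes).
ULS_LINE = re.compile(r"^(?P<timestamp>\S+ \S+)\s+(?P<host>\S+)\s+"
                      r"(?P<process>[^\[\s]+)\[(?P<pid>\d+)\]:\s+(?P<message>.*)$")
BUNDLE_ID = "com.wails.ddaolimaki-daunito"  # bundle ID named in the write-up
APP_NAME = "ddaolimaki-daunito"             # application name named in the write-up
DNS_QUERY = re.compile(r"query\s+(?P<qname>[\w.-]+)")  # assumed mDNSResponder wording

def looks_like_dns_tunnel(qname):
    """Smuggled data tends to yield a label over 30 chars or a very deep name
    (both thresholds are assumptions; tune them to your environment)."""
    labels = qname.rstrip(".").split(".")
    return max(len(label) for label in labels) > 30 or len(labels) > 5

def dns_rule(fields):
    # Only queries that ULS attributes to the malware's process are inspected.
    if fields["process"] != "mDNSResponder" or APP_NAME not in fields["message"]:
        return False
    m = DNS_QUERY.search(fields["message"])
    return bool(m) and looks_like_dns_tunnel(m.group("qname"))

# Rule stage: (id, level, description, predicate on decoded fields). IDs sit in
# Wazuh's custom range (100000+); the levels and descriptions are ours.
RULES = [
    (100100, 12, "FrigidStealer bundle ID registered via launchservicesd",
     lambda f: f["process"] == "launchservicesd" and BUNDLE_ID in f["message"]),
    (100101, 10, "FrigidStealer process sending Apple Events",
     lambda f: f["process"] == APP_NAME and "AppleEvent" in f["message"]),
    (100102, 11, "Tunnel-like DNS query by FrigidStealer via mDNSResponder", dns_rule),
]

def evaluate(line):
    """Decode one line; return the first matching rule as an alert dict, else None."""
    m = ULS_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for rule_id, level, desc, pred in RULES:
        if pred(fields):
            return {"rule_id": rule_id, "level": level, "description": desc, **fields}
    return None

# Constructed sample lines (syslog style); only the last one is benign.
SAMPLE_LOGS = [
    "2025-02-10 09:14:02-0800  mac-01 launchservicesd[112]: registered com.wails.ddaolimaki-daunito",
    "2025-02-10 09:14:05-0800  mac-01 ddaolimaki-daunito[4821]: sending AppleEvent to com.apple.systemevents",
    "2025-02-10 09:14:09-0800  mac-01 mDNSResponder[150]: ddaolimaki-daunito[4821] query "
    "68656c6c6f2d632d322d7465737431323334.c2-placeholder.example",
    "2025-02-10 09:14:11-0800  mac-01 mDNSResponder[150]: Safari[300] query www.apple.com",
]
```

Running `evaluate` over `SAMPLE_LOGS` yields one alert for each of the first three lines and none for the benign Safari lookup; in a real deployment the same field matches would live in Wazuh rule XML and surface in the Threat Hunting module.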
This malware underscores a critical need for enhanced security measures on macOS systems, often perceived as less vulnerable to such threats.
FrigidStealer’s reliance on social engineering to bypass built-in protections like Gatekeeper reveals a dangerous evolution in attack methodologies.
As cyber threats grow more deceptive, users must exercise caution with unsolicited update prompts, and organizations should prioritize endpoint monitoring and employee awareness to combat such stealthy adversaries.
With tools like Wazuh providing actionable detection capabilities, the battle against FrigidStealer is winnable, but it demands vigilance and proactive defense to safeguard sensitive data from falling into the wrong hands.