FrigidStealer Malware Hits macOS Users via Fake Safari Browser Updates


FrigidStealer malware targets macOS users via fake browser updates, stealing passwords, crypto wallets, and notes, and exfiltrating the stolen data over DNS.

A strain of macOS malware known as FrigidStealer is targeting Apple users through convincing fake browser update prompts. First spotted in February 2025, and reported by Hackread.com, this variant is part of the Ferret malware family and has already impacted users across North America, Europe, and Asia.

The malware strain has been linked to TA2726 and TA2727, both known for using fake browser updates as an attack vector. It has also been connected to a surge in infections across public-facing industries, particularly retail and hospitality.

The malware operates by tricking users into downloading a disk image file (DMG) disguised as a Safari update. Once the file is installed, it bypasses Apple's Gatekeeper protections by prompting the user to enter their password, exploiting built-in AppleScript functionality. The malware then installs a malicious app with the bundle ID com.wails.ddaolimaki-daunito, which helps it blend in with legitimate applications.

Once active, FrigidStealer begins collecting sensitive data, including browser credentials, system files, cryptocurrency wallet information, and even Apple Notes. This data is then exfiltrated to a command-and-control server through DNS queries routed via macOS's mDNSResponder. After stealing and sending the data, the malware terminates its own process to reduce the chances of detection.

According to Wazuh, an open-source cybersecurity firm that identified FrigidStealer and shared its technical report with Hackread.com, this malware doesn't rely on traditional exploit kits or vulnerabilities. Instead, it takes advantage of user trust in system notifications and browser update prompts. This approach makes it more dangerous, as it requires less technical sophistication on the attacker's part while still being highly effective.

What sets FrigidStealer apart is its use of macOS-specific behaviours to stay persistent. It registers itself as a foreground application via launchservicesd, interacts with the system through unauthorized Apple Events communication, and deletes traces of itself post-execution. Logs from Apple's Unified Logging System (ULS) show that the malware uses legitimate process names and services to stay hidden.
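The DNS exfiltration channel and the Unified Logging traces described above are what a defender can actually hunt for. As an added example (not from the article or Wazuh's report), the Python below scans constructed mDNSResponder-style log lines, in the shape of `log show` output, and groups long, high-entropy query names by the zone they belong to; the log layout, thresholds, domain and hex labels are all assumptions made for the illustration.

```python
import math
import re
from collections import Counter

# Constructed sample lines in the shape of `log show` output for mDNSResponder
# question events. The domain and hex labels are made up, not real indicators.
SAMPLE_LOG = """\
2025-02-20 10:01:02 mDNSResponder: [Q1] Question: apple.com. A
2025-02-20 10:01:03 mDNSResponder: [Q2] Question: 4a5f3e2d1c0b9a8f7e6d5c4b3a291807f6e5d4c3b2a19087.update-check.example. TXT
2025-02-20 10:01:04 mDNSResponder: [Q3] Question: www.wikipedia.org. AAAA
2025-02-20 10:01:05 mDNSResponder: [Q4] Question: 9f8e7d6c5b4a39281706f5e4d3c2b1a0918273645.update-check.example. TXT
"""

# Assumed line layout "... Question: <name> <record type>"; adjust for real logs.
QUERY_RE = re.compile(r"Question:[ \t]+(?P<name>\S+)[ \t]+(?P<type>[A-Z]+)")


def shannon_entropy(s):
    """Bits per character: hex-encoded data approaches 4.0, words sit well below."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def score_query(name, qtype):
    """Return the reasons one DNS question looks like an exfiltration carrier."""
    longest = max(name.rstrip(".").split("."), key=len)
    reasons = []
    if len(longest) >= 32:
        reasons.append(f"long label ({len(longest)} chars)")
    if len(longest) >= 16 and shannon_entropy(longest) > 3.5:
        reasons.append("high-entropy label")
    if reasons and qtype == "TXT":
        reasons.append("TXT lookup, a roomy record type for encoded data")
    return reasons


def find_suspicious_domains(log_text, min_hits=2):
    """Group flagged questions by their last two labels (the zone an attacker
    would control) and keep zones queried repeatedly: one odd lookup is noise,
    a stream of them is a channel."""
    hits = {}
    for match in QUERY_RE.finditer(log_text):
        name, qtype = match.group("name"), match.group("type")
        reasons = score_query(name, qtype)
        if reasons:
            zone = ".".join(name.rstrip(".").split(".")[-2:])
            hits.setdefault(zone, []).append((name, reasons))
    return {zone: qs for zone, qs in hits.items() if len(qs) >= min_hits}
```

On a live system the input would come from `log show --predicate 'process == "mDNSResponder"'` rather than the embedded sample; the thresholds are a starting point and will need tuning against your own baseline traffic.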

If you're on macOS, keep in mind that attackers are getting smarter about how they trick people. They're combining clever scams with knowledge of how the system works to sneak past standard security. Even with protection in place, the first step of the attack often comes down to a user clicking a link or trusting a fake update prompt.

Therefore, users are urged to avoid installing software updates from unexpected prompts or third-party sites. Updates should always come directly from official sources such as the Mac App Store or the system's own Software Update tool.
