FrigidStealer, a sophisticated information-stealing malware that emerged in January 2025, is actively targeting macOS endpoints to steal sensitive user data through deceptive techniques.
Unlike conventional malware, FrigidStealer exploits user trust in routine software updates, which makes it particularly insidious.
The malware has raised significant concerns among cybersecurity experts because of its ability to bypass standard security measures while harvesting valuable personal information from unsuspecting users.
The attack vector relies on social engineering, specifically the distribution of malicious code via fake browser update pages hosted on compromised websites.
Users are tricked into downloading a malicious disk image file (DMG) that requires manual execution.
Once launched, the malware bypasses macOS Gatekeeper protections by prompting users to enter their password via AppleScript, granting it elevated privileges on the system.
Wazuh analysts identified the malware's sophisticated operational mechanics during their recent investigation of emerging threats to macOS environments.
Their research revealed that FrigidStealer's financial motivations are likely linked to the notorious EvilCorp syndicate, underscoring the serious threat it poses to both individual users and enterprises.
The stolen data includes credentials and cryptocurrency wallets, posing significant risks of identity theft and financial fraud.
Upon execution, the malware registers itself as an application named "ddaolimaki-daunito" on the macOS endpoint, with the executable path typically located at "Volumes/Safari Updater/Safari Updater.app".
This deceptive naming convention further enhances its ability to remain undetected by casual users, who might mistake it for a legitimate software component.
Persistence Mechanism and Data Exfiltration
FrigidStealer establishes persistence through sophisticated techniques that keep it operational across system restarts.
The malware leverages launchservicesd as a foreground application with bundle ID "com.wails.ddaolimaki-daunito" to maintain its presence on infected systems.
This persistence technique is particularly effective because it mimics legitimate system processes.
The data exfiltration process involves using Apple Events for unauthorized inter-process communication to target sensitive information.
This technique allows the malware to access browser credentials, filesystem data, and system configuration details without triggering standard security alerts.
A sample of the malware's execution can be detected with the following log pattern:
# Detection of FrigidStealer DNS exfiltration
macOS_mDNSResponder
(?i)(DNSServiceQueryRecord).*mask.hash: '(\S+)'.*pid:(\d+).*\((.+)\)
program_type,hash,pid,process_name
After successfully harvesting credentials and other valuable data, FrigidStealer exfiltrates the stolen information to command-and-control servers through DNS data exfiltration via the mDNSResponder process.
This technique is particularly insidious because it disguises malicious traffic as legitimate DNS queries, making detection difficult for conventional network monitoring tools.
Following successful exfiltration, the malware terminates its main process to eliminate traces of its operation, further complicating forensic analysis.
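To show how the decoder pattern above can be put to work, here is an added Python example (not code from the article or from Wazuh) that runs the regex over a few constructed mDNSResponder-style log lines and flags DNS queries issued by the process names the article associates with FrigidStealer. The sample lines, the restored regex escapes, and the process-name list are assumptions.

```python
import re
from typing import Dict, List, Optional

# Decoder pattern from the article, with the backslashes assumed stripped
# during extraction restored (\S, \d, \( \)). "mask.hash" is the privacy
# masking that Apple's unified log applies to the queried name.
FRIGID_DNS_RE = re.compile(
    r"(?i)(DNSServiceQueryRecord).*mask\.hash: '(\S+)'.*pid:(\d+).*\((.+)\)"
)
FIELDS = ("program_type", "hash", "pid", "process_name")

# Process names the article ties to FrigidStealer (assumed list); a fuller rule
# would also watch launchservicesd for bundle ID com.wails.ddaolimaki-daunito.
SUSPICIOUS_PROCESS_NAMES = {"ddaolimaki-daunito", "Safari Updater"}


def decode_line(line: str) -> Optional[Dict[str, str]]:
    """Apply the decoder regex and map its capture groups to the field names."""
    m = FRIGID_DNS_RE.search(line)
    if m is None:
        return None
    return dict(zip(FIELDS, m.groups()))


def is_frigidstealer_indicator(decoded: Dict[str, str]) -> bool:
    """Alert only when the querying process is a known FrigidStealer name."""
    return decoded["process_name"] in SUSPICIOUS_PROCESS_NAMES


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return the decoded fields of every line that is a FrigidStealer indicator."""
    hits = []
    for line in lines:
        decoded = decode_line(line)
        if decoded is not None and is_frigidstealer_indicator(decoded):
            hits.append(decoded)
    return hits


# Constructed sample lines shaped like the decoder pattern; not real captured logs.
SAMPLE_LOG = [
    "mDNSResponder: DNSServiceQueryRecord mask.hash: 'Qm9ndXM=' pid:4242 (ddaolimaki-daunito)",
    "mDNSResponder: DNSServiceQueryRecord mask.hash: 'Tm9ybWFs' pid:512 (Safari)",
    "mDNSResponder: DNSServiceBrowse START pid:77 (Finder)",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```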
As this threat continues to evolve, cybersecurity experts recommend implementing comprehensive endpoint protection designed specifically for macOS environments, staying vigilant about software update prompts, and using specialized detection tools such as Wazuh that can identify the distinctive behavioral patterns associated with FrigidStealer infections.