A new malware called FrigidStealer has been discovered targeting macOS users since January 2025. This malware steals sensitive information by tricking users into downloading fake software updates. Unlike traditional malware, FrigidStealer exploits users’ trust in routine update prompts, making it especially dangerous.
The malware spreads through social engineering. It appears as a fake browser update page hosted on compromised websites. Users are deceived into downloading a malicious disk image file (DMG) that they must open manually. Once run, FrigidStealer bypasses macOS security tools like Gatekeeper by using AppleScript to prompt users for their system password. This grants the malware elevated privileges on the infected device.
After installation, FrigidStealer registers itself as an app named “ddaolimaki-daunito”, typically found at `Volumes/Safari Updater/Safari Updater.app`. This name mimics legitimate software, helping it avoid detection. The malware then establishes persistence by running as a foreground application through the `launchservicesd` process with the bundle ID `com.wails.ddaolimaki-daunito`. This method allows it to stay active even after system restarts.
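The bundle ID, executable name and mounted-image path above are the host-side indicators a responder would check first. The script below is an added triage example written for this article; it is not code from the researchers or from the malware write-up. It reads an app bundle's `Info.plist` with the standard library's `plistlib` and parses `ps`-style process output, and it flags exact matches on the indicators quoted above plus two heuristics that are assumptions of this example: an app calling itself an Apple updater whose bundle ID is not under `com.apple.`, and an app bundle executing straight from a mounted disk image under `/Volumes`. The plist contents and the process listing are constructed samples, not captured artifacts.

```python
import plistlib

# Indicators quoted from the write-up above.
IOC_BUNDLE_ID = "com.wails.ddaolimaki-daunito"
IOC_APP_NAME = "ddaolimaki-daunito"
IOC_LURE_NAME = "Safari Updater"

# Constructed sample Info.plist modelled on the bundle described above
# (not a real sample; every value other than the bundle ID is an assumption).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.wails.ddaolimaki-daunito</string>
  <key>CFBundleName</key>
  <string>Safari Updater</string>
  <key>CFBundleExecutable</key>
  <string>ddaolimaki-daunito</string>
</dict>
</plist>
"""

# Constructed output in the shape of `ps -axo pid,ppid,comm` on macOS.
SAMPLE_PS = """\
  PID  PPID COMM
    1     0 /sbin/launchd
  412     1 /System/Library/CoreServices/launchservicesd
  988     1 /Applications/Safari.app/Contents/MacOS/Safari
 2381     1 /Volumes/Safari Updater/Safari Updater.app/Contents/MacOS/ddaolimaki-daunito
"""


def triage_app_bundle(info_plist: bytes, bundle_path: str) -> list[str]:
    """Return the reasons an app bundle resembles the lure described above.

    An empty list means nothing matched. The bundle-ID and executable checks
    are exact IoC matches; the other two are heuristics (assumptions): an app
    advertising itself as an Apple updater without a com.apple.* bundle ID,
    and an app launched straight from a mounted disk image.
    """
    reasons = []
    try:
        info = plistlib.loads(info_plist)
    except (plistlib.InvalidFileException, ValueError):
        return ["Info.plist could not be parsed"]
    bundle_id = info.get("CFBundleIdentifier", "")
    name = info.get("CFBundleName", "")
    executable = info.get("CFBundleExecutable", "")

    if bundle_id == IOC_BUNDLE_ID:
        reasons.append(f"bundle id matches IoC {IOC_BUNDLE_ID}")
    if executable == IOC_APP_NAME:
        reasons.append(f"executable name matches IoC {IOC_APP_NAME}")
    if IOC_LURE_NAME.lower() in name.lower() and not bundle_id.startswith("com.apple."):
        reasons.append("claims to be an Apple updater but bundle id is not com.apple.*")
    if bundle_path.startswith("/Volumes/"):
        reasons.append("app is running from a mounted disk image under /Volumes")
    return reasons


def flag_processes(ps_output: str) -> list[dict]:
    """Parse ps-style output and flag processes whose path or name matches.

    COMM may itself contain spaces (the lure path does), so each line is
    split into exactly three fields: pid, ppid and the remainder.
    """
    hits = []
    for line in ps_output.splitlines()[1:]:  # first line is the header
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        pid, ppid, comm = parts
        reasons = []
        if comm.rsplit("/", 1)[-1] == IOC_APP_NAME:
            reasons.append("executable name matches IoC")
        if comm.startswith("/Volumes/") and ".app/" in comm:
            reasons.append("app bundle executing from a mounted disk image")
        if reasons:
            hits.append({"pid": int(pid), "ppid": int(ppid), "path": comm, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for reason in triage_app_bundle(SAMPLE_INFO_PLIST, "/Volumes/Safari Updater/Safari Updater.app"):
        print("bundle:", reason)
    for hit in flag_processes(SAMPLE_PS):
        print(f"pid {hit['pid']}: {hit['path']} -> {', '.join(hit['reasons'])}")
```

On a live Mac the same functions would be fed the bytes of `Contents/Info.plist` from a suspect bundle and the real output of `ps -axo pid,ppid,comm`. The two heuristics will also fire on legitimately signed installers run from a DMG, so treat them as triage signals to be reviewed alongside code-signing information rather than as verdicts.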
FrigidStealer collects a wide range of sensitive data, including browser credentials, cryptocurrency wallet information, Apple Notes, and system files. It uses Apple Events for unauthorized communication between processes to access this data without triggering typical security alerts.
The stolen information is sent to command-and-control servers using a covert DNS exfiltration technique via the macOS `mDNSResponder` process. This disguises malicious traffic as normal DNS queries, making it difficult for network defenses to detect. After successfully stealing data, the malware terminates its main process to erase traces and avoid forensic analysis.
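Because the stolen data leaves the host inside ordinary-looking DNS queries, the network-side signal is not any single query but the pattern: many distinct, long, high-entropy subdomains under one parent zone in a short window. The script below is an added example written for this article, not code from the researchers or from any product; it scores resolver log lines with that heuristic using only the standard library. The log lines are constructed, the client address is made up, and `updates-cdn.invalid` is a placeholder zone (`.invalid` is a reserved TLD). The length and entropy thresholds, and the "parent zone = last two labels" rule, are assumptions to tune per environment; production tooling would use the Public Suffix List for the zone split.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (not real traffic): timestamp, client IP,
# query type, query name. updates-cdn.invalid is a placeholder for an
# attacker-controlled zone; the encoded-looking labels are made up.
SAMPLE_DNS_LOG = """\
2025-02-10T10:01:02Z 10.0.0.15 A www.apple.com
2025-02-10T10:01:03Z 10.0.0.15 A gateway.icloud.com
2025-02-10T10:01:04Z 10.0.0.15 TXT q7x2mk9pfa3vz8lbr4ncs6jdh5wtg0ye1u.updates-cdn.invalid
2025-02-10T10:01:04Z 10.0.0.15 TXT a1b2c3d4e5f6g7h8i9j0klmnopqrstuvwx.updates-cdn.invalid
2025-02-10T10:01:05Z 10.0.0.15 A mesu.apple.com
2025-02-10T10:01:05Z 10.0.0.15 TXT zyxwvutsrqponmlkjihgfedcba98765432.updates-cdn.invalid
2025-02-10T10:01:06Z 10.0.0.15 TXT m3n7o1p5q9r2s6t0u4v8w1x5y9z3a7b2c6.updates-cdn.invalid
2025-02-10T10:01:06Z 10.0.0.15 A ocsp.apple.com
2025-02-10T10:01:07Z 10.0.0.15 TXT k0j9i8h7g6f5e4d3c2b1a0z9y8x7w6v5u4.updates-cdn.invalid
2025-02-10T10:01:08Z 10.0.0.15 A time.apple.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str) -> list[dict]:
    """Parse the four-field constructed log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.rstrip(".").lower()})
    return records


def looks_encoded(label: str, min_len: int = 20, min_entropy: float = 3.0) -> bool:
    """Heuristic (assumption): a label carrying encoded data is long and high-entropy.
    Hostnames people choose are short and repetitive by comparison."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_exfil_candidates(text: str, min_unique: int = 3) -> dict[str, int]:
    """Group queries by parent zone (last two labels; a real deployment would
    use the Public Suffix List) and count distinct encoded-looking subdomains.
    Returns {zone: count} for zones with at least min_unique such subdomains."""
    encoded_subs = defaultdict(set)
    for rec in parse_dns_log(text):
        labels = rec["qname"].split(".")
        if len(labels) < 3:
            continue  # no subdomain to carry data
        parent = ".".join(labels[-2:])
        if any(looks_encoded(lbl) for lbl in labels[:-2]):
            encoded_subs[parent].add(".".join(labels[:-2]))
    return {zone: len(subs) for zone, subs in encoded_subs.items()
            if len(subs) >= min_unique}


if __name__ == "__main__":
    for zone, count in find_exfil_candidates(SAMPLE_DNS_LOG).items():
        print(f"{zone}: {count} distinct encoded-looking subdomains")
```

Run against the constructed log, only the placeholder zone is reported; the Apple and iCloud names each have a single short subdomain and never reach the threshold. Adding a per-client time window and a byte-volume estimate (label length times query count) turns the same grouping into a rate alert, which is the form most DNS security products use for this behaviour.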
Cybersecurity researchers from Wazuh and Proofpoint have linked FrigidStealer to the financially motivated cybercrime syndicate EvilCorp. The malware’s sophisticated design and financial goals pose serious risks to both individual users and businesses.
Experts warn macOS users to be cautious of unexpected software update prompts and to only install updates from official sources like the Mac App Store or the system’s built-in Software Update tool. They also recommend using advanced endpoint protection and detection tools capable of identifying FrigidStealer’s unique behaviors.
Key Points to Protect Yourself
- Avoid clicking on suspicious update prompts from websites.
- Only download software updates from official Apple sources.
- Use security solutions that monitor for unusual app behavior and DNS traffic.
- Stay informed about emerging macOS threats and cybersecurity best practices.
As FrigidStealer continues to evolve, vigilance and proper security measures remain the best defense against this growing threat to macOS users worldwide.