New FrigidStealer Malware Attacking macOS Users to Steal Login Credentials


May 17, 2025 - 10:48

FrigidStealer, a sophisticated information-stealing malware that emerged in January 2025, is actively targeting macOS endpoints to steal sensitive user data through deceptive tactics.

Unlike traditional malware, FrigidStealer exploits user trust in routine software updates, making it particularly insidious.

The malware has raised significant concerns among cybersecurity experts due to its ability to bypass standard security measures while harvesting valuable personal information from unsuspecting users.

The attack vector relies on social engineering techniques, specifically distributing malicious code via fake browser update pages hosted on compromised websites.

Users are tricked into downloading a malicious disk image file (DMG) that requires manual execution.

Once initiated, the malware bypasses macOS Gatekeeper protections by cleverly prompting users to enter their password via AppleScript, granting it elevated privileges on the system.

Wazuh analysts identified the malware’s sophisticated operational mechanics during their recent investigation of emerging threats to macOS environments.

Their research revealed that FrigidStealer’s financial motivations are potentially linked to the notorious EvilCorp syndicate, underscoring its serious threat to both individual users and enterprises.

The stolen data includes credentials and cryptocurrency wallets, posing significant risks of identity theft and financial fraud.

Upon execution, the malware registers itself as an application named “ddaolimaki-daunito” on the macOS endpoint, with the executable path typically located at “Volumes/Safari Updater/Safari Updater.app.”

This deceptive naming convention further enhances its ability to remain undetected by casual users who might mistake it for legitimate software components.

Persistence Mechanism and Data Exfiltration

FrigidStealer establishes persistence through sophisticated techniques that ensure it remains operational across system restarts.

The malware leverages launchservicesd as a foreground application with bundle ID “com.wails.ddaolimaki-daunito” to maintain its presence on infected systems.

This persistence strategy is particularly effective as it mimics legitimate system processes.

The data exfiltration process involves using Apple Events for unauthorized inter-process communication to target sensitive information.

This technique allows the malware to access browser credentials, filesystem data, and system configuration details without triggering standard security alerts.

The malware's execution can be detected with the following Wazuh-style detection pattern, consisting of the log source, the regular expression applied to mDNSResponder log lines, and the fields extracted from its capture groups:

# Detection of FrigidStealer DNS exfiltration
  macOS_mDNSResponder
  (?i)(DNSServiceQueryRecord).*mask\.hash: '(\S+)'.*pid:(\d+).*\((.+)\)
  program_type,hash,pid,process_name

After successfully harvesting credentials and other valuable data, FrigidStealer exfiltrates the stolen information to command-and-control servers through DNS data exfiltration via the mDNSResponder process.

This technique is particularly insidious as it disguises malicious traffic as legitimate DNS queries, making detection challenging through conventional network monitoring tools.
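As an added example (not code from the article or from Wazuh), the following Python applies the detection regex above to a few constructed mDNSResponder log lines, extracts the four fields in the order the pattern lists them, and flags matches whose process name is one the article associates with FrigidStealer. The log line layout and hash values are constructed assumptions; only the regex, field names and process names come from the article.

```python
import re
from typing import Optional

# Regular expression exactly as given in the detection pattern above.
MDNS_PATTERN = re.compile(
    r"(?i)(DNSServiceQueryRecord).*mask\.hash: '(\S+)'.*pid:(\d+).*\((.+)\)"
)
# Capture-group order as listed in the pattern's field line.
FIELDS = ("program_type", "hash", "pid", "process_name")

# Process / application names the article reports for FrigidStealer.
SUSPICIOUS_PROCESS_NAMES = {"ddaolimaki-daunito", "safari updater"}

# Constructed sample log lines (assumed layout, not real telemetry):
# two DNSServiceQueryRecord entries and one unrelated mDNS entry.
SAMPLE_LOG = """\
May 17 10:48:01 mac mDNSResponder[311]: [R4012] DNSServiceQueryRecord START -- mask.hash: '8f3a1c2e' pid:4521 (ddaolimaki-daunito)
May 17 10:48:02 mac mDNSResponder[311]: [R4013] DNSServiceQueryRecord START -- mask.hash: '0b77d9aa' pid:902 (Safari)
May 17 10:48:03 mac mDNSResponder[311]: [R4014] DNSServiceBrowse START -- pid:4521 (ddaolimaki-daunito)
"""


def parse_mdns_line(line: str) -> Optional[dict]:
    """Return the extracted fields for a matching line, or None if no match."""
    match = MDNS_PATTERN.search(line)
    if match is None:
        return None
    return dict(zip(FIELDS, match.groups()))


def is_suspicious(event: dict) -> bool:
    """True when the querying process name is one tied to FrigidStealer."""
    return event["process_name"].strip().lower() in SUSPICIOUS_PROCESS_NAMES


def scan(log_text: str) -> list:
    """Parse every line; return matched events with a 'suspicious' flag added."""
    events = []
    for line in log_text.splitlines():
        event = parse_mdns_line(line)
        if event is not None:
            event["suspicious"] = is_suspicious(event)
            events.append(event)
    return events


def suspicious_pids(log_text: str) -> set:
    """PIDs worth isolating and examining, e.g. for the Safari Updater.app path."""
    return {e["pid"] for e in scan(log_text) if e["suspicious"]}


if __name__ == "__main__":
    for event in scan(SAMPLE_LOG):
        print(event)
```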

Following successful exfiltration, the malware terminates its main process to eliminate traces of its operation, further complicating forensic analysis.

As this threat continues to evolve, cybersecurity experts recommend implementing comprehensive endpoint protection specifically designed for macOS environments, maintaining vigilance regarding software update prompts, and utilizing specialized detection tools like Wazuh that can identify the unique behavioral patterns associated with FrigidStealer infections.


The post New FrigidStealer Malware Attacking macOS Users to Steal Login Credentials appeared first on Cyber Security News.