FrigidStealer Malware Hits macOS Users via Fake Safari Browser Updates

FrigidStealer malware targets macOS users via fake browser updates, stealing passwords, crypto wallets, and notes using DNS-based data theft methods.
A strain of macOS malware known as FrigidStealer is targeting Apple users through convincing fake browser update prompts. First spotted in February 2025 and reported by Hackread.com at the time, this variant is part of the Ferret malware family and has already impacted users across North America, Europe, and Asia.
The malware has been linked to the threat actors TA2726 and TA2727, both known for using fake browser updates as an attack vector, and to a surge in infections across public-facing industries, particularly retail and hospitality.
The malware works by tricking users into downloading a disk image (DMG) disguised as a Safari update. Once the file is opened, it gets past Apple's Gatekeeper protections with the user's cooperation rather than an exploit, and uses built-in AppleScript functionality to display a dialog asking for the user's password. It then installs a malicious app with the bundle ID com.wails.ddaolimaki-daunito, a generic-looking identifier that helps it blend in with legitimate applications.
Once active, FrigidStealer collects sensitive data, including browser credentials, system files, cryptocurrency wallet information, and even Apple Notes. It then exfiltrates this data to a command-and-control server inside DNS queries, which are routed through macOS's own mDNSResponder resolver so that the traffic looks like ordinary name lookups. After stealing and sending the data, the malware terminates its own process to reduce the chances of detection.
According to Wazuh, the open-source security platform whose researchers analysed FrigidStealer and shared their technical report with Hackread.com, the malware does not rely on traditional exploit kits or vulnerabilities. Instead, it takes advantage of users' trust in system notifications and browser update prompts. That makes it more dangerous rather than less: it demands little technical sophistication from the attacker while remaining highly effective.
What sets FrigidStealer apart is its use of ordinary macOS mechanisms to look like a legitimate application while it runs. It registers itself as a foreground application through launchservicesd, drives other parts of the system through Apple Events it is not authorised to send, and deletes traces of itself after execution. Entries in Apple's unified logging system (ULS) show the malware hiding behind legitimate process names and system services, which is also where a defender has to look for it.
If you’re on macOS, keep in mind that attackers are getting smarter about how they trick people, combining convincing social engineering with knowledge of how the system works to get past standard protections. Even with protections in place, the first step of the attack usually comes down to someone clicking a link or trusting a fake update prompt.
Users are therefore urged not to install software updates from unexpected prompts or third-party sites. Safari itself is only ever updated through macOS Software Update, never via a downloaded DMG, so a "Safari update" offered by a website is a red flag by definition; other updates should come directly from official sources such as the Mac App Store or the system's own Software Update tool.
HackRead