FrigidStealer
FrigidStealer is a macOS information-stealing malware strain, described in source reporting as part of the Ferret malware family and first reported in February 2025. It is distributed through fake browser or software update prompts embedded in legitimate or compromised websites, including DMG files disguised as Safari updates, and relies on social engineering rather than exploits or exploit kits. The lures can be tailored to the victim’s browser, and the installation flow includes instructions that walk the user past macOS Gatekeeper protections, including password prompts and AppleScript-assisted execution. After execution, a Mach-O payload installs the malware; one reported malicious app used the bundle ID com.wails.ddaolimaki-daunito.
Its primary capabilities are credential and data theft from macOS systems. Reported targets include browser cookies, session cookies, stored passwords/browser credentials, cryptocurrency-related files and wallet data, system files, and Apple Notes. The malware has also been described as focusing on browser credentials and session cookies specifically. Exfiltration has been reported via DNS queries routed through macOS mDNSResponder. Additional reported behaviors include registering as a foreground application via launchservicesd, interacting through unauthorized Apple Events, deleting traces of itself after execution, and terminating its own process after exfiltration to reduce detection. Logs from Apple’s Unified Logging System reportedly show use of legitimate process names and services to blend in.
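The DNS-based exfiltration described above is one of the few behaviours here that a defender can hunt for with generic telemetry: data pushed out through DNS shows up as a burst of unique, long, high-entropy subdomain labels under one registered domain. The following is an added example, not code from the page or from any vendor, that scores per-domain DNS query records with that heuristic. The log line format, the sample lines and the domain names are all constructed for illustration; a real deployment would feed it queries from the resolver or DNS logging in use and would use a public suffix list instead of the two-label shortcut used here.

```python
"""Heuristic detection of DNS-tunnelled exfiltration in DNS query logs.

Added example (not from the original page). Assumes a per-query log in the
constructed form "<timestamp> <process> query <fqdn>".
"""
import math
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+query\s+(?P<name>\S+)$")

# Constructed sample telemetry: a handful of ordinary queries plus six queries
# to a fictitious domain whose labels look like base32-encoded payload chunks.
SAMPLE_LOG = """\
2025-02-18T10:00:01Z mDNSResponder query www.apple.com
2025-02-18T10:00:02Z mDNSResponder query ocsp.apple.com
2025-02-18T10:00:03Z mDNSResponder query swscan.apple.com
2025-02-18T10:00:04Z mDNSResponder query configuration.apple.com
2025-02-18T10:00:05Z mDNSResponder query gateway.icloud.com
2025-02-18T10:00:06Z mDNSResponder query time.apple.com
2025-02-18T10:00:07Z mDNSResponder query nbswy3dpfqqho33snrsc4bvsnqi3fpz2.c2-example.test
2025-02-18T10:00:07Z mDNSResponder query mfrggzdfmztwq2lknnwg23tpobyxe43u.c2-example.test
2025-02-18T10:00:07Z mDNSResponder query krugkidrovuwg2zamjzg653oebtg66ba.c2-example.test
2025-02-18T10:00:08Z mDNSResponder query ge4tqojygmytsmrvgq2tcnjwgu4tqnbq.c2-example.test
2025-02-18T10:00:08Z mDNSResponder query onswg4tforsxe5dfmfxgk3dfmvzgc3ti.c2-example.test
2025-02-18T10:00:08Z mDNSResponder query pfxxk43fojzxizltn5zs4mrqgi3dcmi7.c2-example.test
"""


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (timestamp, process, fqdn) tuples for every well-formed line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group("ts"), m.group("proc"),
                            m.group("name").rstrip(".").lower()))
    return records


def registered_domain(name):
    """Simplified registered domain: the last two labels (no public suffix list)."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def score_domains(records, min_queries=5, min_label_len=20, min_entropy=3.0):
    """Group queries by registered domain and flag tunnelling-like patterns.

    A domain is marked suspicious when it receives at least min_queries
    distinct subdomains whose longest label averages min_label_len characters
    and whose concatenated labels have entropy of at least min_entropy bits.
    """
    per_domain = defaultdict(list)
    for _, _, name in records:
        dom = registered_domain(name)
        prefix = name[: -len(dom)].rstrip(".") if name != dom else ""
        per_domain[dom].append(prefix)

    findings = {}
    for dom, prefixes in per_domain.items():
        uniq = {p for p in prefixes if p}
        if not uniq:
            continue
        longest = [max(p.split("."), key=len) for p in uniq]
        mean_len = sum(len(label) for label in longest) / len(longest)
        ent = shannon_entropy("".join(longest))
        findings[dom] = {
            "queries": len(prefixes),
            "unique_subdomains": len(uniq),
            "mean_label_len": round(mean_len, 2),
            "entropy": round(ent, 2),
            "suspicious": (len(uniq) >= min_queries
                           and mean_len >= min_label_len
                           and ent >= min_entropy),
        }
    return findings


def suspicious_domains(text, **thresholds):
    """Sorted list of registered domains flagged in the given log text."""
    scored = score_domains(parse_log(text), **thresholds)
    return sorted(d for d, f in scored.items() if f["suspicious"])


if __name__ == "__main__":
    for dom, f in score_domains(parse_log(SAMPLE_LOG)).items():
        print(dom, f)
    print("flagged:", suspicious_domains(SAMPLE_LOG))
```

The thresholds are deliberately conservative defaults; CDN and telemetry domains also generate many unique subdomains, so in practice the label-length and entropy conditions do most of the work, and an allow-list of known high-cardinality domains should be applied before alerting.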
The activity has been linked to threat actors TA2726 and TA2727. Proofpoint assessed TA2726 as likely acting as a traffic distribution service, while TA2727 was observed distributing FrigidStealer and using legitimate websites to deliver scam update alerts; TA2727 was also reported to distribute Windows and Android malware. Observed targeting included macOS devices outside the United States, and separate reporting stated impacts across North America, Europe, and Asia, with infections noted in public-facing industries, particularly retail and hospitality. The campaign creates risk to both personal and enterprise data exposure.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
“FrigidStealer malware targets macOS users via fake browser updates, stealing passwords, crypto wallets, and notes using DNS-based data theft methods.”
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique: “If a user clicks the infected update alert, a DMG file automatically downloads… The instructions guide the user through a process that bypasses macOS Gatekeeper… Once executed, a Mach-O executable installs FrigidStealer.”
Credential Access
1 technique: “Once installed, the malware extracts browser cookies, stored passwords…”
Collection
1 technique: “the attacker gains access to… files with extensions relevant to password material or cryptocurrency from the victim’s Desktop and Documents folders, and any Apple Notes the user has created”
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
macOS information stealer delivered via fake browser update lures; attributed to TA2727.
macOS infostealer focused on browser credentials and session cookie theft, commonly distributed via fake software downloads.
macOS information stealer referenced as a TA2727 payload delivered via Keitaro TDS traffic flows discussed alongside SocGholish delivery chains.
macOS malware delivered via fake Safari/browser update prompts (DMG). It uses social engineering to bypass Gatekeeper by prompting for the user password, installs a malicious app, collects browser credentials, system files, cryptocurrency wallet data, and Apple Notes, and exfiltrates data via DNS queries (through macOS mDNSResponder). It then terminates and removes traces to reduce detection, and uses macOS-specific behaviors (e.g., launchservicesd registration, Apple Events) to blend in and persist.