Campbell, California, May 15, 2025. Wazuh, a leader in open source cybersecurity, has released detection capabilities for a recently identified malware strain known as FrigidStealer, a new variant of the macOS "Ferret" malware family. FrigidStealer uses fake browser update prompts to trick macOS users into manually installing a malicious application that bypasses the operating system's built-in protections. This variant, first discovered in February 2025, is designed to harvest sensitive information from users, including browser cookies and credentials, cryptocurrency wallets, Apple Notes, and other personal files.
Once installed, FrigidStealer disguises itself as a foreground application under the bundle ID com.wails.ddaolimaki-daunito to evade Gatekeeper, then begins a data-theft sequence targeting browser credentials and system information. The malware communicates with a remote command-and-control (C2) server through DNS queries masked by Apple's mDNSResponder, then terminates itself to cover its tracks.
FrigidStealer has been linked to a wave of global infections affecting users across North America, Europe, and Asia. Its emergence has disrupted industries such as retail and hospitality, where attackers have exploited public-facing platforms to maximize exposure. Security researchers have also observed multiple threat groups adopting the malware, underscoring its growing popularity in the cybercriminal ecosystem and its potential for widespread impact.
The Wazuh team has now developed a comprehensive configuration strategy that enables users of its open-source platform to detect and track FrigidStealer on macOS endpoints.
Key Points from Wazuh’s Detection Strategy Include:
- Behavioral Detection at the Endpoint: Wazuh now detects key behaviors associated with FrigidStealer, including launchd persistence (launchd is the init and service management daemon in macOS), unauthorized use of Apple Events for inter-process communication, and DNS-based exfiltration patterns.
- Custom Decoders and Rules: Tailored detection rules monitor for specific executable paths, bundle identifiers, and suspicious activity logged by macOS’s Unified Logging System (ULS).
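As an added illustration of the detection logic described above (not Wazuh's own rules or decoders, which are published separately), the following Python script scans macOS Unified Logging lines for the four behaviors the release names: the bundle identifier, launchd persistence via a user-writable LaunchAgents/LaunchDaemons plist, Apple Events usage, and DNS names shaped like exfiltration. The log lines are constructed for this example, the exact wording of the launchd, tccd and mDNSResponder messages is an assumption, and the DNS label-length thresholds are tuning assumptions rather than published indicators. In a Wazuh deployment the same conditions would be expressed as custom rules over the decoded ULS fields; this script only shows what those rules need to match and why the /System exclusion matters.

```python
import re
from collections import Counter

# Bundle identifier reported for FrigidStealer (taken from the release text above).
FRIGIDSTEALER_BUNDLE_ID = "com.wails.ddaolimaki-daunito"

# launchd persistence: a plist under a LaunchAgents/LaunchDaemons directory.
# The negative lookbehind excludes /System/Library, which ships Apple's own
# daemons and would otherwise flood the detection with benign loads.
LAUNCHD_PATH_RE = re.compile(r"(?<!/System)/Library/Launch(?:Agents|Daemons)/[^\s\"']+\.plist")

# mDNSResponder query line; "Query for <name>" is an assumed log wording.
DNS_QUERY_RE = re.compile(r"mDNSResponder.*?Query for ([A-Za-z0-9._-]+)")

# Heuristic thresholds for tunnelling-style DNS names (assumptions, tune per environment).
MAX_LABEL_LEN = 30
MAX_LABELS = 6


def looks_like_dns_exfil(name: str) -> bool:
    """Flag names with an oversized label or too many labels: typical of encoded payloads."""
    labels = name.rstrip(".").split(".")
    return any(len(label) > MAX_LABEL_LEN for label in labels) or len(labels) > MAX_LABELS


def classify_line(line: str) -> list[str]:
    """Return the behavior tags that a single ULS line triggers (empty list if benign)."""
    tags = []
    if FRIGIDSTEALER_BUNDLE_ID in line:
        tags.append("frigidstealer_bundle_id")
    if "launchd" in line and LAUNCHD_PATH_RE.search(line):
        tags.append("launchd_persistence")
    # kTCCServiceAppleEvents is the TCC service name for Apple Events automation.
    if "kTCCServiceAppleEvents" in line or "AppleEvent" in line:
        tags.append("apple_events_ipc")
    match = DNS_QUERY_RE.search(line)
    if match and looks_like_dns_exfil(match.group(1)):
        tags.append("dns_exfil_pattern")
    return tags


def scan(lines):
    """Scan a sequence of log lines; return per-line hits and per-tag counts."""
    hits = []
    counts = Counter()
    for number, line in enumerate(lines, start=1):
        tags = classify_line(line)
        counts.update(tags)
        if tags:
            hits.append((number, tags))
    return {"hits": hits, "counts": counts}


def verdict(counts) -> str:
    """A bundle-ID match is decisive; two or more behavioral tags warrant triage."""
    if counts["frigidstealer_bundle_id"]:
        return "frigidstealer_bundle_id_match"
    if sum(1 for tag in counts if counts[tag]) >= 2:
        return "suspicious_ferret_like_chain"
    return "clean"


# Constructed sample log in `log show` style; not real telemetry.
SAMPLE_LOG = """\
2025-05-15 10:01:02.000000+0000 0x1a2 Default 0x0 55 0 launchd: [com.apple.xpc.launchd:default] Loading service /Users/alice/Library/LaunchAgents/com.wails.ddaolimaki-daunito.plist
2025-05-15 10:01:03.000000+0000 0x1a3 Default 0x0 560 0 tccd: [com.apple.TCC:access] kTCCServiceAppleEvents client=com.wails.ddaolimaki-daunito target=com.apple.Safari
2025-05-15 10:01:04.000000+0000 0x1a4 Default 0x0 120 0 mDNSResponder: [com.apple.mDNSResponder:Default] Query for aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgbGFiZWw.c.example.invalid
2025-05-15 10:01:05.000000+0000 0x1a5 Default 0x0 120 0 mDNSResponder: [com.apple.mDNSResponder:Default] Query for www.apple.com
2025-05-15 10:01:06.000000+0000 0x1a6 Default 0x0 55 0 launchd: [com.apple.xpc.launchd:default] Loading service /System/Library/LaunchDaemons/com.apple.syslogd.plist
"""

if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    for number, tags in result["hits"]:
        print(f"line {number}: {', '.join(tags)}")
    print("verdict:", verdict(result["counts"]))
```

Running the script flags lines 1 to 3 and leaves the legitimate Apple query and the /System daemon load untouched; the final line of the sample is there precisely to show why the persistence rule must scope itself to user-writable launchd directories.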
This update reinforces Wazuh’s commitment to proactive defense and community-driven threat response. Full detection and mitigation steps are available now for security teams protecting macOS environments. More details are available here: https://wazuh.com/blog/detecting-frigidstealer-malware-with-wazuh/