Cybersecurity researchers have uncovered a new malware campaign deploying web injects to distribute a newly identified macOS information stealer named FrigidStealer. The threat actor behind this campaign, known as TA2727, has also been linked to other information stealers targeting Windows (Lumma Stealer, DeerStealer) and Android (Marcher) devices.
According to the Proofpoint Threat Research Team, TA2727 is known for utilizing fake update-themed lures to distribute various malware payloads. Their recent findings indicate that this group has been operational since at least September 2022, leveraging malicious JavaScript injects on compromised websites to target users across different platforms.
TA2727 and the Role of TA2726 in Malware Distribution
TA2727 is part of a larger ecosystem of financially motivated cybercriminals. It operates alongside TA2726, a traffic distribution system (TDS) operator that facilitates malware delivery for various threat actors. One of these actors, TA569, is responsible for propagating the SocGholish (FakeUpdates) JavaScript-based loader malware, which is often disguised as legitimate browser updates.
"TA2726 is financially driven and collaborates with other financially motivated actors, such as TA569 and TA2727," the report states. "It is likely responsible for website compromises leading to malware-laced web injects operated by other threat actors."
Fake Browser Updates: A Multi-Platform Attack Strategy
TA2727's malware distribution strategy is tailored to the victim's geography and device type:
Windows Users (France & UK): Fake update prompts lead to the download of an MSI installer, which executes Hijack Loader (DOILoader) to deploy Lumma Stealer.
Android Users: The same fake update redirects Android users to install the Marcher banking trojan, an Android malware active for over a decade.
macOS Users (Outside North America): Since January 2025, the campaign has evolved to target macOS users by redirecting them to a fake update page that downloads FrigidStealer.
How FrigidStealer Infects macOS Devices
Unlike traditional macOS malware, FrigidStealer requires users to manually launch the unsigned installer to bypass Apple’s Gatekeeper protections. Once executed, an embedded Mach-O binary is triggered to complete the malware installation.
Key Characteristics of FrigidStealer:
Written in Go and ad-hoc signed to evade security checks.
Utilizes the WailsIO framework, which renders content in the user’s browser to enhance the social engineering aspect.
Employs AppleScript to trick users into entering their system password, granting it elevated privileges.
Steals sensitive data from browsers, Apple Notes, and cryptocurrency applications.
Growing Threats to macOS Security
The rise of macOS-targeted malware highlights the evolving tactics of cybercriminals. Proofpoint warns that cyber actors are increasingly using web compromises to distribute malware to both enterprise and individual users.
"Given the growing adoption of macOS devices, it's reasonable to expect more tailored malware campaigns aimed at Mac users," the report states. "These web injects will continue evolving, delivering customized payloads based on the victim’s device and location."
Emerging macOS Malware Variants
The discovery of FrigidStealer comes amid reports of new macOS backdoors and information stealers, including:
Tiny FUD: A stealthy macOS backdoor leveraging DYLD injection and C2-based command execution.
Astral Stealer & Flesh Stealer: Advanced information stealers designed for data theft, persistence, and security evasion.
Flesh Stealer is particularly notable for detecting virtual machine (VM) environments and refusing to execute inside them, which hinders sandbox and forensic analysis.
How to Stay Protected from Fake Update Malware
Never install browser updates from pop-up alerts on websites—always update through the browser's own update mechanism (Google Chrome, Safari, or Microsoft Edge) or the vendor's official site.
Enable Gatekeeper and Notarization protections on macOS to prevent execution of unsigned applications.
Monitor system activity for suspicious processes, such as unexpected requests for system credentials.
Use endpoint security solutions that can detect and block malware in real time.
Stay informed about emerging threats by following trusted cybersecurity sources.
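As an added illustration of the monitoring advice above (this is example code written for this page, not code from the Proofpoint report), the Python below runs two detection checks over constructed macOS process-execution events: an osascript call that displays a dialog with masked input (the usual form of an AppleScript password lure), and an ad-hoc signed binary launched from a mounted disk image or the Downloads folder. The event schema and field names are assumptions modelled loosely on EDR telemetry, and the `with hidden answer` pattern is assumed as the indicator for the password prompt described above.

```python
"""Detection example (added here, not the article's or Proofpoint's code).

Event schema is a constructed assumption resembling EDR process telemetry.
The 'display dialog ... with hidden answer' osascript pattern is assumed as
the indicator for an AppleScript credential prompt."""
import json
import re

# Constructed sample telemetry: a benign osascript notification, a masked
# password dialog spawned by a fake updater, and an ad-hoc signed binary
# executed straight from a mounted disk image.
SAMPLE_EVENTS = """
{"ts":"2025-02-18T10:01:02Z","proc":"osascript","cmdline":"osascript -e 'display notification \\"Build done\\"'","path":"/usr/bin/osascript","signing":"platform","parent":"Terminal"}
{"ts":"2025-02-18T10:02:15Z","proc":"osascript","cmdline":"osascript -e 'display dialog \\"macOS needs your password\\" default answer \\"\\" with hidden answer'","path":"/usr/bin/osascript","signing":"platform","parent":"Updater"}
{"ts":"2025-02-18T10:02:00Z","proc":"Updater","cmdline":"/Volumes/Update/Updater.app/Contents/MacOS/Updater","path":"/Volumes/Update/Updater.app/Contents/MacOS/Updater","signing":"adhoc","parent":"launchd"}
"""

HIDDEN_ANSWER = re.compile(r"display\s+dialog.*with\s+hidden\s+answer", re.I | re.S)
UNTRUSTED_PATH = re.compile(r"^(/Volumes/|/Users/[^/]+/Downloads/|/private/tmp/|/tmp/)")


def credential_prompt(ev: dict) -> bool:
    """osascript showing a dialog that masks typed input: a password lure, not a notification."""
    return ev["proc"] == "osascript" and bool(HIDDEN_ANSWER.search(ev["cmdline"]))


def adhoc_from_untrusted_path(ev: dict) -> bool:
    """Ad-hoc signed code carries no Developer ID chain; running it from a DMG or
    Downloads is how a manually opened fake updater shows up in telemetry."""
    return ev["signing"] == "adhoc" and bool(UNTRUSTED_PATH.match(ev["path"]))


def detect(raw: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, rule name, responsible process) for every event that trips a rule."""
    hits = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        if credential_prompt(ev):
            hits.append((ev["ts"], "applescript_password_prompt", ev["parent"]))
        if adhoc_from_untrusted_path(ev):
            hits.append((ev["ts"], "adhoc_binary_untrusted_path", ev["proc"]))
    return hits


if __name__ == "__main__":
    for ts, rule, who in detect(SAMPLE_EVENTS):
        print(f"{ts} {rule:<30} {who}")
```

Both rules key on the parent or executing process so an analyst can pivot from the alert to the installer the user launched; tune the path list to your own environment's software-distribution locations.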
Final Thoughts
The emergence of FrigidStealer and similar threats targeting macOS users underscores the need for heightened vigilance. As cybercriminals continue to adapt their tactics, users and enterprises must prioritize security best practices to mitigate the risk of falling victim to fake browser updates and other malware campaigns.