Hackers Inject FrigidStealer Malware on Your macOS Via Fake Browser Updates

A surge in malicious web inject campaigns has introduced FrigidStealer, a new macOS-specific information stealer, deployed via fake browser update prompts.

Cybersecurity firm Proofpoint identified two previously unknown threat actors, TA2726 and TA2727, collaborating to distribute this malware globally, marking a significant escalation in cross-platform cybercrime operations.

The campaign leverages compromised legitimate websites to redirect users based on geographic location and device type.

TA2726, operating as a traffic distribution service (TDS), directs victims to payloads managed by TA2727, which specializes in malware delivery.

This division of labor allows TA2726 to handle website compromises and traffic filtering, while TA2727 deploys tailored payloads, including FrigidStealer for macOS, Lumma Stealer for Windows, and Marcher banking trojan for Android.

Proofpoint’s analysis reveals TA2726 has been active since at least September 2022, using infrastructure like the Keitaro TDS to redirect users.

Meanwhile, TA2727 emerged in early 2025, exploiting fake update lures to bypass security protocols across operating systems.

macOS Attack Chain

macOS users outside North America are the primary targets. When victims visit compromised websites, TA2726’s TDS serves a fraudulent browser update prompt (e.g., “Update Chrome” or “Update Safari”). Clicking the “Update” button downloads a DMG file disguised as a legitimate installer.

Bypassing Gatekeeper Protections

The malware employs social engineering to circumvent macOS security. Users are instructed to right-click the downloaded DMG and select “Open,” sidestepping Gatekeeper warnings about untrusted applications. This technique exploits user trust in familiar workflows.

Once executed, the Mach-O binary, which is written in Go and ad-hoc signed, uses AppleScript to prompt for administrative credentials. With elevated access, FrigidStealer harvests:

  • Browser cookies and stored passwords
  • Cryptocurrency wallet files from Desktop/Documents folders
  • Apple Notes content
  • System metadata (e.g., installed applications)

Stolen data is exfiltrated to the command-and-control server askforupdate[.]org.

TA2727’s campaigns demonstrate surgical precision:

  • Windows: Users in France and the UK receive fake Edge/Chrome updates delivering Lumma Stealer via trojanized DLLs.
  • Android: The decades-old Marcher banking trojan resurfaces, targeting financial credentials.
  • macOS: FrigidStealer’s WailsIO framework mimics authentic browser installers, enhancing credibility.

Proofpoint notes TA2726 routes North American traffic to TA569’s SocGholish campaigns, historically linked to ransomware precursors like Cobalt Strike. This suggests collaboration between established and emerging threat actors.

Web Inject Attribution

The proliferation of fake update campaigns has complicated threat tracking. Multiple actors often compromise the same website, deploying overlapping injects. TA569’s legacy SocGholish campaigns, for instance, now share infrastructure with TA2726 and TA2727, blurring historical attribution boundaries.

“The web inject landscape is becoming a crowded space,” explains Proofpoint’s report. “Copycat actors adopting similar TTPs [tactics, techniques, procedures] force defenders to prioritize behavioral analytics over traditional IOC [indicator of compromise] tracking.”

Mitigation Strategies for Enterprises and Users

Proofpoint recommends a layered defense approach:

  1. Network Monitoring: Deploy signatures for emerging threats (e.g., askforupdate[.]org domain blocks).
  2. Endpoint Protection: Use tools capable of detecting unsigned macOS executables and anomalous AppleScript activity.
  3. User Training: Educate teams on recognizing fake update lures, emphasizing macOS-specific social engineering.
  4. Browser Isolation: Solutions like Proofpoint’s proprietary tool prevent drive-by downloads from compromised sites.
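Points 1 and 2 above translate into two concrete detections: a DNS or proxy hit on the C2 domain the report names, and `osascript` launching a credential prompt from a parent that is ad-hoc signed or still running off a mounted DMG. The script below is an added example, not Proofpoint's detection content; the DNS lines and the JSON process events are constructed, the EDR field names (`image`, `parent`, `parent_signer`) are assumptions, and treating the AppleScript phrases `with hidden answer` and `with administrator privileges` as credential-prompt markers is a heuristic of this example rather than a rule from the report.

```python
import json
from typing import Dict, List

# C2 domain named in the Proofpoint report (written defanged above as askforupdate[.]org).
C2_DOMAINS = {"askforupdate.org"}

# AppleScript fragments that ask the user for a secret or for elevation. Heuristic of this
# example: suspicious when the prompting parent is not Apple- or Developer ID-signed.
CREDENTIAL_PROMPT_MARKERS = ("with hidden answer", "with administrator privileges")

# Constructed resolver-style DNS query log lines, not real telemetry.
DNS_LOG = """\
2025-02-10T09:12:01Z client 10.1.4.22 query: www.example.com IN A
2025-02-10T09:12:07Z client 10.1.4.22 query: askforupdate.org IN A
2025-02-10T09:15:00Z client 10.1.4.23 query: updates.vendor.example IN A
"""

# Constructed process-execution events, one JSON object per line, as an EDR might export them.
# Field names are assumed for the example.
PROC_LOG = """\
{"ts": "2025-02-10T09:11:58Z", "host": "mac-22", "image": "/usr/bin/osascript", "cmdline": "osascript -e 'display dialog \\"Chrome needs your password to finish updating\\" default answer \\"\\" with hidden answer'", "parent": "/Volumes/Update/Update.app/Contents/MacOS/Update", "parent_signer": "adhoc"}
{"ts": "2025-02-10T09:30:12Z", "host": "mac-23", "image": "/usr/bin/osascript", "cmdline": "osascript /Users/jdoe/bin/rename-files.scpt", "parent": "/bin/zsh", "parent_signer": "apple"}
{"ts": "2025-02-10T09:31:40Z", "host": "mac-23", "image": "/usr/bin/osascript", "cmdline": "osascript -e 'do shell script \\"installer -pkg /tmp/x.pkg -target /\\" with administrator privileges'", "parent": "/Applications/Vendor.app/Contents/MacOS/Vendor", "parent_signer": "developer-id"}
"""


def dns_hits(log: str) -> List[Dict[str, str]]:
    """Flag any query for a known C2 domain; the client IP becomes the host to triage."""
    alerts = []
    for line in log.splitlines():
        parts = line.split()
        if "query:" not in parts or "client" not in parts:
            continue
        client = parts[parts.index("client") + 1]
        qname = parts[parts.index("query:") + 1].rstrip(".").lower()
        if qname in C2_DOMAINS:
            alerts.append({"rule": "c2-dns", "severity": "high", "host": client, "detail": qname})
    return alerts


def osascript_hits(log: str) -> List[Dict[str, str]]:
    """Flag osascript credential/elevation prompts, weighted by who launched them."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if not ev.get("image", "").endswith("/osascript"):
            continue
        cmd = ev.get("cmdline", "")
        if not any(marker in cmd for marker in CREDENTIAL_PROMPT_MARKERS):
            continue
        parent = ev.get("parent", "")
        signer = ev.get("parent_signer", "unknown")
        if signer == "apple":
            continue  # shells and Apple tools prompting for admin rights is routine admin work
        # An ad-hoc or unsigned parent, or one executing from a mounted DMG under /Volumes,
        # is the shape of the fake-update chain described in the article.
        if signer in ("adhoc", "unsigned", "unknown") or parent.startswith("/Volumes/"):
            severity = "high"
        else:
            severity = "low"  # Developer ID-signed installer asking for elevation: review, don't page
        alerts.append({"rule": "osascript-credential-prompt", "severity": severity,
                       "host": ev.get("host", "?"), "detail": parent})
    return alerts


def run_detections(dns_log: str = DNS_LOG, proc_log: str = PROC_LOG) -> List[Dict[str, str]]:
    return dns_hits(dns_log) + osascript_hits(proc_log)


if __name__ == "__main__":
    for alert in run_detections():
        print(f"[{alert['severity']}] {alert['rule']} on {alert['host']}: {alert['detail']}")
```

The report's own point about copycat actors is why the second rule keys on behaviour (an unsigned parent on a DMG driving a password prompt) rather than only on the domain: the domain block stops this campaign, the behavioural rule also catches the next fake-update stealer that swaps infrastructure.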

For macOS users, experts advise:

  • Avoiding “right-click Open” workarounds for untrusted apps.
  • Regularly auditing installed applications and browser extensions.
  • Enabling full disk encryption to mitigate data exfiltration risks.

The FrigidStealer campaign underscores cybercriminals’ increasing sophistication in exploiting multi-OS environments.

As enterprises bolster Windows defenses, attackers pivot to less-monitored platforms like macOS, leveraging trusted brands and workflows to evade detection.

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
