New FrigidStealer infostealer infects Macs via fake browser updates
The FakeUpdate malware campaigns are becoming increasingly muddled, with two additional cybercrime groups, tracked as TA2726 and TA2727, running campaigns that push a new macOS infostealer called FrigidStealer.
The new malware is delivered to Mac users, but the same campaign also uses Windows and Android payloads to cover a broad range of targets.
The new campaign was discovered by researchers at Proofpoint, who note that malicious JavaScript to display fake browser update messages is being adopted by a rising number of threat actors, making tracking and analysis increasingly tricky.
In this campaign, TA2726 and TA2727 work together, with the former acting as the traffic distributor and facilitator and the latter as the malware distributor.
TA2726 has been active since at least September 2022, selling traffic to other cybercriminals. It often leverages Keitaro TDS, a widely abused legitimate traffic distribution service.
TA2727 is a financially motivated threat group first identified in January 2025, deploying Lumma Stealer for Windows, Marcher for Android, and FrigidStealer for macOS.
New Fake Update campaign
FakeUpdate campaigns are ones in which threat actors breach websites and inject malicious JavaScript into the HTML of web pages so that they display fake notifications telling the user to install a browser update.
These web injects profile website visitors through a TDS (Traffic Distribution System) and qualify victims for infection based on their location, device and OS, and browser type.
From the user's perspective, the alert appears to come from Google or Safari, stating that a browser update needs to be installed to view the site. However, clicking the "Update" button causes a malicious executable disguised as an update to be downloaded.

Windows users get an MSI installer that loads Lumma Stealer or DeerStealer, Mac users receive a DMG file that installs the new FrigidStealer malware, and Android users receive an APK file that contains the Marcher banking trojan.
Mac users must manually launch the download by right-clicking on the file and then selecting Open, where they will be asked to enter their password to get past macOS Gatekeeper protections.
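Because the TDS hands each visitor the installer matching their platform (a DMG for macOS, an MSI for Windows, an APK for Android), the delivery stage leaves a recognisable trace in web proxy logs: an installer download served by a host that is not a sanctioned update source, sometimes followed by the client reaching the stealer's infrastructure. The following script is an added example written for this article, not code from Proofpoint or BleepingComputer; it runs a triage over constructed Squid-style proxy log lines. The allowlisted update host is a placeholder to be replaced with the organisation's own, the log format is an assumption, and the only indicator taken from the article is the C2 domain askforupdate[.]org.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not taken from the article). Fields are
# epoch time, client IP, cache/status, bytes, method, URL, quoted user agent.
SAMPLE_PROXY_LOG = """\
1739900001.123 10.0.0.21 TCP_MISS/200 51234 GET https://news.example-blog.test/post/1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Safari/605.1.15"
1739900003.456 10.0.0.21 TCP_MISS/200 8123456 GET https://cdn-updates.example.test/Safari_Update.dmg "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Safari/605.1.15"
1739900010.789 10.0.0.21 TCP_MISS/200 612 POST https://askforupdate.org/upload "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2)"
1739900020.000 10.0.0.33 TCP_MISS/200 9345678 GET https://updates.vendor-allowlisted.test/browser/Safari.dmg "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2)"
1739900030.000 10.0.0.44 TCP_MISS/200 4123456 GET https://downloads.example-ads.test/ChromeUpdate.msi "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
"""

# Hosts from which browser/OS installers are legitimately fetched. Placeholder
# value (assumption): fill this from your patch-management configuration.
ALLOWLISTED_UPDATE_HOSTS = {"updates.vendor-allowlisted.test"}

# C2 domain named in the article (defanged there as askforupdate[.]org).
KNOWN_C2_DOMAINS = {"askforupdate.org"}

# Installer type per platform, as described in the article.
INSTALLER_SUFFIXES = {".dmg": "macOS", ".msi": "Windows", ".apk": "Android"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<status>\S+) (?P<bytes>\d+) '
    r'(?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def installer_platform(url):
    """Platform implied by the download's file extension, or None if not an installer."""
    path = urlparse(url).path.lower()
    for suffix, platform in INSTALLER_SUFFIXES.items():
        if path.endswith(suffix):
            return platform
    return None


def triage(log_text, allowlist=ALLOWLISTED_UPDATE_HOSTS, c2_domains=KNOWN_C2_DOMAINS):
    """Flag installer downloads from non-allowlisted hosts and any contact with known C2."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = (urlparse(rec["url"]).hostname or "").lower()
        if host in c2_domains or any(host.endswith("." + d) for d in c2_domains):
            alerts.append({"client": rec["client"], "ts": float(rec["ts"]),
                           "reason": "c2_contact", "url": rec["url"]})
            continue
        platform = installer_platform(rec["url"])
        if platform and host not in allowlist:
            alerts.append({"client": rec["client"], "ts": float(rec["ts"]),
                           "reason": "installer_download", "platform": platform,
                           "url": rec["url"]})
    return alerts


def clients_with_full_chain(alerts, window_seconds=3600):
    """Clients that downloaded an installer and then reached C2 within the window.

    A download alone is a lead; download followed by C2 contact is a likely infection.
    """
    downloads = {}
    for a in alerts:
        if a["reason"] == "installer_download":
            downloads.setdefault(a["client"], []).append(a["ts"])
    hits = set()
    for a in alerts:
        if a["reason"] != "c2_contact":
            continue
        for t in downloads.get(a["client"], []):
            if 0 <= a["ts"] - t <= window_seconds:
                hits.add(a["client"])
    return hits


if __name__ == "__main__":
    found = triage(SAMPLE_PROXY_LOG)
    for alert in found:
        print(alert)
    print("likely infected clients:", clients_with_full_chain(found))
```

On the sample data the script raises three alerts (two installer downloads from unsanctioned hosts and one C2 contact) and singles out the one client that did both, which is the client to isolate first. The allowlist is the part that needs care: an organisation that lets users fetch browser installers from arbitrary CDNs will see noise here, so the list should mirror wherever its own update tooling actually pulls from.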

FrigidStealer targeting macOS
FrigidStealer is a Go-based malware built with the WailsIO framework to make the installer appear legitimate so no suspicion is raised during infection.
The malware extracts saved cookies, login credentials, and password-related files stored in Safari or Chrome on macOS.
Moreover, it scans for crypto wallet credentials stored in the macOS Desktop and Documents folders, reads and extracts Apple Notes containing passwords, financial information, or other sensitive details, and collects documents, spreadsheets, and text files from the user's home directory.

The stolen data is bundled into a hidden folder in the user's home directory, compressed, and eventually exfiltrated to the malware's command and control (C2) address at 'askforupdate[.]org.'
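The staging behaviour described here (loot copied into a hidden folder in the home directory, then compressed before exfiltration) is something an endpoint hunt can look for without any malware-specific signature. The script below is an added example written for this article, not code from the researchers or from the malware; it builds a throwaway home directory with constructed contents and reports hidden top-level folders that hold a freshly modified archive alongside loose document files. The archive and document extensions, the list of benign hidden folders to skip, and the staging folder name `.x9f2` are all assumptions, since the article does not name the compression format or the folder.

```python
import os
import time
import tempfile
from pathlib import Path

# Compressed formats to look for. The article says the loot is "compressed" but
# not in which format, so this list is an assumption to tune.
ARCHIVE_SUFFIXES = {".zip", ".gz", ".tgz", ".tar", ".7z"}
# Document types the article says the stealer collects from the home directory.
DOCUMENT_SUFFIXES = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".csv"}
# Hidden directories that routinely hold archives on a developer Mac; skipped to
# cut noise (assumption; extend for your own fleet).
BENIGN_HIDDEN_DIRS = {".Trash", ".cache", ".npm", ".cargo", ".gradle", ".m2"}


def hunt_hidden_staging(home, max_age_seconds=24 * 3600, now=None):
    """Return hidden dirs directly under `home` holding a recently modified archive.

    Each finding records the archive paths and how many loose document files sit
    beside them, the pattern of loot bundled up for exfiltration.
    """
    now = time.time() if now is None else now
    findings = []
    for entry in sorted(Path(home).iterdir()):
        if (not entry.is_dir() or not entry.name.startswith(".")
                or entry.name in BENIGN_HIDDEN_DIRS):
            continue
        archives, docs = [], 0
        for root, _dirs, files in os.walk(entry):
            for name in files:
                p = Path(root) / name
                suffix = p.suffix.lower()
                if suffix in ARCHIVE_SUFFIXES and now - p.stat().st_mtime <= max_age_seconds:
                    archives.append(str(p))
                elif suffix in DOCUMENT_SUFFIXES:
                    docs += 1
        if archives:
            findings.append({"dir": str(entry), "archives": sorted(archives),
                             "staged_documents": docs})
    return findings


def build_sample_home():
    """Construct a throwaway home directory (constructed data, not a real infection)."""
    home = Path(tempfile.mkdtemp(prefix="frigid-hunt-"))
    (home / "Documents").mkdir()
    (home / "Documents" / "budget.xlsx").write_bytes(b"xlsx")   # normal user file
    (home / ".ssh").mkdir()
    (home / ".ssh" / "config").write_text("Host example\n")      # hidden, no archive
    (home / ".cache").mkdir()
    (home / ".cache" / "old.zip").write_bytes(b"PK")             # benign dir, skipped
    stage = home / ".x9f2"                                        # constructed staging dir
    stage.mkdir()
    (stage / "notes.txt").write_text("constructed")
    (stage / "budget.xlsx").write_bytes(b"xlsx")
    (stage / "bundle.zip").write_bytes(b"PK\x03\x04")
    return home


if __name__ == "__main__":
    for finding in hunt_hidden_staging(build_sample_home()):
        print(finding)
```

Run against a real account, the check is `hunt_hidden_staging(Path.home())`, ideally from an EDR script rather than by hand on a suspect machine. A single hit is a lead, not a verdict: the age window and the benign-folder list decide the false-positive rate, and a hit is worth correlating with proxy evidence of the fake-update download before declaring the host compromised.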
Infostealer campaigns have become a massive global operation over the past few years, leading to devastating attacks on both home users and organizations.
These attacks commonly lead to financial fraud, privacy risks, data breaches, extortion demands, and full-blown ransomware attacks.
To stay clear of infostealer infections, never execute commands or downloads prompted by websites, especially those pretending to be fixes, updates, or captchas.
If you do become infected with an infostealer, you must change the password at every site where you have an account, especially if you use the same password at multiple sites.
source: BleepingComputer