Cybersecurity researchers are alerting to a new campaign that leverages web injects to deliver a new Apple macOS malware known as FrigidStealer.
The activity has been attributed to a previously undocumented threat actor known as TA2727, with the information stealers for other platforms such as Windows (Lumma Stealer or DeerStealer) and Android (Marcher).
TA2727 is a “threat actor that uses fake update themed lures to distribute a variety of malware payloads,” the Proofpoint Threat Research Team said in a report shared with The Hacker News.
It’s one of the newly identified threat activity clusters alongside TA2726, which is assessed to be a malicious traffic distribution system (TDS) operator that facilitates traffic distribution for other threat actors to deliver malware. The financially motivated threat actor is believed to be active since at least September 2022.
TA2726, per the enterprise security firm, acts as a TDS for TA2727 and another threat actor called TA569, which is responsible for the distribution of a JavaScript-based loader malware referred to as SocGholish (aka FakeUpdates) that often masquerades as a browser update on legitimate-but-compromised sites.
“TA2726 is financially motivated and works with other financially motivated actors such as TA569 and TA2727,” the company noted. “That is, this actor is most likely responsible for the web server or website compromises that lead to injects operated by other threat actors.”
Both TA569 and TA2727 share some similarities in that they are distributed via websites compromised with malicious JavaScript website injects that mimic browser updates for web browsers like Google Chrome or Microsoft Edge. Where TA2727 differs is the use of attack chains that serve different payloads based on recipients’ geography or device.
Should a user visit an infected website in France or the U.K. on a Windows computer, they are prompted to download an MSI installer file that launches Hijack Loader (aka DOILoader), which, in turn, loads Lumma Stealer.
On the other hand, the same fake update redirect when visited from an Android device leads to the deployment of a banking trojan dubbed Marcher that has been detected in the wild for over a decade.
That’s not all. As of January 2025, the campaign has been updated to target macOS users residing outside of North America to a fake update page that downloaded a new information stealer codenamed FrigidStealer.
The FrigidStealer installer, like other macOS malware, requires users to explicitly launch the unsigned app to bypass Gatekeeper protections, following which an embedded Mach-O executable is run to install the malware.
“The executable was written in Go, and was ad-hoc signed,” Proofpoint said. “The executable was built with the WailsIO project, which renders content in the user’s browser. This adds to the social engineering of the victim, implying that the Chrome or Safari installer was legitimate.”
FrigidStealer is no different from various stealer families aimed at macOS systems. It leverages AppleScript to prompt the user to enter their system password, thereby giving it elevated privileges to harvest files and all kinds of sensitive information from web browsers, Apple Notes, and cryptocurrency related apps.
“Actors are using web compromises to deliver malware targeting both enterprise and consumer users,” the company said. “It is reasonable that such web injects will deliver malware customized to the recipient, including Mac users, which are still less common in enterprise environments than Windows.”
The development comes as Denwp Research’s Tonmoy Jitu disclosed details of another fully undetectable macOS backdoor named Tiny FUD that leverages name manipulation, dynamic link daemon (DYLD) injection, and command-and-control (C2) based command execution.
It also follows the emergence of new information stealer malware like Astral Stealer and Flesh Stealer, both of which are designed to collect sensitive information, evade detection, and maintain persistence on compromised systems.
“Flesh Stealer is particularly effective in detecting virtual machine (VM) environments,” Flashpoint said in a recent report. “It will avoid executing on VMs to prevent any potential forensics analysis, showcasing an understanding of security research practices.”
