📍 San Francisco, CA – February 21, 2025 (NS News) – A new malware campaign known as FrigidStealer is actively targeting macOS users, tricking them into installing fake browser updates served from compromised websites. Security researchers have attributed the stealer to the cybercriminal group TA2727, which has previously used the same fake-update lure to deliver Windows and Android malware.
Unlike email phishing, the lure is not sent to the victim at all: legitimate websites are compromised and injected with malicious JavaScript, so the fake update prompt appears on a site the victim already trusts and looks far more convincing than an unsolicited message.
How FrigidStealer Infects macOS Devices
FrigidStealer is delivered through web injects, a technique in which attackers insert their own code into a legitimate, compromised website. The chain relies on the victim at every stage; there is no exploit involved:
1️⃣ Fake Browser Update Prompt – Users visiting an infected site see an overlay or pop-up urging them to update Safari or Chrome.
2️⃣ Malicious DMG Download – Instead of a real update, the download is a disk image (DMG) carrying the FrigidStealer app.
3️⃣ User Execution Required – The victim opens the image and launches the fake updater by hand; nothing runs until they do.
4️⃣ Bypassing Gatekeeper – The app is not notarized, so Gatekeeper refuses a normal double-click launch. The installer instructs the victim to override the warning manually (for example by right-clicking the app and choosing Open), which is social engineering rather than a security bypass.
5️⃣ Password Prompt – The malware displays its own dialog asking for the user's password under the pretext of completing the update. Because the dialog is drawn by the malware, not by macOS, the credential is handed directly to the attacker.
6️⃣ Data Exfiltration – Once running, FrigidStealer harvests sensitive information and transmits it to the attacker's command-and-control (C2) server.
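Because the chain above is social engineering end to end, each stage leaves a host artifact that has no business appearing during a genuine browser update: a browser-named .dmg fetched from a host the vendor does not control, an "update" app executed straight from a mounted disk image, and an AppleScript dialog with a hidden (password-style) answer field. The Python below is an added example, not Proofpoint's code or anything taken from the FrigidStealer sample; it runs those three heuristics over constructed, simplified EDR-style events. The event schema, rule names, vendor allowlist and sample URLs are this example's own assumptions.

```python
"""Detection heuristics for a fake-browser-update infection chain on macOS.

Added example. The telemetry below is constructed and simplified; real
sensors (unified log, EDR) use their own field names.
"""
import re
from urllib.parse import urlparse

# Browser names as they appear in fake-update filenames, mapped to domains that
# legitimately distribute that browser. Assumption: deliberately short allowlist.
VENDOR_DOMAINS = {
    "safari": ("apple.com",),
    "chrome": ("google.com",),
    "firefox": ("mozilla.org",),
}

# A .dmg whose name contains a browser name.
UPDATE_DMG_RE = re.compile(r"(safari|chrome|firefox).*\.dmg$", re.I)
# An app path containing "<browser> ... update" (legit installers are never named like this).
BROWSER_UPDATE_APP_RE = re.compile(r"(safari|chrome|firefox)[\w -]*update", re.I)
# osascript drawing a dialog whose answer field is masked, i.e. a password prompt.
HIDDEN_ANSWER_RE = re.compile(r"display dialog.*hidden answer", re.I | re.S)

# Constructed sample events: 1, 5 and 6 are benign, 2, 3 and 4 model the chain.
SAMPLE_EVENTS = [
    {"id": 1, "type": "download", "file": "googlechrome.dmg",
     "url": "https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg"},
    {"id": 2, "type": "download", "file": "Safari_Update.dmg",
     "url": "https://cdn.compromised-news.test/assets/Safari_Update.dmg"},
    {"id": 3, "type": "process", "cmdline": "Safari Update",
     "image": "/Volumes/Safari Update/Safari Update.app/Contents/MacOS/Safari Update"},
    {"id": 4, "type": "process", "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display dialog \"Safari needs your password to finish updating.\" "
                "default answer \"\" with hidden answer'"},
    {"id": 5, "type": "process", "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display notification \"Backup complete\"'"},
    {"id": 6, "type": "process", "cmdline": "Google Chrome",
     "image": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"},
]


def host_of(url):
    """Lower-cased hostname of a URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def host_allowed(host, browser):
    """True if host is the vendor domain for this browser or a subdomain of it."""
    for domain in VENDOR_DOMAINS.get(browser, ()):
        if host == domain or host.endswith("." + domain):
            return True
    return False


def rule_fake_update_download(ev):
    """Browser-named .dmg fetched from a host the browser vendor does not control."""
    if ev["type"] != "download":
        return None
    match = UPDATE_DMG_RE.search(ev["file"])
    if not match or host_allowed(host_of(ev["url"]), match.group(1).lower()):
        return None
    return "fake_browser_update_download"


def rule_launch_from_dmg(ev):
    """'<Browser> Update' app executed directly from a mounted disk image."""
    if ev["type"] != "process" or not ev["image"].startswith("/Volumes/"):
        return None
    return "browser_update_launched_from_dmg" if BROWSER_UPDATE_APP_RE.search(ev["image"]) else None


def rule_osascript_password_prompt(ev):
    """osascript showing a dialog with a hidden answer field, i.e. a home-made password prompt."""
    if ev["type"] != "process" or not ev["image"].endswith("/osascript"):
        return None
    return "osascript_password_prompt" if HIDDEN_ANSWER_RE.search(ev["cmdline"]) else None


RULES = (rule_fake_update_download, rule_launch_from_dmg, rule_osascript_password_prompt)


def detect(events):
    """Run every rule over every event; return (event id, rule name) pairs in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((ev["id"], name))
    return hits


if __name__ == "__main__":
    for event_id, rule_name in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}")
```

Each rule on its own is only moderate-confidence (users do legitimately run apps from mounted images, and some admin tooling uses osascript dialogs), which is why the launch rule insists on "update" in the path and why hits should be correlated in time on one host rather than alerted individually.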
What FrigidStealer Steals
Once inside the system, FrigidStealer scans for personal data, including:
🔹 Saved Browser Credentials – Extracts stored passwords from Safari, Chrome, and Firefox.
🔹 Session Cookies – Lets the attacker replay logged-in sessions, taking over accounts without needing the password or a second factor until those sessions are revoked.
🔹 Cryptocurrency Wallets – Targets stored crypto keys and wallets.
🔹 Apple Notes – Reads stored notes, which may contain sensitive text or passwords.
Security firm Proofpoint analyzed the malware and found that it is written in Go and built with the WailsIO framework, which lets a Go application render its user interface with web technologies; that is what makes the malware's own update and password dialogs look like polished, native prompts.
Who is Behind FrigidStealer?
Cybercriminal group TA2727, linked to several malware distribution campaigns, is believed to be responsible for FrigidStealer. It works alongside TA2726, which operates a traffic distribution service (TDS): the injected script on the compromised site hands the visitor to the TDS, which profiles the browser and operating system and redirects the user to whichever payload fits.
In previous attacks, TA2727 has deployed:
✔ Lumma Stealer – A Windows-based credential stealer.
✔ Marcher – An Android banking trojan.
✔ Hijack Loader – A Windows malware loader for delivering additional payloads.
Now, FrigidStealer expands their attack operations to macOS, signaling a growing interest in Apple’s ecosystem.
Why macOS is Becoming a Target
macOS long saw far less commodity malware than Windows, partly because its smaller market share made it a less profitable target and partly because of built-in controls such as Gatekeeper and XProtect. With MacBooks now common in corporate fleets, that calculus has changed, and attackers are adapting their tooling accordingly.
A Proofpoint cybersecurity report states:
“Threat actors are increasingly using compromised websites to deliver malware customized for macOS users, particularly in enterprise settings.”
This trend contradicts the belief that macOS is immune to stealer malware: the built-in controls still work, but this campaign defeats them by talking the user into switching them off.
How to Protect Your Mac from FrigidStealer
To stay safe from FrigidStealer and similar threats, follow these cybersecurity best practices:
✔ Avoid Pop-Up Updates – Never install a browser update from a pop-up or alert on a web page. Browsers update themselves and never ask you to download a .dmg from the site you happen to be reading. Always update via:
- Safari → System Settings > Software Update (Safari is updated with macOS)
- Chrome → Chrome menu > Help > About Google Chrome
✔ Download Software Only from Official Sources – Stick to the Mac App Store or official vendor websites.
✔ Use Security Software – Install reputable antivirus & anti-malware tools like Malwarebytes, Intego, or Sophos.
✔ Keep macOS Updated – Enable automatic updates to receive the latest security patches.
✔ Leave Gatekeeper & XProtect Alone – Both are on by default; XProtect has no user-facing switch, and Gatekeeper should never be weakened or bypassed for an app you did not deliberately install from a known source.
✔ Treat Override Instructions as a Red Flag – An installer that tells you to right-click and choose Open, or to allow a blocked app in Privacy & Security, is asking you to defeat the very protection that would otherwise stop it. A legitimate browser update never needs this.
Final Thoughts
FrigidStealer is a serious threat to macOS users, proving that cybercriminals are increasingly targeting Apple devices. The malware’s ability to masquerade as a browser update makes it particularly deceptive.
🚨 If you suspect an infection, immediately:
- Run a full system security scan.
- Change your passwords for sensitive accounts and sign out of all other sessions, since stolen session cookies stay valid until the session is revoked.
- Monitor bank and cryptocurrency accounts for unauthorized access, and move funds out of any wallet whose keys were stored on the machine.