Cybersecurity researchers at Proofpoint have uncovered a new information-stealing malware dubbed FrigidStealer that specifically targets macOS users. The campaign behind it leverages compromised websites and fake browser update notifications to harvest sensitive user data, marking a significant evolution in macOS-targeted cyber attacks.
Threat Actor Groups and Distribution Infrastructure
Two distinct threat groups, identified as TA2726 and TA2727, are orchestrating the FrigidStealer campaign. TA2726, active since September 2022, employs the Keitaro Traffic Distribution System (TDS) to manage malicious traffic flow. The newer group, TA2727, first identified in January 2025, operates a diverse malware arsenal that includes the Lumma Stealer for Windows and the Marcher banking trojan for Android, demonstrating multi-platform attack capabilities.
Social Engineering Tactics and Delivery Mechanism
The malware deployment relies on the FakeUpdate technique: compromised websites inject malicious JavaScript that displays a convincing browser update notification. The TDS-based profiling system analyzes visitor characteristics, including location, device type, and browser version, to serve each visitor the payload matched to their profile.
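Because the lure starts with script injected into an otherwise legitimate site, one practical check for a site owner is to compare the scripts a page actually loads against a baseline. The following is an added example, not code from the Proofpoint report or from either threat group; the HTML, the allowlist of script hosts, the baseline inline script and the hostname cdn.updates-example.test are all constructed for illustration.

```python
"""Audit a page's <script> tags against a baseline of expected script hosts and inline bodies.

Added example (not from the Proofpoint report). Any external script loaded from a host outside
the allowlist, and any inline script whose SHA-256 is not in the baseline, is reported for review.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # text of <script> tags without src=
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def script_host(src, page_host):
    """Host a script src loads from; relative URLs resolve to the page's own host."""
    return (urlparse(src).hostname or page_host).lower()


def audit_scripts(html, page_host, allowed_hosts, known_inline_hashes):
    """Return unexpected external script URLs and the first 80 chars of unexpected inline scripts."""
    collector = ScriptCollector()
    collector.feed(html)
    unexpected_external = [
        s for s in collector.external if script_host(s, page_host) not in allowed_hosts
    ]
    unexpected_inline = [
        body[:80] for body in collector.inline
        if hashlib.sha256(body.encode()).hexdigest() not in known_inline_hashes
    ]
    return {"external": unexpected_external, "inline": unexpected_inline}


# Constructed baseline: hosts the page legitimately loads scripts from, and one known inline snippet.
PAGE_HOST = "www.example.com"
ALLOWED_HOSTS = {"www.example.com", "static.example.com"}
KNOWN_GOOD_INLINE = "window.dataLayer = window.dataLayer || [];"
KNOWN_INLINE_HASHES = {hashlib.sha256(KNOWN_GOOD_INLINE.encode()).hexdigest()}

# Constructed page: two expected scripts, the baseline inline snippet, then two scripts not in the baseline.
SAMPLE_HTML = (
    "<html><head>\n"
    '<script src="/js/app.js"></script>\n'
    '<script src="https://static.example.com/lib.js"></script>\n'
    "<script>" + KNOWN_GOOD_INLINE + "</script>\n"
    '<script src="https://cdn.updates-example.test/update.js"></script>\n'
    "<script>(function(){ /* not in baseline */ })();</script>\n"
    "</head><body></body></html>"
)

if __name__ == "__main__":
    findings = audit_scripts(SAMPLE_HTML, PAGE_HOST, ALLOWED_HOSTS, KNOWN_INLINE_HASHES)
    for url in findings["external"]:
        print("unexpected external script:", url)
    for body in findings["inline"]:
        print("unexpected inline script:", body)
```

Run it on a page fetched the way a visitor would fetch it; injected FakeUpdate scripts are often served only to visitors who match the TDS profile, so a fetch from the site's own server or a monitoring IP may show a clean page while the live page differs.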
Technical Analysis of FrigidStealer
Built in the Go programming language with the WailsIO framework, FrigidStealer is able to get past macOS security features, including Gatekeeper. Once installed, the malware initiates a comprehensive data collection routine targeting:
- Browser credentials and cookies from Safari and Chrome
- Cryptocurrency wallet information
- Sensitive content stored in Apple Notes
- Documents and text files from user directories
Data Exfiltration Methodology
The malware stores stolen information in a hidden directory, then compresses it and transmits it to the command-and-control server at askforupdate[.]org. Its ability to circumvent macOS security mechanisms makes FrigidStealer particularly dangerous, especially for users who do not scrutinize update prompts carefully.
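The one network indicator the report gives, the C2 domain askforupdate[.]org, is enough to hunt for exfiltration traffic in proxy and DNS logs. The following is an added example, not code from the Proofpoint report: it refangs the defanged indicator, matches the apex domain and its subdomains without tripping on look-alike names, and runs over a handful of constructed log lines in squid-style proxy and dnsmasq-style query formats (the timestamps, client IPs and URLs are invented; only the C2 domain comes from the article).

```python
"""Hunt proxy and DNS logs for contact with the FrigidStealer C2 domain.

Added example, not from the Proofpoint report. Log lines are constructed; the only real
indicator is the defanged domain askforupdate[.]org reported in the article.
"""
import re
from urllib.parse import urlparse

# Defanged indicators exactly as they appear in reporting.
DEFANGED_IOCS = ["askforupdate[.]org"]


def refang(indicator):
    """Turn a defanged indicator such as askforupdate[.]org into a matchable hostname."""
    return indicator.replace("[.]", ".").lower().strip(".")


def host_matches(host, iocs):
    """True when host is the IoC domain itself or one of its subdomains.

    A plain substring test would also flag notaskforupdate.org and
    askforupdate.org.example.com, so compare on label boundaries instead.
    """
    host = host.lower().strip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


# Two constructed log shapes: "<ts> <client-ip> <METHOD> <url>" and a dnsmasq query line.
PROXY_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")
DNS_RE = re.compile(r"^(?P<ts>\S+)\s+dnsmasq\[\d+\]:\s+query\[A\]\s+(?P<qname>\S+)\s+from\s+(?P<src>\S+)")


def extract_host(line):
    """Return (client, hostname) for a recognised log line, or None."""
    m = PROXY_RE.match(line)
    if m:
        return m.group("src"), urlparse(m.group("url")).hostname or ""
    m = DNS_RE.match(line)
    if m:
        return m.group("src"), m.group("qname")
    return None


def hunt(lines, defanged_iocs):
    """Return one hit per log line whose destination host matches an indicator."""
    iocs = [refang(d) for d in defanged_iocs]
    hits = []
    for line in lines:
        parsed = extract_host(line)
        if parsed and host_matches(parsed[1], iocs):
            hits.append({"src": parsed[0], "host": parsed[1], "line": line})
    return hits


# Constructed sample: two true hits (a POST to the C2 and a DNS lookup of a subdomain)
# and two look-alike names that must not match.
SAMPLE_LOGS = [
    "2025-02-18T10:01:02Z 10.0.0.15 GET https://www.example.com/index.html",
    "2025-02-18T10:01:05Z 10.0.0.15 POST https://askforupdate.org/upload",
    "2025-02-18T10:02:11Z dnsmasq[512]: query[A] cdn.askforupdate.org from 10.0.0.22",
    "2025-02-18T10:02:14Z dnsmasq[512]: query[A] notaskforupdate.org from 10.0.0.31",
    "2025-02-18T10:03:00Z 10.0.0.40 GET https://askforupdate.org.example.com/",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS, DEFANGED_IOCS):
        print(f"{hit['src']} contacted {hit['host']}: {hit['line']}")
```

A DNS hit on its own shows that a host resolved the domain, which is an earlier and often quieter signal than the proxy POST that carries the compressed archive; treat either as grounds to pull the endpoint's recent downloads and look for the hidden staging directory described above.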
To protect against FrigidStealer and similar threats, security experts recommend verifying browser updates through official channels, keeping security software up to date, and regularly backing up critical data. Organizations should also educate users about the risks of fake update prompts and establish clear procedures for software updates. The emergence of FrigidStealer underscores the growing sophistication of macOS-targeted malware and the importance of maintaining robust security practices in an evolving threat landscape.