Web Injection
Frigidstealer
Protect your devices from the growing FakeUpdate malware campaign. Learn about F...
A new wave of cybercrime campaigns is making waves, with two malicious groups—TA2726 and TA2727—distributing a potent macOS infostealer, **FrigidStealer**, through FakeUpdate schemes. These campaigns, first identified by Proofpoint researchers, also use Windows and Android payloads, significantly expanding their target range.
### **Role of FakeUpdate Campaigns in Cybercrime**
FakeUpdate campaigns are a key method for cybercriminals to distribute malware across devices. Malicious JavaScript is injected into compromised websites, prompting users with fake browser update notifications. The notification, which appears to be from legitimate services like Google or Safari, misleads users into downloading harmful files when they click "Update."
This **malware distribution technique** uses a Traffic Distribution System (TDS) to filter victims based on factors such as location, device type, and OS, making detection increasingly difficult for both users and security professionals.
### **Dual Role of TA2726 and TA2727**
Two distinct cybercriminal groups are behind the latest surge in FakeUpdate attacks. **TA2726** acts as a traffic distributor, redirecting victims to malicious websites. Active since at least September 2022, TA2726 frequently utilizes the Keitaro TDS to manage its traffic and collaborate with other threat actors.
In contrast, **TA2727**, a financially motivated group identified in early 2025, is responsible for distributing the actual malware. Their payloads include **Lumma Stealer** for Windows, **Marcher** for Android, and **FrigidStealer** for macOS. The group's swift adaptation of malicious tools highlights the growing sophistication of these campaigns.
### **FrigidStealer: A New macOS Threat**
The newly discovered **FrigidStealer** malware targets macOS users, marking a significant evolution in the FakeUpdate landscape. Built on the **WailsIO framework** using the Go programming language, FrigidStealer is designed to blend seamlessly into the system. Once activated, it extracts sensitive data, including saved passwords and cookies from browsers like Safari and Chrome.
### **What Makes FrigidStealer Dangerous?**
FrigidStealer doesn't stop at browser credentials. It also searches for **crypto wallet** information stored on the Mac's Desktop and Documents folders, collects sensitive **Apple Notes**, and scans the user's home directory for documents, spreadsheets, and other personal files. This exfiltrated data is compressed and transferred to the attacker's **command-and-control server** at "askforupdate[.]org."
The malware's ability to steal both personal and financial information makes it a severe threat to both individual users and businesses alike, contributing to a rising number of data breaches and identity theft cases.
### **Multi-Platform Reach: Windows and Android Users at Risk**
Though the primary focus of the current campaign is macOS, the use of **Lumma Stealer** and **Marcher** in Windows and Android environments broadens the attack's scope. **Windows users** are tricked into downloading an MSI installer that deploys Lumma Stealer or **DeerStealer**, while **Android devices** receive an APK that installs the **Marcher banking trojan**, a malware designed to steal sensitive financial data.
### **How to Avoid FakeUpdate Malware Infections**
To protect against these attacks, users should **never download files** or execute commands prompted by pop-ups or suspicious websites, especially those claiming to be browser updates, captchas, or fixes for common issues. In particular, avoid downloading any files from compromised sites that pretend to offer software updates.
For those already infected with infostealers like FrigidStealer, it’s crucial to **change passwords** for all online accounts, particularly if the same password is used across multiple sites. **Two-factor authentication (2FA)** should be enabled wherever possible to add an additional layer of security.
