
Digital safety starts here, for both commercial and personal use.

Defend Your Business Against the Latest WNY Cyber Threats. We offer safe, secure and affordable solutions for your business and personal networks and devices.



WNYCyber is there to help you choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet programmers who have to deal daily with cyber threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

New FrigidStealer Malware Targets macOS Users via Fake Browser Updates

Summary:
Recently, Proofpoint identified two new actors, TA2726 and TA2727, involved in web-based malware distribution. TA2726 functions as a TDS (Traffic Distribution System) operator, selling traffic to other threat actors, including TA569 and TA2727. Since at least September 2022, TA2726 has redirected users based on geography: North American users are served TA569's SocGholish injects, while others receive malware such as Lumma Stealer for Windows, DeerStealer for Windows, FrigidStealer for Mac, and Marcher for Android. Unlike traditional phishing campaigns, TA2726 does not conduct email-based attacks; instead, legitimate but compromised websites unknowingly distribute its malicious content.

TA2727, a financially motivated threat actor, specializes in malware distribution through fake update lures. First identified by Proofpoint in January 2025, TA2727 has been observed using compromised websites to distribute different payloads based on user location and platform. Windows users in Europe were served DOILoader via a trojanized MSI file, while Android users were targeted with the Marcher banking trojan. Notably, Mac users were infected with FrigidStealer, a newly identified information stealer. Disguised as a browser update, FrigidStealer prompts users to enter their Mac password, then exfiltrates browser cookies, credentials, and cryptocurrency-related files to a command-and-control server.

Security Officer Comments:
Malicious web inject campaigns have become increasingly complex, with multiple threat actors leveraging this method to distribute malware. These attacks typically follow a three-stage process: malicious JavaScript injects are embedded into compromised websites, a Traffic Distribution System determines which users receive specific payloads, and the final malware is downloaded onto the victim’s device. Historically, TA569 was the primary actor using SocGholish injects to deploy fake browser update lures, often leading to ransomware infections. However, since 2023, multiple copycat actors have adopted similar techniques, making it challenging to attribute attacks to specific groups.
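The three-stage chain described above (compromised site, TDS redirect, payload download) leaves a footprint in web proxy logs that a defender can hunt for. The script below is an added example, not code from the Proofpoint report or from WNYCyber: it parses constructed proxy log lines, flags installer downloads whose filename looks like a browser "update" lure and that come from a host outside an assumed vendor allowlist, and then walks the referrer chain backwards to reconstruct the compromised-site to TDS to payload sequence for the analyst. The log format, the host names (all under `.test`), the `VENDOR_ALLOWLIST` contents and the `PAYLOAD_EXTENSIONS` list are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hypothetical allowlist of hosts from which a browser installer is expected to come.
# Assumption for this example; a real deployment populates it from vendor documentation.
VENDOR_ALLOWLIST = {"updates.example-vendor.test"}

# File types the report associates with fake-update payloads (DMG for Mac, MSI for
# Windows, APK for Android) plus a few common installer and script containers.
PAYLOAD_EXTENSIONS = (".dmg", ".pkg", ".msi", ".exe", ".apk", ".zip", ".js")
UPDATE_LURE = re.compile(r"update|upgrade|install", re.IGNORECASE)

# Constructed sample proxy log (not real traffic): timestamp client method url referrer status
SAMPLE_LOG = """\
2025-02-10T14:01:02Z 10.0.0.12 GET https://blog.compromised-site.test/post/1 - 200
2025-02-10T14:01:05Z 10.0.0.12 GET https://r.tds-operator.test/go?plat=mac&geo=eu https://blog.compromised-site.test/post/1 302
2025-02-10T14:01:07Z 10.0.0.12 GET https://files.payload-host.test/Safari_Update.dmg https://r.tds-operator.test/go 200
2025-02-10T14:05:10Z 10.0.0.33 GET https://updates.example-vendor.test/download - 200
2025-02-10T14:05:12Z 10.0.0.33 GET https://updates.example-vendor.test/browser-update.dmg https://updates.example-vendor.test/download 200
2025-02-10T14:07:00Z 10.0.0.41 GET https://news.compromised-site.test/article/42 - 200
2025-02-10T14:07:03Z 10.0.0.41 GET https://files.payload-host.test/ChromeUpdate.msi https://news.compromised-site.test/article/42 200
2025-02-10T14:09:00Z 10.0.0.41 GET https://files.payload-host.test/report.zip https://news.compromised-site.test/article/42 200
"""


@dataclass
class LogEntry:
    ts: str
    client: str
    url: str
    referrer: Optional[str]
    status: int


def parse_line(line: str) -> LogEntry:
    """Parse one whitespace-separated log line of the assumed format."""
    ts, client, _method, url, referrer, status = line.split()
    return LogEntry(ts, client, url, None if referrer == "-" else referrer, int(status))


def _host_path(url: str) -> Tuple[str, str]:
    """Normalise a URL to (host, path) so a referrer matches the request that produced it,
    even when the request carried a query string (e.g. the TDS redirect parameters)."""
    p = urlparse(url)
    return p.netloc.lower(), p.path or "/"


def is_suspicious_download(entry: LogEntry) -> bool:
    """A successful fetch of an installer/script whose name reads like an update lure,
    from a host that is not a known vendor download location."""
    host, path = _host_path(entry.url)
    name = path.rsplit("/", 1)[-1]
    return (
        entry.status == 200
        and name.lower().endswith(PAYLOAD_EXTENSIONS)
        and UPDATE_LURE.search(name) is not None
        and host not in VENDOR_ALLOWLIST
    )


def _referrer_chain(entry: LogEntry, history: List[LogEntry]) -> List[str]:
    """Walk referrers backwards through this client's earlier requests. The search window
    shrinks on every hop, so the walk always terminates even on referrer cycles."""
    chain = [entry.url]
    current, limit = entry, len(history)
    while current.referrer:
        target = _host_path(current.referrer)
        idx = next((i for i in range(limit - 1, -1, -1)
                    if history[i].client == current.client
                    and _host_path(history[i].url) == target), None)
        if idx is None:
            break
        current, limit = history[idx], idx
        chain.insert(0, current.url)
    return chain


def detect_fake_update_chains(log_text: str) -> List[dict]:
    """Return one alert per suspicious download, with the reconstructed redirect chain."""
    history: List[LogEntry] = []
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if is_suspicious_download(entry):
            alerts.append({"client": entry.client, "payload": entry.url,
                           "chain": _referrer_chain(entry, history)})
        history.append(entry)
    return alerts


if __name__ == "__main__":
    for alert in detect_fake_update_chains(SAMPLE_LOG):
        print(f"{alert['client']}: " + " -> ".join(alert["chain"]))
```

On the constructed log this raises two alerts: the Mac client whose chain runs from the compromised blog through the TDS redirect to `Safari_Update.dmg`, and the Windows client served `ChromeUpdate.msi` directly from the compromised news page. The vendor-hosted `browser-update.dmg` and the `report.zip` download are not flagged. In practice the allowlist and the lure pattern are the two knobs to tune: the former to cut false positives from legitimate updaters, the latter because the report's lures all impersonate browser updates but later campaigns may rename their payloads.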


Suggested Corrections:

The best mitigation is defense in depth. The following is recommended:

  • Have network detections in place – including using the Emerging Threats ruleset – and use endpoint protection.
  • Train users to identify the activity and report suspicious activity to their security teams. While the training is specific in nature, it can easily be integrated into an existing user training program.
  • A tool such as Proofpoint’s Browser Isolation can help prevent successful exploitation when compromised URLs are received via email and clicked on.
  • Restrict Windows users from downloading script files and opening them in anything but a text editor. This can be configured via Group Policy settings.


Link(s):
https://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware