A newly discovered malware campaign is using fake browser update prompts to distribute FrigidStealer, an infostealer designed to target macOS users. The attack is part of a broader cybercriminal operation that also delivers malware to Windows and Android users. Cybersecurity researchers at Proofpoint have identified two threat groups—TA2726 and TA2727—working together to spread this malware through compromised websites.
How the Attack Works
The attackers inject malicious JavaScript into breached websites, which then display fake update alerts that mimic Google Chrome or Safari notifications. These pop-ups instruct users to download and install a required browser update, but instead of a legitimate update, the user unknowingly installs malware.
Multi-Platform Targeting
- macOS: Users receive a DMG file that installs FrigidStealer.
- Windows: Victims download an MSI installer that loads Lumma Stealer or DeerStealer.
- Android: Users are tricked into downloading an APK file that installs the Marcher banking trojan.
Unlike traditional drive-by downloads, this attack requires user interaction. On macOS, the victim must right-click the downloaded file and select “Open”, followed by entering their password to bypass macOS Gatekeeper protections.
What FrigidStealer Does
FrigidStealer is built using the Go-based WailsIO framework, which enables the installer to closely mimic the look and feel of a legitimate browser update. Once installed, the malware operates covertly in the background. It is designed to extract sensitive information from the affected Mac, including saved cookies, login credentials, and various password files stored in browsers like Safari and Chrome. The malware also scans local directories for crypto wallet credentials and retrieves content from Apple Notes that may contain passwords, financial data, or other personal information. Additionally, FrigidStealer collects documents, spreadsheets, and text files from the user’s home directory.
The stolen data is compressed into a hidden folder and transmitted to a command and control (C2) server at askforupdate[.]org.
Why This Attack Is Significant
Fake update campaigns are a growing trend in cybercrime. The use of JavaScript-based injects allows attackers to dynamically profile victims and tailor payloads based on operating system, browser type, and device location. While Windows and Android users have long been targeted by similar attacks, the emergence of advanced macOS-specific malware like FrigidStealer represents a concerning shift.
What SOC Teams Need to Know
Security Operations Centers (SOCs) must take proactive steps to detect and mitigate threats like FrigidStealer before they lead to data breaches. Here’s what security teams should focus on:
Detection and Threat Intelligence
- Monitor web traffic logs for connections to suspicious domains like askforupdate[.]org.
- Analyze downloaded DMG files for unexpected permissions requests or credential access.
- Track unusual browser update prompts appearing on legitimate corporate websites.
Endpoint Protection
- Ensure macOS security settings are configured to block unverified apps from executing.
- Deploy endpoint detection and response (EDR) solutions to identify anomalies in application behavior.
- Implement strong user access controls to prevent unauthorized software installations.
User Awareness & Training
- Educate employees on the dangers of fake update prompts.
- Reinforce policies that restrict downloading software from untrusted sources.
- Encourage users to manually check for browser updates via official vendor websites.
How to Stay Protected
To avoid falling victim to infostealers like FrigidStealer:
- Never click on update prompts from websites. Always update browsers directly from their official settings menu.
- Use trusted security software that can detect and block malicious downloads.
- Regularly review account security and change passwords if suspicious activity is detected.
Final Thoughts
With multiple cybercrime groups leveraging fake browser updates as an infection vector, organizations must stay vigilant and implement layered security measures to mitigate these risks. By combining user awareness, strong endpoint security, and proactive threat monitoring, security teams can better defend against these evolving threats.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact
