SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
New cyber threats target MacOS with FrigidStealer malware

Proofpoint has identified two new cybercriminal threat actors, TA2726 and TA2727, involved in web inject campaigns, while also uncovering new malware targeting MacOS users.

The landscape of malicious website injects is marked by multiple threat actors using malware delivery methods that typically involve three components: malicious JavaScript served to website visitors, a traffic distribution service (TDS) that decides which payload to deliver, and the final payload downloaded by the script.

Despite a history of notable web inject campaigns from the actor TA569, new actors have emerged, complicating the tracking process for analysts.

Beginning in 2023, Proofpoint observed multiple threat actors employing similar web inject and traffic redirection techniques. The appearance of these copycat actors using similar methods has compounded the difficulties in distinguishing between them. Proofpoint aims to clarify the actors involved by publishing this report.

TA2726 and TA2727 have been identified as new traffic sellers and malware distributors, specifically operating within web-based attack chains that feature compromised website campaigns.

These campaigns are distinct from email-based threats: they are associated with legitimate but compromised websites.

TA2727 has been connected to the delivery of a new information stealer, named FrigidStealer, targeting Mac computers, along with existing malware for Windows and Android systems.

Proofpoint is also reassessing past activities attributed to TA569 and confirms with high confidence that TA2726 functions as a traffic distribution service for TA569 and TA2727.

TA2726 is known to operate a TDS that facilitates malware distribution for various actors and possibly advertises traffic sales on cybercrime forums, although this is not confirmed with high confidence. Active since at least September 2022, TA2726 does not conduct email campaigns; any email activity is incidental, a by-product of compromised websites being shared in email.

This actor mainly targets North America, redirecting traffic to TA569 while directing other regions to TA2727 to deliver various malware including Lumma Stealer, DeerStealer, FrigidStealer, or Marcher.

TA2726's infrastructure, including its use of the Keitaro TDS and specific domain and IP address patterns, distinctly identifies its activity.

Retrospective analysis suggests that the TDS activity previously reported under SocGholish can be traced back to TA2726.

TA2727, a financially motivated group, collaborates with other profit-driven actors and is believed to purchase traffic on online forums for malware dissemination.

This actor was first designated in January 2025 during a campaign initially thought to be linked to TA569.

The URLs in emails during this campaign directed users to compromised websites injected with malicious JavaScript. Location-based redirection techniques were used to serve specific payloads. In North America, users encountered SocGholish injects, and in France and the UK, a unique fake update payload chain was identified.

The EU campaign targeted Windows devices using Microsoft Edge or Google Chrome by redirecting them to fake update sites, resulting in the installation of the Lumma Stealer via a trojanized IFILOader.

A distinct branch of this campaign attacked Android devices with the Marcher trojan, a known threat since 2013.

Further analysis towards the end of January 2025 highlighted MacOS users being targeted by the new malware, FrigidStealer.

Upon visiting compromised sites, users were redirected to fake update pages that installed the malware if the user interacted with them. Proofpoint researchers have provided technical details showing how the attack bypasses MacOS security features to install FrigidStealer.

The dynamic and evolving nature of web inject threats requires vigilance from security teams.

Best practices include network detection rules, user training, and the use of browser isolation tools.

Organisations are encouraged to implement comprehensive defensive measures and user training programmes to mitigate these threats effectively.
