Fake Browser Updates Now Spread New FrigidStealer Malware to Mac, Windows, and Android

Feb 21, 2025 | News





Cybercriminals are once again using fake browser update scams to distribute malware, now targeting users across macOS, Windows, and Android. Researchers at Proofpoint have uncovered two cybercriminal groups, TA2726 and TA2727, responsible for these campaigns, which deliver various malware strains, including:

  • FrigidStealer – A newly discovered macOS information stealer.
  • Lumma Stealer – A credential and data theft tool for Windows.
  • Marcher – A banking trojan designed to steal login credentials from Android users.

The attacks begin when users visit a compromised website and are tricked into downloading a fake browser update, which instead installs malware.

How the Attack Works

The campaign relies on web injects, where attackers insert malicious scripts into legitimate websites. When a user visits an infected site, they see a fake browser update prompt, urging them to download an update for Chrome or Safari.

  • Instead of a real update, users unknowingly install malware that can steal credentials, financial data, and other sensitive information.
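Because the lure lives in script injected into an otherwise legitimate site, one practical defensive control is to inventory the scripts a page serves and diff them against a known-good baseline. The following is an added example, not code from the article or from Proofpoint: it parses a page with the standard-library HTML parser, reports external script hosts that are not in the baseline, and flags inline scripts that contain fake-update wording. The baseline host list, the sample HTML and the lure phrases are constructed for illustration.

```python
"""
Defender-side check for web-inject style script insertions: compare the
<script> elements on a fetched page against a known-good baseline.
Added example; the baseline, sample HTML and lure phrases are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording typical of fake-update prompts. These are an assumption for this
# example, not indicators published by the article.
LURE_PHRASES = (
    "update your browser",
    "browser update required",
    "chrome update",
    "safari update",
)


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attributes of <script src=...>
        self.inline = []        # text of inline <script>...</script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data until </script>.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def script_host(src, page_host):
    """Host an external script loads from; relative URLs resolve to the page host."""
    host = urlparse(src).netloc
    return host.lower() if host else page_host.lower()


def audit_page(html, page_host, baseline_hosts):
    """Return hosts absent from the baseline and inline scripts carrying lure text."""
    collector = ScriptCollector()
    collector.feed(html)
    allowed = {h.lower() for h in baseline_hosts} | {page_host.lower()}
    new_hosts = sorted({script_host(s, page_host) for s in collector.external} - allowed)
    suspicious_inline = [
        body.strip() for body in collector.inline
        if any(phrase in body.lower() for phrase in LURE_PHRASES)
    ]
    return {"new_hosts": new_hosts, "suspicious_inline": suspicious_inline}


# Constructed sample: the site's normal script plus an injected loader from
# an unfamiliar host and an inline block that rewrites the page into a prompt.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-shop.com/app.js"></script>
<script src="https://static.example-cdn.invalid/loader.js"></script>
<script>
  document.body.innerHTML = '<div>Update your browser to continue</div>';
</script>
</head><body></body></html>
"""
BASELINE_HOSTS = ["cdn.example-shop.com"]

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "www.example-shop.com", BASELINE_HOSTS))
```

In practice the baseline is captured once from a clean crawl of the site and the audit is run on a schedule; a newly appearing script host is worth investigating even when no lure text is present, since the injected loader often fetches the prompt from elsewhere.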


TA2726 and TA2727: The Attackers Behind the Scam

TA2726 – The Traffic Seller

  • Acts as a redirection service for other malicious actors.
  • Works alongside TA569, a known group previously involved in similar scams.

TA2727 – The Malware Distributor

  • Directly delivers malware using fake browser updates.
  • Tailors attacks based on the victim’s location and operating system.

For example, Proofpoint observed:

  • United States & Canada – Victims were redirected to the SocGholish malware.
  • Europe (Windows users) – Fake updates delivered Lumma Stealer.
  • Europe (Android users) – Fake updates installed the Marcher banking trojan.


FrigidStealer: New macOS Malware

The FrigidStealer malware is specifically designed to target Mac users.

  • The attack begins with a fake update message for Chrome or Safari.
  • If executed, the file installs FrigidStealer, which silently:
    • Steals browser cookies and saved credentials.
    • Extracts cryptocurrency-related files.
    • Reads Apple Notes, similar to the XCSSET malware.

How FrigidStealer Bypasses macOS Security

  • Written in Go and uses the WailsIO framework to render realistic-looking fake update windows.
  • Sidesteps macOS Gatekeeper by instructing users to right-click the downloaded file and choose Open, the manual override that lets an unsigned app launch; a trick long used by Mac malware authors.

Image caption: Fake Safari and Chrome browser update websites delivering FrigidStealer (via Proofpoint)


Windows and Android Also Under Attack

The same fake update technique is used to infect Windows and Android users.

  • Windows Users – Receive an MSI installer that deploys a trojanized DLL, executing Lumma Stealer or DeerStealer to steal credentials and financial data.
  • Android Users – Clicking the fake update downloads Marcher, a banking trojan that has been active since 2013 and is designed to steal login credentials from banking apps.



How to Stay Safe

  • Never download browser updates from pop-ups – Only update from official sources.
  • Avoid clicking suspicious links or attachments – Even if they appear legitimate.
  • Check file legitimacy – Use tools like VirusTotal or ANY.RUN before opening unknown files.
  • Enable security settings – Ensure macOS Gatekeeper, Windows Defender, or a reputable antivirus is active.
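One way to act on the "check file legitimacy" advice without uploading a possibly sensitive installer is to hash the file locally and look the hash up on VirusTotal. The block below is an added example, not code from the article: it streams the file through SHA-256, queries the VirusTotal v3 files endpoint by hash, and turns the returned detection counts into a coarse verdict. The API key (read from `VT_API_KEY`), the file path and the verdict thresholds are assumptions made here.

```python
"""
Hash a downloaded installer and look the hash up on VirusTotal before
opening it. Added example; API key, path and thresholds are assumptions.
"""
import hashlib
import json
import urllib.error
import urllib.request

# VirusTotal v3 file-report endpoint, looked up by SHA-256 (no upload).
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large MSI/DMG installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(stats, malicious_threshold=3):
    """Map VirusTotal's last_analysis_stats to a verdict.

    stats looks like {"malicious": 12, "suspicious": 1, "undetected": 50, "harmless": 0}.
    The threshold of three flagging engines is a choice made for this example.
    """
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    if total == 0:
        return "unknown"
    if flagged >= malicious_threshold:
        return "malicious"
    if flagged > 0:
        return "suspicious"
    return "clean"


def lookup_hash(sha256, api_key, timeout=15):
    """Query VirusTotal by hash; returns last_analysis_stats, or None if never seen."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None     # hash unknown to VirusTotal
        raise
    return body["data"]["attributes"]["last_analysis_stats"]


if __name__ == "__main__":
    import os
    import sys
    path = sys.argv[1]                       # e.g. the downloaded "update" file
    digest = sha256_of_file(path)
    print("sha256:", digest)
    stats = lookup_hash(digest, os.environ["VT_API_KEY"])
    print("verdict:", "never seen, treat with caution" if stats is None else classify(stats))
```

A hash that VirusTotal has never seen is not a clean result: a freshly built "browser update" that no engine has encountered deserves more suspicion, not less, so treat `None` as a reason to not open the file.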


Source: hackread.com
