Proofpoint Uncovers FrigidStealer, A New MacOS Infostealer

The days when Apple devices were thought to be immune to malware are over, as new malicious campaigns are now targeting macOS.
In a report published on February 18, 2025, Proofpoint described a previously undocumented infostealer targeting macOS, which it named FrigidStealer.
The malware is delivered in campaigns involving TA569, a prolific threat actor best known for injecting malicious code into compromised websites (web injects) that leads visitors to a JavaScript payload known as FakeUpdates/SocGholish.
Proofpoint also revealed two new groups linked to TA569, TA2726 and TA2727.
Evolution of TA569
TA569, also known as Mustard Tempest, Gold Prelude and Purple Vallhund, is associated with the cybercrime syndicate EvilCorp and was first identified in 2022.
The group's primary technique is the web inject: malicious code planted on compromised websites, used to gain initial access to and profile victim networks.
Typically, the inject presents FakeUpdates/SocGholish as a browser update or software package, luring the visitor into downloading a ZIP file that contains a JavaScript file. Once the JavaScript runs, it acts as a loader that profiles the host and fetches follow-on payloads, often Cobalt Strike. Because the chain begins with code injected into a legitimate site, the approach is known as a web inject campaign.
Proofpoint said that TA569 became almost synonymous with “fake updates” within the security community.
“But beginning in 2023, multiple copycats emerged using the same web inject and traffic redirection techniques to deliver malware,” the Proofpoint researchers noted.
Additionally, while TA569 was known for managing the whole attack chain, threat actors now increasingly collaborate, with each group taking charge of one part.
Emergence of Two New Collaborating Threat Actors
Two of these groups deploying similar web inject campaigns are TA2726 and TA2727, which Proofpoint assessed to be new threat actors.
Notably, TA2727 was recently observed delivering a new information stealer for Mac computers alongside malware for Windows and Android hosts. Proofpoint researchers dubbed this macOS malware FrigidStealer.
Proofpoint assessed with high confidence that TA2726 acts as a traffic distribution service (TDS) provider for TA569 and TA2727, with some campaigns previously attributed to TA569 now reattributed to TA2726 and TA2727.
The firm also assessed with moderate confidence that TA2727 purchases traffic on online forums to disseminate malware, which may be its own or that of its potential clients.
Inside the FrigidStealer Distribution Campaign
So far in 2025, Proofpoint has observed TA2726's TDS redirecting visitors from North America to TA569 and visitors from most other countries to TA2727, which delivered Lumma Stealer and DeerStealer on Windows, FrigidStealer on macOS and Marcher on Android.
The FrigidStealer campaign was detected in January 2025 and targeted Mac users outside North America.
When a target visited a compromised website, the browser was redirected to a fake update page; if the visitor clicked the Update button, the page downloaded and installed FrigidStealer.
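The chain described above (legitimate site, TDS redirect, platform-specific fake update page, installer download) leaves a recognisable footprint in web proxy logs. The following script is an added example, not code from Proofpoint's report and not based on any indicators it published: it correlates constructed proxy log lines per client, looks for a cross-site 3xx redirect followed shortly by an installer-style download from a third host, and labels the platform from the User-Agent so that analysts can see the per-OS payload split the campaign relies on. All domains, IP addresses, file names and the log field layout are made up; the assumption that the macOS payload arrives as a `.dmg` is likewise illustrative and not stated on this page.

```python
"""Correlate proxy-log redirect chains into fake-update download alerts.

Added example. The log format, hosts, clients and file names below are
constructed for illustration; none are indicators from Proofpoint's report.
"""
import re
from collections import defaultdict

# Constructed log format: "<ts> <client> <status> <method> <url> referer=<url> ua=<string>"
SAMPLE_LOG = """\
1000 10.0.0.5 200 GET https://compromised-blog.example/post referer=- ua=Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3)
1001 10.0.0.5 302 GET https://tds.example/route?site=compromised-blog referer=https://compromised-blog.example/post ua=Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3)
1002 10.0.0.5 200 GET https://update-safari.example/update.html referer=https://compromised-blog.example/post ua=Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3)
1004 10.0.0.5 200 GET https://update-safari.example/Safari_Update.dmg referer=https://update-safari.example/update.html ua=Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3)
1010 10.0.0.7 200 GET https://compromised-blog.example/post referer=- ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64)
1011 10.0.0.7 302 GET https://tds.example/route?site=compromised-blog referer=https://compromised-blog.example/post ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64)
1012 10.0.0.7 200 GET https://chrome-update.example/index.html referer=https://compromised-blog.example/post ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64)
1013 10.0.0.7 200 GET https://chrome-update.example/Chrome_Update.zip referer=https://chrome-update.example/index.html ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64)
1020 10.0.0.9 200 GET https://www.example.org/ referer=- ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64)
1021 10.0.0.9 200 GET https://www.example.org/downloads/tool.zip referer=https://www.example.org/ ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<status>\d{3}) (?P<method>\S+) (?P<url>\S+) "
    r"referer=(?P<referer>\S+) ua=(?P<ua>.*)$"
)

# Archive/installer extensions the fake-update pages hand out (ZIP for the
# Windows JS loader per the article; .dmg for macOS is an assumption here).
INSTALLER_EXT = (".zip", ".dmg", ".pkg", ".exe", ".msi", ".apk")


def host_of(url: str) -> str:
    """Return the lower-cased host of an http(s) URL, or '' for '-' / junk."""
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else ""


def platform_of(ua: str) -> str:
    """Coarse OS label from the User-Agent, mirroring the per-OS payload split."""
    if "Macintosh" in ua:
        return "macOS"
    if "Android" in ua:
        return "Android"
    if "Windows" in ua:
        return "Windows"
    return "unknown"


def parse_log(text: str) -> list:
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        e = m.groupdict()
        e["ts"] = int(e["ts"])
        e["status"] = int(e["status"])
        events.append(e)
    return events


def find_fake_update_chains(events: list, window: int = 60) -> list:
    """Flag clients that were redirected off a site and then fetched an installer.

    Hop 1: a 3xx whose referer host (the site being read) differs from the
           redirect target host (the TDS).
    Hop 2: within `window` seconds, a download with an installer extension
           from a host that is neither the original site nor the TDS.
    """
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if not 300 <= e["status"] < 400:
                continue
            origin, tds = host_of(e["referer"]), host_of(e["url"])
            if not origin or origin == tds:
                continue  # same-site redirects are normal navigation
            for f in evs[i + 1:]:
                if f["ts"] - e["ts"] > window:
                    break
                dl_host = host_of(f["url"])
                if dl_host in (origin, tds):
                    continue
                path = f["url"].split("?", 1)[0].lower()
                if path.endswith(INSTALLER_EXT):
                    alerts.append({
                        "client": client,
                        "origin": origin,
                        "tds": tds,
                        "download": f["url"],
                        "platform": platform_of(f["ua"]),
                    })
                    break  # one alert per redirect hop is enough
    return alerts


if __name__ == "__main__":
    for a in find_fake_update_chains(parse_log(SAMPLE_LOG)):
        print(f"{a['client']} {a['platform']:8} {a['origin']} -> {a['tds']} -> {a['download']}")
```

The benign client (10.0.0.9) downloads a ZIP from the same site it was browsing with no redirect in between, so it is not flagged; the two victims are flagged with their platform, which is what distinguishes the Windows ZIP-with-JS chain from the macOS FrigidStealer chain in triage. In production the host-based heuristics would be replaced by referer-aware allowlists and the window tuned to observed traffic.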