Researchers have raised alarms about a new cyber campaign involving web injects that delivers macOS malware known as FrigidStealer. This campaign is attributed to a previously unidentified threat actor, TA2727, which has also been linked to other information stealers targeting platforms such as Windows (Lumma Stealer) and Android (Marcher). TA2727 has been active since at least September 2022 and uses fake browser update alerts to lure victims into downloading malicious payloads. These payloads are then distributed through compromised websites, often using malicious JavaScript.
TA2727’s attacks are financially motivated and operate using attack chains that deliver different payloads depending on the victim’s device or location. For example, a user in France or the UK visiting a compromised site from a Windows computer would be prompted to download an MSI installer that runs Lumma Stealer via Hijack Loader. Meanwhile, the same fake update redirected from an Android device would deploy the Marcher banking trojan. In January 2025, the campaign expanded its focus to target macOS users, specifically outside North America, using a fake update page to distribute the new FrigidStealer malware.
FrigidStealer is delivered through an installer that exploits macOS’s security features by requiring the user to manually bypass Gatekeeper protections before running an embedded Mach-O executable. The executable, written in Go and ad-hoc signed, is designed to deceive victims by appearing as a legitimate update for Chrome or Safari.
Once executed, the malware gains elevated privileges through AppleScript and harvests sensitive information, including passwords, web browser data, and cryptocurrency-related files.
The increasing use of web compromises to target both consumer and enterprise users reflects the evolving tactics of financially driven threat actors. FrigidStealer, alongside other emerging information stealers like Astral Stealer and Flesh Stealer, demonstrates the growing sophistication of malware targeting macOS systems. As attackers continue to adapt and deliver tailored payloads based on victim profiles, the need for robust security measures to protect against these targeted web-based threats becomes even more urgent.
