Introduction
Apple devices [3] [6], once considered largely immune to malware, are increasingly becoming targets of sophisticated cyber threats. A notable example is FrigidStealer, a malware specifically designed to exploit macOS users through deceptive update notifications. This development challenges the long-held perception of Apple’s robust security and highlights the evolving tactics of cybercriminals.
Description
Apple devices are increasingly targeted by malware [6], with a sophisticated infostealer named FrigidStealer specifically aimed at macOS users through deceptive fake update notifications. This malware, attributed to the threat actor TA2727 [1] [4], spreads via misleading browser update alerts, challenging the previous notion of Apple devices being largely immune to malware threats [3]. Once downloaded [5], FrigidStealer requires manual execution as an unsigned application [4] [5], which then runs an embedded Mach-O executable to initiate data theft [5].
FrigidStealer is linked to TA569, a threat actor associated with the cybercrime syndicate EvilCorp, which has been active since 2022 [3]. TA569 primarily employs fake updates as a method to deliver malware [3], utilizing website injections and deploying a JavaScript payload known as FakeUpdates/SocGholish [6]. In 2023, new groups TA2726 and TA2727 emerged [6], collaborating with TA569 in web inject campaigns. TA2727 has been observed delivering FrigidStealer alongside malware targeting Windows and Android systems [6], with campaigns tailored to users based on geography or device, delivering different payloads accordingly [4].
When a user clicks the “Update” button on a Mac [2], the TA2727 traffic distribution service downloads a DMG file that the user is prompted to mount. The malware actor customizes its appearance based on the user’s browser [1], either Google Chrome or Safari [2], presenting an icon that corresponds to the browser used [2]. To bypass macOS’s Gatekeeper security feature [2], users are instructed to manually launch the unsigned application by right-clicking the icon and selecting Open, allowing the execution of the embedded Mach-O executable [2].
TA2726 is assessed to function as a traffic distribution service for TA569 and TA2727 [6], with some campaigns previously attributed to TA569 now linked to these new actors [6]. Once installed, the FrigidStealer executable employs AppleScript to gain elevated privileges [5], prompting the user for their password and extracting sensitive data [2], including saved passwords, browsing history [5], browser cookies [1] [2], cryptocurrency-related files from the Desktop and Documents folders [2], and Apple Notes [1] [2]. The gathered data is stored in the user’s home directory and exfiltrated to the command and control server askforupdate[.]org [2].
The FrigidStealer campaign was detected in January 2025 [6], focusing on Mac users outside North America [3], with a noted increase in attacks particularly within enterprise environments [1]. Users visiting compromised websites were redirected to a fake update page which, upon clicking the Update button, would download and install FrigidStealer [1] [2] [3] [5] [6]. Proofpoint noted that in 2025 [3], TA2726 was redirecting traffic to TA569 in North America and to TA2727 in other regions [3]. The rise of macOS information stealers indicates a growing trend where actors utilize web compromises to deliver malware targeting both enterprise and consumer users [2], including Mac users [2], who are less prevalent in enterprise environments compared to Windows users [2].
FrigidStealer poses significant risks to both personal and corporate data [5], potentially leading to identity theft and direct financial losses through unauthorized transactions. It can exfiltrate sensitive corporate information [5], resulting in competitive disadvantages and potential regulatory fines for data breaches [5]. Additionally, the malware can cause reputational damage to businesses [5], eroding customer trust and impacting long-term financial stability [5]. Furthermore, infections can disrupt business operations [5], resulting in downtime and loss of productivity [5]. To mitigate the risks associated with FrigidStealer [5], it is crucial for users and organizations to adopt best practices [5], including regular software updates [5], robust antivirus solutions [5], and user education on recognizing phishing attempts [5]. The trend among threat actors to utilize cross-platform development frameworks also indicates a strategic effort to exploit vulnerabilities in macOS defenses [1].
Conclusion
The emergence of FrigidStealer underscores the growing threat of malware targeting Apple devices, challenging the perception of their invulnerability. This malware not only threatens personal and corporate data but also poses significant financial and reputational risks. To combat these threats, it is essential for users and organizations to implement comprehensive security measures, including regular updates, effective antivirus solutions, and user education [5]. As cybercriminals continue to evolve their tactics, staying informed and vigilant is crucial to safeguarding against future threats.
References
[1] https://www.techrepublic.com/article/mac-malware-web-inject-proofpoint/
[2] https://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware
[3] https://www.newsminimalist.com/articles/proofpoint-reveals-new-frigidstealer-malware-targeting-macos-devices-55d24f43
[4] https://www.cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-february-18-2025
[5] https://cts-tex.com/2025/02/18/understanding-the-frigidstealer-threat/
[6] https://www.infosecurity-magazine.com/news/proofpoint-frigidstealer-new-mac/