New Mac Malware poses as browser updates

A new macOS malware called FrigidStealer spreads through fake browser update alerts, allowing attackers to steal sensitive data, according to Proofpoint research. The campaign, injected into legitimate websites, tricks users into bypassing macOS security measures themselves. Once installed, the malware extracts browser cookies, stored passwords, cryptocurrency-related files and Apple Notes, which may expose both personal and business data.

Two newly identified threat actors operate parts of these web injection campaigns:

  • TA2726, which can act as a traffic distribution service for other threat actors.
  • TA2727, a group that distributes FrigidStealer as well as malware for Windows and Android. It uses fake update alerts to deliver malware and can be recognized by its use of legitimate sites to serve the fake update prompts.

Both threat actors sell traffic and distribute malware.

Fake updates trick Mac users into bypassing security

The update scam contains misleading instructions designed to help attackers evade macOS security measures.

In late January 2025, Proofpoint found that TA2727 used fake update alerts to deliver information-stealing malware to macOS devices outside the United States. The campaign places fake “update” buttons on otherwise legitimate websites, making it appear that a routine browser update is needed. These fake updates can be delivered in Safari or Chrome.

If a user clicks the fake update alert, a DMG file is downloaded automatically. The malware detects the victim’s browser and displays tailored, official-looking instructions and icons that make the download appear legitimate.

The instructions walk the user through a process that bypasses macOS Gatekeeper, which would normally warn the user about installing an untrusted application. Once completed, a Mach-O executable, FrigidStealer, is installed.

Using the right-click menu to bypass macOS Gatekeeper. Image: Proofpoint

If users enter their password during the process, the attacker gains access to “browser cookies, files with extensions relevant to password material or cryptocurrency from the victim’s Desktop and Documents directories, and any Apple Notes the user has created,” Proofpoint said.

See: This checklist covers everything employers need to screen employees for security-sensitive roles.

How to defend against web injection campaigns such as FrigidStealer

Because attackers can spread this malware through legitimate sites, security teams may struggle to detect and mitigate the threat. However, Proofpoint recommends the following best practices to strengthen defenses:

  • Deploy endpoint protection and network monitoring tools, such as Proofpoint’s Emerging Threats rules.
  • Train users to recognize how the attack works and to report suspicious activity to their security teams. Incorporate this scam into existing security awareness training.
  • Restrict Windows users from downloading script files and from opening them in anything other than a text editor. This can be configured through Group Policy settings.
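One way to apply the third recommendation on a single machine, as an added example that is not from Proofpoint’s report: the PowerShell below re-points the standard Windows script ProgIDs to Notepad for the current user, and the same registry values can be pushed domain-wide with a Group Policy Preferences registry item. The viewer path and the list of ProgIDs are assumptions chosen for this example.

```powershell
# Added example (not Proofpoint's code): make double-clicked script files open
# in a text viewer instead of the Windows Script Host. Values written under
# HKCU\Software\Classes take precedence over the machine-wide HKLM defaults
# for this user; deploy the same keys via Group Policy Preferences for a fleet.
# Assumption: notepad.exe is an acceptable viewer; change $Viewer if not.

$Viewer = 'notepad.exe'
# ProgIDs behind .js/.jse/.vbs/.vbe/.wsf/.wsh on a default Windows install
$ScriptProgIds = @('JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile')

foreach ($progId in $ScriptProgIds) {
    $cmdKey = "HKCU:\Software\Classes\$progId\shell\open\command"
    New-Item -Path $cmdKey -Force | Out-Null
    # "%1" is replaced by the path of the file the user opened
    Set-ItemProperty -Path $cmdKey -Name '(Default)' -Value "$Viewer `"%1`""
    Write-Host "$progId now opens with $Viewer"
}

# Verification pass: every ProgID's open command should start with the viewer.
# Caveat: a per-extension UserChoice set through "Open with" still wins, so
# check the Explorer\FileExts keys too when auditing a user who changed them.
foreach ($progId in $ScriptProgIds) {
    $cmd = (Get-ItemProperty "HKCU:\Software\Classes\$progId\shell\open\command").'(default)'
    if ($cmd -notlike "$Viewer*") { Write-Warning "$progId not remapped: $cmd" }
}
```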

macOS threats are increasing

In January 2025, SentinelOne observed an increase in attacks targeting macOS devices in enterprises. In addition, more threat actors are adopting cross-platform development frameworks to create malware that runs on multiple operating systems.

“These trends indicate a deliberate attempt by attackers to scale their operations, while exploiting the gaps in macOS defense that are often overlooked in business environments,” wrote Phil Stokes, a threat researcher at SentinelOne.
