A new macOS malware called FrigidStealer is spreading through fake browser update alerts, allowing attackers to steal sensitive data, according to research from Proofpoint. This sophisticated campaign, embedded in legitimate sites, tricks users into bypassing macOS security measures. Once installed, the malware extracts browser cookies, stored passwords, cryptocurrency-related files, and Apple Notes – potentially exposing both personal and enterprise data.
The two newly identified threat actors operate parts of these web-inject campaigns:
- TA2726, which may act as a traffic distribution service for other threat actors.
- TA2727, a group that distributes FrigidStealer as well as malware for Windows and Android. They deliver malware through fake update alerts and are identifiable by their use of compromised legitimate websites to serve those alerts.
Both threat actors sell traffic and distribute malware.
Fake updates trick Mac users into bypassing security
The update scam includes deceptive instructions designed to help attackers evade macOS security measures.
At the end of January 2025, Proofpoint found that TA2727 used scam update alerts to place information-stealing malware on macOS devices outside of the United States. The campaign injects fake “Update” buttons into otherwise legitimate websites, making it appear as though a routine browser update is required. These fake updates can be delivered through Safari or Chrome.
If a user clicks the fake update alert, a DMG file automatically downloads. The malware detects the victim’s browser and displays customized, official-looking instructions and icons that make the download appear legitimate.
The instructions guide the user through a process that bypasses macOS Gatekeeper, which would normally warn the user about installing an untrusted application. Once executed, a Mach-O executable installs FrigidStealer.
If users enter their password during the process, the attacker gains access to “browser cookies, files with extensions relevant to password material or cryptocurrency from the victim’s Desktop and Documents folders, and any Apple Notes the user has created,” Proofpoint said.
How to defend against web inject campaigns
Because attackers may distribute this malware through legitimate websites, security teams may struggle to detect and mitigate the threat. However, Proofpoint recommends the following best practices to strengthen defenses:
- Implement endpoint protection and network detection tools, such as Proofpoint’s Emerging Threats ruleset.
- Train users to identify how the attack works and report suspicious activity to their security teams. Integrate knowledge about these scams into existing security awareness training.
- Restrict Windows users from downloading script files and from opening them with anything other than a text editor. This can be configured via Group Policy settings.
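As an added triage example (not from Proofpoint or this article), the query below reads macOS's LaunchServices quarantine-events database and flags DMG downloads whose download host differs from the page the user was browsing, which is the shape of the fake-update flow described above: a legitimate site's visitor is sent to a separate host for the DMG. The database path and table layout are the standard macOS ones; the in-memory sample records are constructed for the demonstration.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlparse

# Real macOS location of the quarantine history (per user).
QUARANTINE_DB = "~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"
# LSQuarantineTimeStamp is Cocoa time: seconds since 2001-01-01, not the Unix epoch.
COCOA_EPOCH_OFFSET = 978307200


def dmg_downloads(conn):
    """Return DMG download events; 'cross_host' is True when the file came from a
    different host than the page the user was on (origin URL), which is worth a look
    when the origin is a site that would never ship a browser installer."""
    rows = conn.execute(
        "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, "
        "LSQuarantineDataURLString, LSQuarantineOriginURLString "
        "FROM LSQuarantineEvent WHERE LSQuarantineDataURLString LIKE '%.dmg%'"
    )
    events = []
    for ts, agent, data_url, origin_url in rows:
        data_host = urlparse(data_url or "").hostname or ""
        origin_host = urlparse(origin_url or "").hostname or ""
        events.append({
            "time": datetime.fromtimestamp(ts + COCOA_EPOCH_OFFSET, tz=timezone.utc),
            "agent": agent,
            "data_host": data_host,
            "origin_host": origin_host,
            "cross_host": bool(origin_host) and data_host != origin_host,
        })
    return events


def build_sample_db():
    """Constructed sample DB with the same table layout (not a real capture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE LSQuarantineEvent (LSQuarantineEventIdentifier TEXT, "
        "LSQuarantineTimeStamp REAL, LSQuarantineAgentName TEXT, "
        "LSQuarantineDataURLString TEXT, LSQuarantineOriginURLString TEXT)"
    )
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?)", [
        # Ordinary page load, not a disk image: ignored by the query.
        ("A1", 759000000.0, "Safari", "https://example-news.invalid/post.html", None),
        # Vendor download served from the same host the user was on: not flagged.
        ("A2", 759000100.0, "Google Chrome", "https://example-vendor.invalid/files/App.dmg",
         "https://example-vendor.invalid/download"),
        # "Browser update" DMG pulled from a third host while reading an article: flagged.
        ("A3", 759000200.0, "Safari", "https://update-host.invalid/Safari_Update.dmg",
         "https://compromised-site.invalid/article"),
    ])
    return conn
```

On a live host, replace `build_sample_db()` with `sqlite3.connect(os.path.expanduser(QUARANTINE_DB))`; the flagged rows give the timestamp and agent to pivot on in browser history and endpoint logs.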
macOS threats are escalating
In January 2025, SentinelOne observed a rise in attacks targeting macOS devices in enterprises. Additionally, more threat actors are adopting cross-platform development frameworks to create malware that works across multiple operating systems.
“These trends suggest a deliberate effort by attackers to scale their operations while exploiting gaps in macOS defenses that are often overlooked in enterprise environments,” wrote Phil Stokes, a threat researcher at SentinelOne.