Multi-Platform Malware Campaign Targets Users with New macOS Stealer: FrigidStealer

A sophisticated and evolving malware campaign is targeting users across multiple platforms, including macOS, Windows, and Android, deploying a variety of information-stealing malware. Cybersecurity researchers at Proofpoint have uncovered this activity, attributing it to a previously unknown threat actor they’ve designated TA2727. This campaign leverages web injects, a technique where malicious code is inserted into legitimate websites, to deliver its diverse payloads.

The campaign relies on deceptive tactics, primarily fake update-themed lures, tricking unsuspecting users into downloading and installing malicious software disguised as legitimate updates for popular web browsers like Google Chrome or Microsoft Edge. This social engineering element is crucial to the campaign’s success, exploiting users’ trust in familiar update mechanisms.

TA2727 operates within a larger network of interconnected threat actors, including TA2726 and TA569. TA2726 functions as a malicious traffic distribution system (TDS), a sophisticated network that redirects web traffic to malicious sites controlled by the attackers. This infrastructure allows TA2727 and TA569 to efficiently distribute their malware across a wide range of potential victims. TA569, known for distributing the SocGholish (FakeUpdates) JavaScript loader, often compromises legitimate websites and injects malicious code that mimics browser updates, further blurring the lines between legitimate and malicious content.

The connection between these threat actors highlights the complex and collaborative nature of modern cybercrime. “TA2726 is financially motivated and works with other financially motivated actors such as TA569 and TA2727,” Proofpoint researchers noted. “That is, this actor is most likely responsible for the web server or website compromises that lead to injects operated by other threat actors.” This division of labor allows each actor to specialize in their respective roles, increasing the overall effectiveness of the campaign.

TA2727’s unique approach lies in its ability to customize malware delivery based on the victim’s geographic location and the type of device they are using. A user visiting a compromised website from a Windows machine in France or the U.K., for example, will be presented with a fake update prompt. This leads to the download of an MSI installer that initiates the infection chain, deploying Hijack Loader (also known as DOILoader), which subsequently loads the Lumma Stealer, a known information stealer targeting Windows systems.

The same compromised website, when visited from an Android device, will deliver a completely different payload: Marcher, a long-standing and sophisticated banking trojan that has been active for over a decade. This demonstrates TA2727’s ability to adapt its attack vectors to different operating systems and maximize its reach.

Adding another layer of complexity, TA2727 has recently expanded its targeting to include macOS users outside of North America. Since January 2025, these users have been redirected to a specially crafted fake update page that downloads a new macOS information stealer dubbed FrigidStealer.

The FrigidStealer installer employs familiar macOS malware tactics: the user is required to explicitly open the unsigned application, which sidesteps Apple’s Gatekeeper protections. Once executed, it runs a Mach-O executable, written in the Go programming language and ad-hoc signed, to install the malware. The executable is built with the WailsIO project, which renders content within the user’s browser window, strengthening the social engineering aspect of the attack and making the malicious installer appear legitimate. The aim is to convince the victim that the installer is a genuine Chrome or Safari update.
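The ad-hoc signature mentioned above is something a responder can check offline. The following Python is added here as an illustration and is not part of Proofpoint’s reporting or this article: it walks a 64-bit Mach-O image’s load commands, reads the embedded code-signing SuperBlob pointed to by LC_CODE_SIGNATURE, and reports whether the binary is unsigned, ad-hoc signed (CS_ADHOC flag set, or a CMS blob with no certificate payload, so no Developer ID chain) or fully signed. The sample images are constructed inline for demonstration; on a Mac, `codesign -dv --verbose=4` gives the same answer.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O header magic
LC_CODE_SIGNATURE = 0x1D          # load command pointing at the embedded signature
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0
CSSLOT_CODEDIRECTORY, CSSLOT_SIGNATURESLOT = 0, 0x10000
CS_ADHOC = 0x2                    # CodeDirectory flag set by `codesign -s -`

def signature_status(data: bytes) -> str:
    """Classify a single-arch 64-bit Mach-O image as 'unsigned', 'adhoc' or 'signed'."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    off = 32                      # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<2I", data, off + 8)
            return _classify_superblob(data[dataoff:dataoff + datasize])
        off += cmdsize
    return "unsigned"

def _classify_superblob(blob: bytes) -> str:
    # Code-signing blobs are big-endian: SuperBlob header, then (slot, offset) index entries.
    magic, _, count = struct.unpack_from(">3I", blob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        return "unsigned"
    adhoc_flag, cms_payload = False, 0
    for i in range(count):
        slot, offset = struct.unpack_from(">2I", blob, 12 + 8 * i)
        length = struct.unpack_from(">I", blob, offset + 4)[0]
        if slot == CSSLOT_CODEDIRECTORY:      # flags live at offset 12 of the CodeDirectory
            adhoc_flag = bool(struct.unpack_from(">I", blob, offset + 12)[0] & CS_ADHOC)
        elif slot == CSSLOT_SIGNATURESLOT:    # CMS blob of header only (8 bytes) carries no certificates
            cms_payload = length - 8
    return "adhoc" if adhoc_flag or cms_payload == 0 else "signed"

def build_sample(kind: str) -> bytes:
    """Constructed minimal image (header + LC_CODE_SIGNATURE only) for offline demonstration."""
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 0, 0, 0, 0)   # CPU_TYPE_ARM64, MH_EXECUTE
    if kind == "unsigned":
        return header
    cd = struct.pack(">4I", 0xFADE0C02, 16, 0x20400, CS_ADHOC if kind == "adhoc" else 0)
    der = b"" if kind == "adhoc" else b"\x30\x82"         # stand-in for a real CMS DER payload
    cms = struct.pack(">2I", 0xFADE0B01, 8 + len(der)) + der
    index = struct.pack(">4I", CSSLOT_CODEDIRECTORY, 28, CSSLOT_SIGNATURESLOT, 28 + len(cd))
    sb = struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, 28 + len(cd) + len(cms), 2) + index + cd + cms
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 16, 0, 0)   # ncmds=1, sizeofcmds=16
    return header + struct.pack("<4I", LC_CODE_SIGNATURE, 16, 48, len(sb)) + sb
```

Point it at `Contents/MacOS/<executable>` inside a suspicious downloaded bundle; an installer whose main binary is only ad-hoc signed cannot have been notarized, which is a useful triage signal when the page it came from claimed to be a browser update.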

FrigidStealer, like other macOS information stealers, uses AppleScript to prompt the user for their system password, granting it elevated privileges to carry out its malicious activities. This access allows the malware to harvest files and sensitive information from a variety of applications, including web browsers, Apple Notes, and even cryptocurrency-related apps, demonstrating the breadth of data targeted by this malware.

Proofpoint researchers stress that this campaign exemplifies the growing trend of web compromises being used to deliver tailored malware targeting different platforms. They predict that such targeted attacks, including those aimed at macOS users, will become increasingly prevalent in the future.

This multi-platform campaign coincides with the discovery of other sophisticated macOS malware, such as Tiny FUD, a fully undetectable backdoor, and new information stealers like Astral Stealer and Flesh Stealer. These discoveries underscore the escalating sophistication of macOS malware and the need for users across all platforms to remain vigilant against these ever-evolving cyber threats. The interconnectedness of the cybercrime ecosystem, as evidenced by the collaboration between TA2727, TA2726, and TA569, further complicates the challenge of defending against these attacks. As threat actors continue to refine their tactics and expand their reach, users must adopt a proactive and multi-layered approach to security to protect their devices and sensitive information.
