A surge in malicious web inject campaigns has introduced FrigidStealer, a new macOS-specific information stealer, deployed via fake browser update prompts. Cybersecurity firm Proofpoint identified two previously unknown threat actors, TA2726 and TA2727, collaborating to distribute this malware globally, marking a significant escalation in cross-platform cybercrime operations.

TA2726, operating as a traffic distribution service (TDS), directs victims to payloads managed by TA2727, which specializes in malware delivery. This division of labor allows TA2726 to handle website compromises and traffic filtering, while TA2727 deploys tailored payloads, including FrigidStealer for macOS, Lumma Stealer for Windows, and the Marcher banking trojan for Android.

Proofpoint’s analysis reveals TA2726 has been active since at least September 2022, using infrastructure such as the Keitaro TDS to redirect users. TA2727, meanwhile, emerged in early 2025, using fake update lures to bypass security controls across operating systems. When victims visit compromised websites, TA2726’s TDS serves a fraudulent browser update prompt (e.g., “Update Chrome” or “Update Safari”).

Proofpoint notes TA2726 routes North American traffic to TA569’s SocGholish campaigns, historically linked to ransomware precursors like Cobalt Strike. TA569’s legacy SocGholish campaigns, for instance, now share infrastructure with TA2726 and TA2727, blurring historical attribution boundaries.

User Training: Educate teams on recognizing fake update lures, emphasizing macOS-specific social engineering.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 19 Feb 2025 19:15:12 +0000