By Bill Toulas

The FakeUpdate malware campaigns are becoming increasingly muddled, with two additional cybercrime groups, tracked as TA2726 and TA2727, running campaigns that push a new macOS infostealer called FrigidStealer.

The new malware is delivered to Mac users, but the same campaign also uses Windows and Android payloads to cover a broad range of targets.

In FakeUpdate campaigns, threat actors breach websites and inject malicious JavaScript into the HTML of web pages, which then display fake notifications telling the user to install a browser update.

The new campaign was discovered by researchers at Proofpoint, who note that malicious JavaScript displaying fake browser update messages is being adopted by a rising number of threat actors, making tracking and analysis increasingly tricky.

TA2727 is a financially motivated threat group first identified in January 2025, deploying Lumma Stealer for Windows, Marcher for Android, and FrigidStealer for macOS. In this campaign, TA2726 and TA2727 work together, with the former acting as the traffic distributor and facilitator and the latter as the malware distributor.

From the user's perspective, the alert appears to come from Google or Safari, stating that a browser update needs to be installed to view the site. Windows users get an MSI installer that loads Lumma Stealer or DeerStealer, Mac users receive a DMG file that installs the new FrigidStealer malware, and Android users receive an APK file that contains the Marcher banking trojan.

Mac users must manually launch the download by right-clicking on the file and then selecting Open, after which they are asked to enter their password to get past macOS Gatekeeper protections.

FrigidStealer is Go-based malware built with the WailsIO framework so that the installer appears legitimate and raises no suspicion during infection. The malware extracts saved cookies, login credentials, and password-related files stored in Safari or Chrome on macOS. It also scans for crypto wallet credentials stored in the macOS Desktop and Documents folders, reads and extracts Apple Notes containing passwords, financial information, or other sensitive details, and collects documents, spreadsheets, and text files from the user's home directory.

Infostealer campaigns have become a massive global operation over the past few years, leading to devastating attacks on both home users and organizations.
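The injected script tags described above are what a site owner can look for on their own pages. The following is an added example, not code from the article or from Proofpoint: a Python check that compares the script tags of a live page against a known-good copy and an allowlist of script hosts. The sample pages, the injected host name and the allowlist are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples: a known-good copy of a page and the live copy after a
# FakeUpdate-style compromise appended an external loader and an inline overlay.
KNOWN_GOOD_PAGE = """<script src="https://cdn.example.com/site.js"></script>
<script>window.siteReady = true;</script>"""
LIVE_PAGE = KNOWN_GOOD_PAGE + """
<script src="https://updates-cdn.invalid/check.js"></script>
<script>document.body.innerHTML = '<h1>Update your browser</h1>';</script>"""
ALLOWED_SCRIPT_HOSTS = {"cdn.example.com"}  # hypothetical allowlist

class ScriptCollector(HTMLParser):
    """Collect external <script src> values and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # start capturing an inline body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def find_unexpected_scripts(live_html, known_good_html, allowed_hosts):
    """Return (external srcs whose host is off the allowlist, number of inline
    scripts whose hash is absent from the known-good copy). Relative srcs are
    same-origin and treated as allowed."""
    live, good = ScriptCollector(), ScriptCollector()
    live.feed(live_html)
    good.feed(known_good_html)
    baseline = {hashlib.sha256(b.encode()).hexdigest() for b in good.inline}
    bad_external = [s for s in live.external
                    if urlparse(s).hostname not in (allowed_hosts | {None})]
    bad_inline = sum(hashlib.sha256(b.encode()).hexdigest() not in baseline
                     for b in live.inline)
    return bad_external, bad_inline
```

Running the check on the constructed live page reports the off-allowlist loader and one inline script that is not in the baseline; a clean page reports nothing.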
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 19 Feb 2025 17:45:08 +0000