A novel macOS malicious software named FrostyStealer is circulating via counterfeit browser update notifications, enabling cybercriminals to pilfer confidential information, as per findings from Proofpoint. This advanced scheme, ingrained in valid websites, deceives users into skirting macOS security protocols. Upon installation, the malware harvests browser cookies, saved passcodes, crypto-related data, and Apple Notes – potentially exposing both personal and corporate information.
The two freshly identified threat groups oversee components of these web-inject operations:
- TA2726, potentially serving as a distribution hub for other cybercriminals.
- TA2727, a faction dispersing FrostyStealer and malicious software for Windows and Android. They might utilize fake update notifications to activate malware and can be distinguished by their utilization of legitimate websites to dispatch deceptive update messages.
Both threat groups offer traffic for sale and propagate malware.
False alerts trick Mac users into evading security
The deceptive update scheme comprises misleading directives tailored to aid cybercriminals in circumventing macOS security protocols.
In late January 2025, Proofpoint uncovered that TA2727 employed deceptive update notifications to implant data-siphoning malware on macOS devices outside the U.S. The campaign integrates counterfeit “Update” buttons on seemingly secure websites, creating the illusion of a necessary browser update. These deceptive updates can be transmitted via Safari or Chrome.
If a user triggers the infected update alert, a DMG file is automatically downloaded. The malware detects the victim’s browser and exhibits bespoke, official-looking directives and icons to lend legitimacy to the download process.
The directives walk the user through a sequence that avoids macOS Gatekeeper, typically responsible for alerting users about untrusted application installations. Once executed, a Mach-O executable installs FrostyStealer.
If users input their password during the process, the intruder gains entry to “browser cookies, files with extensions relevant to password material or cryptocurrency from the victim’s Desktop and Documents folders, and any Apple Notes the user has created,” ProofPoint stated.
SEE: This checklist contains everything employers need to vet employees for security-sensitive tasks.
How to protect against web inject operations
Given that perpetrators might disseminate this malware through authentic websites, security teams may encounter challenges in detecting and thwarting the menace. However, Proofpoint advocates the subsequent top practices to fortify defenses:
- Deploy endpoint protection and network detection solutions, like Proofpoint’s Emerging Threats ruleset.
- Train users to recognize the attack pattern and alert security teams about suspicious behavior. Incorporate awareness about these deceits into prevailing security education programs.
- Refrain Windows users from downloading script files and opening them in formats other than plain text. This can be configured via Group Policy setups.
MacOS risks are on the rise
In January 2025, SentinelOne witnessed an uptick in assaults targeting macOS devices in corporate environments. Moreover, a growing number of threat actors are embracing cross-platform development frameworks to craft malware that functions across various operating systems.
“These trends indicate a deliberate endeavor by attackers to expand their activities while capitalizing on weaknesses in macOS defenses that are frequently disregarded in business settings,” noted Phil Stokes, a threat analyst at SentinelOne.
About Author
