FrigidStealer: The New Infostealer Infecting Macs via Fake Browser Updates
EJ
Cybercriminals continue to refine their tactics, and the latest evolution in infostealer malware is targeting macOS users through deceptive browser update campaigns. Known as FrigidStealer, this Go-based malware—delivered via fake update prompts—exemplifies the growing sophistication of threat actors. In this article, we break down how the attack works, detail its multi-platform reach, and offer tips on how to protect yourself.
What Is FrigidStealer and How Does It Work?
FrigidStealer is part of a broader FakeUpdate campaign in which threat actors inject malicious JavaScript into compromised websites. The script displays a fake browser update notification styled to look like it comes from a legitimate vendor such as Google (Chrome) or Apple (Safari). When users click the “Update” button, they unwittingly download a malicious installer built for their platform.
In this campaign, two cybercrime groups—identified as TA2726 and TA2727—collaborate. TA2726 serves as the traffic distributor, leveraging tools like Keitaro TDS to channel visitors to the infected sites, while TA2727 acts as the malware distributor. Although the campaign targets multiple platforms, FrigidStealer specifically focuses on macOS, delivering a DMG file that installs the malware.
The Attack Process: A Multi-Stage Infostealer Campaign
The attack unfolds in several stages:
- Delivery via Fake Updates:
Attackers breach websites and inject JavaScript that triggers a fake browser update prompt. The prompt is carefully designed to mimic a genuine update notification, tricking users into clicking “Update.”
- Multi-Platform Payloads:
The payload is chosen by platform. Mac users receive a DMG file that installs FrigidStealer, Windows users get an MSI installer delivering Lumma Stealer or DeerStealer, and Android users receive an APK carrying the Marcher banking trojan. Serving every visitor a payload expands the pool of potential victims from a single compromised site.
- Social Engineering at Work:
The fake update message is the cornerstone of the social engineering. Users are told that their browser needs an urgent update to keep working or to stay secure. For Mac users the lure goes one step further: the page instructs them to right-click the downloaded file and choose Open, which is precisely the gesture macOS offers to bypass Gatekeeper’s warning for software it cannot verify. Because that instruction arrives dressed as part of a legitimate update, few victims treat it as the warning sign it is.
- Stealthy Data Exfiltration:
Once running, FrigidStealer quietly harvests data from the infected Mac: cookies, saved logins and passwords from browsers such as Safari and Chrome, cryptocurrency wallet data, and the contents of Apple Notes, documents and spreadsheets. The collected files are compressed and sent to a command-and-control server at the attacker-controlled domain askforupdate[.]org.
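The stages above leave a recognizable footprint in web-proxy logs: a browser-branded DMG, MSI or APK fetched from a host that is not the vendor’s, reached from an unrelated page, followed (for the Mac victim) by traffic to askforupdate[.]org. As an added example for this article, not code from the article’s authors, Proofpoint or the campaign itself, the Python below runs that detection over a constructed log. The log format, client addresses, host names and the vendor allowlist are assumptions; only the C2 domain comes from the campaign description.

```python
"""Flag fake-browser-update downloads and FrigidStealer C2 contact in proxy logs."""
import re
from urllib.parse import urlparse

# Hosts that legitimately serve browser or OS updates. This allowlist is an
# assumption for the example; tune it to the vendors your fleet actually uses.
LEGIT_UPDATE_HOSTS = {
    "dl.google.com", "update.googleapis.com", "edgedl.me.gvt1.com",
    "swcdn.apple.com", "swscan.apple.com", "download.mozilla.org",
}

# Exfiltration domain reported for FrigidStealer; extend as new indicators appear.
C2_DOMAINS = {"askforupdate.org"}

# Installer formats the campaign pushes: DMG (macOS), MSI (Windows), APK (Android).
INSTALLER_EXT = re.compile(r"\.(dmg|msi|apk)$", re.IGNORECASE)
BROWSER_NAMES = re.compile(r"chrome|safari|firefox|edge|browser", re.IGNORECASE)
UPDATE_WORDS = re.compile(r"update|install|upgrade", re.IGNORECASE)

# Constructed proxy format: "<timestamp> <client_ip> <method> <url> <status> <referer>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it is malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, referer = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "referer": None if referer == "-" else referer}


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_c2(host):
    """True for the C2 domain itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def classify(event):
    """Return the detection labels that apply to one parsed event."""
    host = _host(event["url"])
    filename = urlparse(event["url"]).path.rsplit("/", 1)[-1]
    labels = []
    if _is_c2(host):
        labels.append("C2_CONTACT")
    if INSTALLER_EXT.search(filename) and host not in LEGIT_UPDATE_HOSTS:
        # A browser-branded installer from a non-vendor host is the lure itself.
        if BROWSER_NAMES.search(filename) and UPDATE_WORDS.search(filename):
            labels.append("FAKE_BROWSER_UPDATE_DOWNLOAD")
        # An installer reached from an unrelated page matches the injected-JS redirect chain.
        ref_host = _host(event["referer"]) if event["referer"] else ""
        if ref_host and ref_host != host:
            labels.append("INSTALLER_VIA_THIRD_PARTY_REFERER")
    return labels


def scan(log_text):
    """Scan a whole log and return flagged events with their labels, in log order."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # skip blank or malformed lines rather than crash the scan
        labels = classify(event)
        if labels:
            hits.append({**event, "labels": labels})
    return hits


# Constructed sample log (not real traffic): a Mac victim who is then seen talking
# to the C2, a Windows victim, an Android victim, and one legitimate Chrome download.
SAMPLE_LOG = """\
2025-02-18T10:01:02Z 10.0.0.21 GET https://news.compromised-site.example/story 200 -
2025-02-18T10:01:05Z 10.0.0.21 GET https://files.update-cdn.example/SafariUpdate.dmg 200 https://news.compromised-site.example/story
2025-02-18T10:03:41Z 10.0.0.21 POST https://askforupdate.org/upload 200 -
2025-02-18T10:07:12Z 10.0.0.37 GET https://files.update-cdn.example/GoogleChrome-Update.msi 200 https://news.compromised-site.example/story
2025-02-18T10:09:30Z 10.0.0.52 GET https://files.update-cdn.example/ChromeUpdate.apk 200 https://news.compromised-site.example/story
2025-02-18T10:12:00Z 10.0.0.44 GET https://dl.google.com/chrome/mac/stable/googlechrome.dmg 200 https://www.google.com/chrome/
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["url"], ",".join(hit["labels"]))
```

The referer heuristic is deliberately separate from the filename heuristic: an attacker can rename the payload, but the redirect from a compromised site to an installer on a different host is structural to the FakeUpdate chain. The allowlist is what keeps the legitimate `dl.google.com` download out of the results, so keep it short and vendor-specific.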

The Broader Implications
Infostealer campaigns such as this threaten not only individual users but also the organizations they belong to. Stolen cookies and credentials can be replayed for account takeover, identity theft and financial fraud, and a single set of corporate logins can be the foothold for a wider network compromise. The malware needs no elevated privileges to do any of this: everything it steals is already readable by the logged-in user, which is why social engineering, not an exploit, does the heavy lifting.
How to Protect Yourself from Fake Update Infostealer Attacks
While the tactics used in this campaign are sophisticated, there are practical steps you can take to protect yourself:
- Be Skeptical of Unexpected Updates:
Update only through the vendor’s own channel. Chrome updates itself in the background, and Safari is updated through macOS Software Update; neither ever needs a download triggered by a web page you happen to be reading. Treat any pop-up that asks you to download a file, and especially one that tells you to right-click the file and choose Open, as a lure.
- Verify Before You Click:
If you receive an unexpected update prompt, check the address bar: a browser update offered by an unrelated website is a red flag in itself. Look for inconsistencies in design, language, or branding, and close the tab rather than interacting with the prompt.
- Keep Your Software Up-to-Date:
Regularly update your operating system and applications through trusted channels so you have the latest security patches; a fully patched browser also makes the “urgent update” story less believable.
- Educate Yourself and Your Team:
Awareness is key. Learn to recognize the signs of social engineering and teach others the risks of fake update prompts, including the macOS right-click-to-open trick.
Why It Matters
Infostealer attacks like the FrigidStealer campaign underscore a broader trend where cybercriminals blur the lines between legitimate system updates and malicious software delivery. By targeting multiple platforms through a single campaign, these attackers maximize their impact and complicate efforts to track and mitigate their activities.
At TechHorizon Consulting, we recognize that cybercriminals are constantly refining their tactics to exploit unsuspecting users. The rise of FrigidStealer and similar infostealers highlights the importance of securing devices, enforcing strong authentication, and staying vigilant against deceptive attacks like fake browser updates.
If your organization relies on macOS, Windows, or Android devices, now is the time to strengthen your defenses against credential theft and malware infiltration. Contact TechHorizon Consulting today to assess your security posture and implement cutting-edge protection strategies that keep your business safe from emerging cyber threats.