# Malware attacks macOS users through fake browser updates

## **Overview**

Recently, new malware variants targeting macOS users have been increasing, along with their severity. Notably, the hacker groups TA2726 and TA2727 have launched a new malware campaign delivering FrigidStealer.

The new malware is delivered to Mac users, but the same campaign also uses Windows and Android payloads to target a variety of other victims. FrigidStealer can cause serious consequences when it infiltrates a victim's system. Here are its main impacts:

* Personal data theft
* Financial threats
* Espionage and user monitoring
* Loss of device control
* Spread and expansion of attacks

## Exploitation methods

**FrigidStealer** is a type of **stealer malware** designed to steal sensitive information from the victim's device. Its operation can be divided into 5 main stages as follows:

**1. Distribution and Infection**

* Initially, the attackers insert malicious JavaScript code into the HTML of compromised websites, displaying fake notifications that prompt users to install a browser update.

![Fake update prompts on compromised websites](https://www.bleepstatic.com/images/news/u/1220909/2025/February/fake-update.jpg)

* When the victim clicks Update, a DMG file is downloaded. Here, the hacker group uses filters to determine which browser the victim is using and serves the payload that matches that browser.

![Figure 8](https://www.proofpoint.com/sites/default/files/inline-images/Screenshot%202025-02-14%20at%208.35.44%E2%80%AFAM.png)

**=> The downloaded file is named** `"Safari_6.1.13.dmg"`. Its hash is flagged as malicious by threat-intelligence (TI) sources and is associated with various threats used by attackers.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1740367500998/ed5d8b71-6c06-41bf-94c9-80a5373e55f4.png)

**2. Activation and Background Running**

* Once opened, the malicious `Safari_6.1.13.dmg` displays content tailored to whether the victim is using Google Chrome or Safari. The DMG shows an icon and instructs the user to run the application by right-clicking the icon and selecting Open from the menu.

![Figure 9](https://www.proofpoint.com/sites/default/files/inline-images/Screenshot%202025-02-14%20at%208.35.51%E2%80%AFAM.png)

* A fake system-update warning for Safari is then displayed, prompting the victim to enter their password. Once the victim enters the password, the malware is installed immediately and begins collecting and exploiting sensitive information such as:
    * Browser cookies.
    * Files with extensions related to passwords or cryptocurrency documents from the victim's Desktop and Documents folders.

![Figure 10](https://www.proofpoint.com/sites/default/files/inline-images/Screenshot%202025-02-14%20at%208.35.58%E2%80%AFAM.png)

**3. Data Collection**

* In this campaign, the attackers use a script written in **AppleScript**, a macOS scripting language used to automate tasks, to carry out the data collection on the victim's machine.

![Figure 11](https://www.proofpoint.com/sites/default/files/inline-images/Screenshot%202025-02-14%20at%208.36.06%E2%80%AFAM.png)

* The **AppleScript code performs three main tasks for the attackers:**
    * **Retrieve and copy Safari browser cookies:**
        * Identify the macOS version to find the directory path containing Safari's data.
        * Copy the `Cookies.binarycookies` file from the **Safari** directory to another folder (**fileGrabberFolderPath**).
        * This is a **cookie theft** action, allowing the attackers to hijack the victim's login sessions.
    * **Steal data from Apple Notes:**
        * Copy the `NoteStore.sqlite` database (which contains the content of Apple Notes) to another folder.
    * **Search for and steal important files from the Desktop:**
        * Enumerate the files on the **Desktop**.
        * Select files with **sensitive extensions**, such as:
            * **Personal documents**: `txt`, `docx`, `rtf`, `doc`, `md`.
            * **Cryptocurrency wallets**: `wallet`, `keys`, `key`, `kdbx`.
            * **Configuration files with sensitive information**: `env`.
        * If the file is smaller than **50 KB**, it is copied to the **fileGrabberFolderPath** folder.
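
As a defender, the useful thing to do with the description above is to hunt for the staging folder it describes. The Python below is an added example, not code from the original post or from the Proofpoint report. It scores a file listing and flags any directory that holds copies of `Cookies.binarycookies` and `NoteStore.sqlite` outside their normal locations, or one such copy next to a cluster of small files with the extensions listed above. The extension list and the 50 KB limit are taken from the page; the legitimate database locations are assumed to be the defaults on recent macOS; the real path of **fileGrabberFolderPath** is not given on the page and is not assumed; the sample listing is constructed.

```python
import os
from collections import defaultdict

# Extension list and the 50 KB limit come from the page's description of the script.
LOOT_EXTENSIONS = {"txt", "docx", "rtf", "doc", "md",
                   "wallet", "keys", "key", "kdbx", "env"}
SIZE_LIMIT = 50 * 1024

# Assumed default locations of the two databases on recent macOS (relative to
# the home directory). A copy found anywhere else is treated as suspicious.
LEGITIMATE_PARENTS = {
    "Cookies.binarycookies": (
        "Library/Cookies",
        "Library/Containers/com.apple.Safari/Data/Library/Cookies",
    ),
    "NoteStore.sqlite": (
        "Library/Group Containers/group.com.apple.notes",
    ),
}


def _in_legitimate_location(path, name):
    parent = os.path.dirname(path).replace("\\", "/")
    return any(parent.endswith(p) for p in LEGITIMATE_PARENTS[name])


def _extension(name):
    # ".env" has no stem, so rsplit still yields "env"
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def score_listing(entries):
    """entries: iterable of (path, size_in_bytes).

    Returns {directory: {"databases": [...], "loot_files": n}} for each
    directory that holds both stolen databases, or one of them next to at
    least three small files with loot-type extensions.
    """
    per_dir = defaultdict(lambda: {"databases": [], "loot_files": 0})
    for path, size in entries:
        name = os.path.basename(path)
        directory = os.path.dirname(path)
        if name in LEGITIMATE_PARENTS and not _in_legitimate_location(path, name):
            per_dir[directory]["databases"].append(name)
        if _extension(name) in LOOT_EXTENSIONS and size < SIZE_LIMIT:
            per_dir[directory]["loot_files"] += 1
    return {
        d: f for d, f in per_dir.items()
        if len(f["databases"]) == 2 or (f["databases"] and f["loot_files"] >= 3)
    }


def walk_listing(root):
    """Yield (path, size) for every regular file below root, for score_listing."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                yield full, os.path.getsize(full)
            except OSError:
                continue


# Constructed sample listing (not real data): legitimate databases in place,
# ordinary Desktop files, and a hidden folder holding stolen copies.
SAMPLE_LISTING = [
    ("/Users/alice/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies", 120_000),
    ("/Users/alice/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite", 4_000_000),
    ("/Users/alice/Desktop/notes.md", 2_000),
    ("/Users/alice/Desktop/big-report.docx", 900_000),
    ("/Users/alice/.cache/x1/Cookies.binarycookies", 120_000),
    ("/Users/alice/.cache/x1/NoteStore.sqlite", 4_000_000),
    ("/Users/alice/.cache/x1/notes.md", 2_000),
    ("/Users/alice/.cache/x1/seed.wallet", 300),
    ("/Users/alice/.cache/x1/.env", 120),
]

if __name__ == "__main__":
    # On a live machine: score_listing(walk_listing(os.path.expanduser("~")))
    for d, f in score_listing(SAMPLE_LISTING).items():
        print(f"{d}: {f['databases']} + {f['loot_files']} small loot files")
```

The Desktop itself is never flagged, because a user's own small documents sitting next to each other is normal; the signal is the stolen databases appearing where they do not belong.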
            

**4. Send data to the C2 server**

* After collecting data from the victim's machine, the attackers exfiltrate it through **Telegram, a Discord webhook, or the hacker's C2 server**.
* In this campaign, the C2 domain askforupdate[.]org was observed.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1740370536002/d2ad92c9-1ae6-47aa-b7c9-2b97be8521f1.png)

**5. Maintain operation and spread within the system**

* Besides stealing data and sending it to the C2 server, FrigidStealer can also **update itself automatically** or download additional malware such as **Astral Stealer** and **Flesh Stealer**.
* Some variants have the ability to **delete their own traces** after performing the theft.

## **Recommendations**

FrigidStealer is malware that steals sensitive information from computers, including **passwords, browser cookies, cryptocurrency wallets, and important files**. To protect your device from this malware, you should take the following measures:

* Avoid downloading software from untrusted sources.
    * Do not download **cracks, keygens, or pirated software** from unknown websites.
    * Avoid downloading files from **Discord, Telegram, or dark-web forums**, as hackers often spread malware through these platforms.
* Check and protect your web browser.
    * **Delete cookies and saved passwords in the browser** to reduce the risk of data theft.
    * **Use a password manager** instead of saving passwords directly in the browser.
    * **Disable unnecessary WebRTC and JavaScript** if you are concerned about security vulnerabilities being exploited.
* Protect personal accounts.
    * **Use strong passwords and do not reuse old passwords**, so that credentials exposed in previous data breaches cannot be used against you.
* Check the system for signs of FrigidStealer infection.
    * **Scan the system with reputable antivirus software** (Windows Defender, Malwarebytes, Kaspersky, Bitdefender, etc.).
    * **Check background processes** using **Task Manager (Windows)** or **Activity Monitor (macOS)** to detect any suspicious applications.
    * **Check network connections** to see whether data is being sent to suspicious servers: `netstat -an | grep ESTABLISHED`.
* Be cautious with unfamiliar emails and links.
    * **Do not open attachments in unfamiliar emails** (PDF, DOCX, ZIP, EXE, etc.).
    * **Check links before clicking**, especially those asking you to log in again.

## **Conclusion**

Currently, **FrigidStealer mainly targets the Windows operating system**, but that doesn't mean macOS is completely safe. **Other variants or similar data-stealing software can operate on macOS** by using different methods to gather sensitive information from the system.

There is an increasing number of malware variants targeting macOS users by embedding malicious code directly on websites, causing significant damage to information security systems. Raising awareness and training users are among the most important ways to prevent exploitation by hacker groups today.

## **IOC**

1. C2 domains
    * askforupdate[.]org
    * rednosehorse[.]com
    * blackshelter[.]org
    * deski[.]fastcloudcdn[.]com
    * slowlysmiling[.]fastcloudcdn[.]com
2. File hashes (SHA-256)
    * e1202c017c76e06bfa201ad6eb824409c2529e887bdaf128fc364bdbc9e1e214
    * 274efb6bb2f95deb7c7f8192919bf690d69c3f3a441c81fe2a24284d5f274973
    * ca172f8d36326fc0b6adef9ea98784fd216c319754c5fc47aa91fce336c7d79a
    * fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b
    * d34c95c0563c8a944a03ee1448f0084dfb94661c24e51c131541922ebd1a2c75
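
The indicators above are only useful if they are actually checked against what is on the machine and in the logs. The Python below is an added example, not part of the original post or of the Proofpoint report: it refangs the listed domains, matches hostnames against them (a host matches if it equals a listed domain or is a subdomain of one, so `fastcloudcdn.com` alone does not match), computes the SHA-256 of a file such as the downloaded `Safari_6.1.13.dmg` from stage 1 and compares it with the listed hashes, and scans resolver or proxy log lines for the stage 4 C2 domains. The IoC values are exactly those listed on this page; the log lines are constructed samples; nothing here touches the network.

```python
import hashlib
import re

# IoC values exactly as listed on this page (domains kept defanged in source).
C2_DOMAINS_DEFANGED = [
    "askforupdate[.]org",
    "rednosehorse[.]com",
    "blackshelter[.]org",
    "deski[.]fastcloudcdn[.]com",
    "slowlysmiling[.]fastcloudcdn[.]com",
]
MALICIOUS_SHA256 = {
    "e1202c017c76e06bfa201ad6eb824409c2529e887bdaf128fc364bdbc9e1e214",
    "274efb6bb2f95deb7c7f8192919bf690d69c3f3a441c81fe2a24284d5f274973",
    "ca172f8d36326fc0b6adef9ea98784fd216c319754c5fc47aa91fce336c7d79a",
    "fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b",
    "d34c95c0563c8a944a03ee1448f0084dfb94661c24e51c131541922ebd1a2c75",
}


def refang(domain):
    """Turn 'example[.]org' back into 'example.org' for matching."""
    return domain.replace("[.]", ".").lower().rstrip(".")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def match_host(host):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in C2_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file on disk (for example a downloaded DMG), read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def is_known_bad_hash(hexdigest):
    """Case-insensitive lookup of a SHA-256 hex digest in the IoC list."""
    return hexdigest.strip().lower() in MALICIOUS_SHA256


# Hostnames: dotted labels ending in an alphabetic TLD, so IPv4 addresses are skipped.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def scan_log_lines(lines):
    """Return [(line_number, hostname, matched_domain)] for every line in which a
    hostname matches a listed C2 domain. Works on DNS resolver or proxy logs."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line):
            domain = match_host(host)
            if domain:
                hits.append((number, host.lower(), domain))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-02-14T08:35:44Z dns query A www.apple.com from 10.0.0.5",
    "2025-02-14T08:35:51Z dns query A cdn.askforupdate.org from 10.0.0.5",
    "2025-02-14T08:35:58Z proxy GET https://deski.fastcloudcdn.com/update from 10.0.0.5",
    "2025-02-14T08:36:06Z dns query A fastcloudcdn.com from 10.0.0.9",
]

if __name__ == "__main__":
    for number, host, domain in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: {host} matches IoC domain {domain}")
    # For a downloaded file: is_known_bad_hash(sha256_file("/path/to/Safari_6.1.13.dmg"))
```

`netstat -an`, suggested in the recommendations, prints IP addresses rather than hostnames, so this matcher is best fed with resolver or proxy logs that still contain the queried names; the hash check is what to apply to any `Safari_*.dmg` found in Downloads.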
        

## **References**

1. [New FrigidStealer Malware Targets macOS Users via Fake Browser Updates](https://thehackernews.com/2025/02/new-frigidstealer-malware-targets-macos.html)
2. [An Update on Fake Updates: Two New Actors, and New Mac Malware | Proofpoint US](https://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware)
