An Update on Fake Updates: Two New Actors, and New Mac Malware
Essential information
- Published
- 18/02/2025 15:38
- Modified
- 18/02/2025 17:55
- Tags
- 2025-02-18 deerstealer doiloader fake updates frigidstealer gholoader lumma stealer macos malware marcher socgholish traffic distribution web inject
- Related entities
- 10 observables, 1 intrusion sets (apt), 14 techniques (mitre), 7 malware, 4 others
Description
Proofpoint has identified two new cybercriminal threat actors, TA2726 and TA2727, operating web inject campaigns. TA2726 acts as a traffic distribution service for TA569 and TA2727, while TA2727 delivers various malware payloads including a new MacOS information stealer called FrigidStealer. The landscape of web inject campaigns is expanding, with multiple copycat actors using similar techniques, making it challenging to track distinct activities. These campaigns typically involve malicious injects, traffic distribution services, and ultimate payloads, sometimes managed by different actors. The attacks use fake browser update lures to deliver malware to Windows, Android, and now Mac systems.