{"id":79,"date":"2025-02-18T10:00:38","date_gmt":"2025-02-18T10:00:38","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4291456"},"modified":"2025-02-18T10:00:38","modified_gmt":"2025-02-18T10:00:38","slug":"new-mac-malware-poses-as-browser-updates","status":"publish","type":"post","link":"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/","title":{"rendered":"New Mac Malware Poses as Browser Updates"},"content":{"rendered":"<p>A new macOS malware called FrigidStealer is spreading through fake browser update alerts, allowing attackers to steal sensitive data, according to research from Proofpoint. This sophisticated campaign, embedded in legitimate sites, tricks users into bypassing macOS security measures. Once installed, the malware extracts browser cookies, stored passwords, cryptocurrency-related files, and Apple Notes \u2013 potentially exposing both personal and enterprise data.<\/p>\n<p>The two newly identified threat actors operate parts of these web-inject campaigns:<\/p>\n<ul>\n<li>TA2726, which may act as a traffic distribution service for other threat actors.<\/li>\n<li>TA2727, a group that distributes FrigidStealer and malware for Windows and Android. 
They may use fake update alerts to deliver malware and are identifiable by their use of legitimate websites to send scam update alerts.<\/li>\n<\/ul>\n<p>Both threat actors sell traffic and distribute malware.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Fake_updates_trick_Mac_users_into_bypassing_security\"><\/span>Fake updates trick Mac users into bypassing security<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The update scam includes deceptive instructions designed to help attackers evade macOS security measures.<\/p>\n<p>At the end of January 2025, Proofpoint found that TA2727 used scam update alerts to place information-stealing <a href=\"https:\/\/www.techrepublic.com\/article\/what-is-ghostgpt\/\">malware<\/a> on macOS devices outside of the United States. The campaign embeds fake \u201cUpdate\u201d buttons on otherwise secure websites, making it appear as though a routine browser update is required. These fake updates can be delivered through Safari or Chrome.<\/p>\n<p>If a user clicks the infected update alert, a DMG file automatically downloads. The malware detects the victim\u2019s browser and displays customized, official-looking instructions and icons that make the download appear legitimate.<\/p>\n<p>The instructions guide the user through a process that bypasses macOS Gatekeeper, which would normally warn the user about installing an untrusted application. 
Once executed, a Mach-O executable installs FrigidStealer.<\/p>\n<figure id=\"attachment_4291461\" aria-describedby=\"caption-attachment-4291461\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-4291461\" src=\"https:\/\/assets.techrepublic.com\/uploads\/2025\/02\/proofpoint-mac-stealer-feb-25.jpg\" alt=\"Right-clicking bypasses macOS Gatekeeper.\" width=\"1400\" height=\"819\" srcset=\"https:\/\/assets.techrepublic.com\/uploads\/2025\/02\/proofpoint-mac-stealer-feb-25.jpg 1400w, https:\/\/assets.techrepublic.com\/uploads\/2025\/02\/proofpoint-mac-stealer-feb-25-300x176.jpg 300w, https:\/\/assets.techrepublic.com\/uploads\/2025\/02\/proofpoint-mac-stealer-feb-25-1024x599.jpg 1024w, https:\/\/assets.techrepublic.com\/uploads\/2025\/02\/proofpoint-mac-stealer-feb-25-768x449.jpg 768w, https:\/\/assets.techrepublic.com\/uploads\/2025\/02\/proofpoint-mac-stealer-feb-25-50x29.jpg 50w, https:\/\/assets.techrepublic.com\/uploads\/2025\/02\/proofpoint-mac-stealer-feb-25-770x450.jpg 770w, https:\/\/assets.techrepublic.com\/uploads\/2025\/02\/proofpoint-mac-stealer-feb-25-370x216.jpg 370w, https:\/\/assets.techrepublic.com\/uploads\/2025\/02\/proofpoint-mac-stealer-feb-25-270x158.jpg 270w, https:\/\/assets.techrepublic.com\/uploads\/2025\/02\/proofpoint-mac-stealer-feb-25-740x433.jpg 740w, https:\/\/assets.techrepublic.com\/uploads\/2025\/02\/proofpoint-mac-stealer-feb-25-540x316.jpg 540w, https:\/\/assets.techrepublic.com\/uploads\/2025\/02\/proofpoint-mac-stealer-feb-25-1110x649.jpg 1110w, https:\/\/assets.techrepublic.com\/uploads\/2025\/02\/proofpoint-mac-stealer-feb-25-810x474.jpg 810w\" sizes=\"auto, (max-width: 1400px) 100vw, 1400px\"><figcaption id=\"caption-attachment-4291461\" class=\"wp-caption-text\">Right-clicking bypasses macOS Gatekeeper. 
Image: Proofpoint<\/figcaption><\/figure>\n<p>If users enter their password during the process, the attacker gains access to \u201cbrowser cookies, files with extensions relevant to password material or cryptocurrency from the victim\u2019s Desktop and Documents folders, and any Apple Notes the user has created,\u201d Proofpoint said.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_to_defend_against_web_inject_campaigns\"><\/span>How to defend against web inject campaigns<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Because attackers may distribute this malware through legitimate websites, security teams may struggle to detect and mitigate the threat. However, Proofpoint recommends the following best practices to strengthen defenses:<\/p>\n<ul>\n<li>Implement endpoint protection and network detection tools, such as Proofpoint\u2019s Emerging Threats ruleset.<\/li>\n<li>Train users to identify how the attack works and report suspicious activity to their security teams. Integrate knowledge about these scams into existing security awareness training.<\/li>\n<li>Restrict Windows users from downloading script files and opening them in anything other than a text file. 
This can be configured via Group Policy settings.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"macOS_threats_are_escalating\"><\/span>macOS threats are escalating<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In January 2025, <a href=\"https:\/\/www.sentinelone.com\/blog\/2024-macos-malware-review-infostealers-backdoors-and-apt-campaigns-targeting-the-enterprise\/\" target=\"_blank\" rel=\"noopener\">SentinelOne<\/a> observed a rise in attacks targeting macOS devices in enterprises. Additionally, more threat actors are adopting cross-platform development frameworks to create malware that works across multiple operating systems.<\/p>\n<p>\u201cThese trends suggest a deliberate effort by attackers to scale their operations while exploiting gaps in macOS defenses that are often overlooked in enterprise environments,\u201d wrote Phil Stokes, a threat researcher at SentinelOne.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new macOS malware called FrigidStealer is spreading through fake browser update alerts, allowing attackers to steal sensitive data, according to research from Proofpoint. This sophisticated campaign, embedded in legitimate sites, tricks users into bypassing macOS security measures. 
Once installed, the malware extracts browser cookies, stored passwords, cryptocurrency-related files, and Apple Notes \u2013 potentially exposing [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":80,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-79","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>New Mac Malware Poses as Browser Updates - TecnoArtesanos Tech Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New Mac Malware Poses as Browser Updates - TecnoArtesanos Tech Blog\" \/>\n<meta property=\"og:description\" content=\"A new macOS malware called FrigidStealer is spreading through fake browser update alerts, allowing attackers to steal sensitive data, according to research from Proofpoint. This sophisticated campaign, embedded in legitimate sites, tricks users into bypassing macOS security measures. 
Once installed, the malware extracts browser cookies, stored passwords, cryptocurrency-related files, and Apple Notes \u2013 potentially exposing [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/\" \/>\n<meta property=\"og:site_name\" content=\"TecnoArtesanos Tech Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-02-18T10:00:38+00:00\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/\",\"url\":\"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/\",\"name\":\"New Mac Malware Poses as Browser Updates - TecnoArtesanos Tech 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.tecnoartesanos.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.tecnoartesanos.com\/wp-content\/uploads\/2025\/02\/new-mac-malware-poses-as-browser-updates.jpg\",\"datePublished\":\"2025-02-18T10:00:38+00:00\",\"author\":{\"@id\":\"https:\/\/blog.tecnoartesanos.com\/#\/schema\/person\/916668a9a70ddf289e9d96ac80241d7c\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/#primaryimage\",\"url\":\"https:\/\/blog.tecnoartesanos.com\/wp-content\/uploads\/2025\/02\/new-mac-malware-poses-as-browser-updates.jpg\",\"contentUrl\":\"https:\/\/blog.tecnoartesanos.com\/wp-content\/uploads\/2025\/02\/new-mac-malware-poses-as-browser-updates.jpg\",\"width\":1400,\"height\":819},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.tecnoartesanos.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"New Mac Malware Poses as Browser Updates\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.tecnoartesanos.com\/#website\",\"url\":\"https:\/\/blog.tecnoartesanos.com\/\",\"name\":\"TecnoArtesanos 
Tech Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.tecnoartesanos.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.tecnoartesanos.com\/#\/schema\/person\/916668a9a70ddf289e9d96ac80241d7c\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.tecnoartesanos.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/256ca8173178315b3c2f61e1e816b31c2aa3f136547358daa258260f30184525?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/256ca8173178315b3c2f61e1e816b31c2aa3f136547358daa258260f30184525?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.tecnoartesanos.com\"],\"url\":\"https:\/\/blog.tecnoartesanos.com\/index.php\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"New Mac Malware Poses as Browser Updates - TecnoArtesanos Tech Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/","og_locale":"en_US","og_type":"article","og_title":"New Mac Malware Poses as Browser Updates - TecnoArtesanos Tech Blog","og_description":"A new macOS malware called FrigidStealer is spreading through fake browser update alerts, allowing attackers to steal sensitive data, according to research from Proofpoint. This sophisticated campaign, embedded in legitimate sites, tricks users into bypassing macOS security measures. 
Once installed, the malware extracts browser cookies, stored passwords, cryptocurrency-related files, and Apple Notes \u2013 potentially exposing [&hellip;]","og_url":"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/","og_site_name":"TecnoArtesanos Tech Blog","article_published_time":"2025-02-18T10:00:38+00:00","author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/","url":"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/","name":"New Mac Malware Poses as Browser Updates - TecnoArtesanos Tech Blog","isPartOf":{"@id":"https:\/\/blog.tecnoartesanos.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/#primaryimage"},"image":{"@id":"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.tecnoartesanos.com\/wp-content\/uploads\/2025\/02\/new-mac-malware-poses-as-browser-updates.jpg","datePublished":"2025-02-18T10:00:38+00:00","author":{"@id":"https:\/\/blog.tecnoartesanos.com\/#\/schema\/person\/916668a9a70ddf289e9d96ac80241d7c"},"breadcrumb":{"@id":"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/#primaryimage","url":"https:\/\/blog.tecno
artesanos.com\/wp-content\/uploads\/2025\/02\/new-mac-malware-poses-as-browser-updates.jpg","contentUrl":"https:\/\/blog.tecnoartesanos.com\/wp-content\/uploads\/2025\/02\/new-mac-malware-poses-as-browser-updates.jpg","width":1400,"height":819},{"@type":"BreadcrumbList","@id":"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/02\/18\/new-mac-malware-poses-as-browser-updates\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.tecnoartesanos.com\/"},{"@type":"ListItem","position":2,"name":"New Mac Malware Poses as Browser Updates"}]},{"@type":"WebSite","@id":"https:\/\/blog.tecnoartesanos.com\/#website","url":"https:\/\/blog.tecnoartesanos.com\/","name":"TecnoArtesanos Tech Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.tecnoartesanos.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.tecnoartesanos.com\/#\/schema\/person\/916668a9a70ddf289e9d96ac80241d7c","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.tecnoartesanos.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/256ca8173178315b3c2f61e1e816b31c2aa3f136547358daa258260f30184525?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/256ca8173178315b3c2f61e1e816b31c2aa3f136547358daa258260f30184525?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.tecnoartesanos.com"],"url":"https:\/\/blog.tecnoartesanos.com\/index.php\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.tecnoartesanos.com\/index.php\/wp-json\/wp\/v2\/posts\/79","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.tecnoartesanos.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tecnoartesanos.com\/index.php\/wp-json\/wp\/v2\/ty
pes\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tecnoartesanos.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tecnoartesanos.com\/index.php\/wp-json\/wp\/v2\/comments?post=79"}],"version-history":[{"count":0,"href":"https:\/\/blog.tecnoartesanos.com\/index.php\/wp-json\/wp\/v2\/posts\/79\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tecnoartesanos.com\/index.php\/wp-json\/wp\/v2\/media\/80"}],"wp:attachment":[{"href":"https:\/\/blog.tecnoartesanos.com\/index.php\/wp-json\/wp\/v2\/media?parent=79"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tecnoartesanos.com\/index.php\/wp-json\/wp\/v2\/categories?post=79"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tecnoartesanos.com\/index.php\/wp-json\/wp\/v2\/tags?post=79"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}