An Update on Fake Updates: Two New Actors, and New Mac Malware

Key findings 

• Proofpoint identified and named two new cybercriminal threat actors operating components of web inject campaigns, TA2726 and TA2727. 
• Proofpoint identified a new MacOS malware delivered via web inject campaigns that our researchers called FrigidStealer.  
• The web inject campaign landscape is increasing, with a variety of copycat threat actors conducting similar campaigns, which can make it difficult for analysts to track.  

Overview 

The malicious website injects threat landscape is incredibly dynamic with multiple threat actors leveraging this malware delivery method. Typically, an attack chain will consist of three parts: the malicious injects served to website visitors, which are often malicious JavaScript scripts; a traffic distribution service (TDS) responsible for determining what user gets which payload based on a variety of filtering options; and the ultimate payload that is downloaded by the script. Sometimes each part of the attack chain is managed by the same threat actor, but frequently the different parts of the chain may be managed by different threat actors.  

Historically, TA569 was the main distributor of web inject campaigns, with its SocGholish injects leading to malware installation and follow-on ransomware attacks. This actor became almost synonymous with “fake updates” within the security community. But beginning in 2023, multiple copycats emerged using the same web inject and traffic redirection techniques to deliver malware. The influx of multiple actors – some of which collaborate with each other – paired with the fact that websites can be compromised by multiple injects at one time, makes it difficult to distinctly track and categorize threat actors conducting these attacks. Proofpoint is publishing this report to help delineate two distinct sets of activity.  

Proofpoint researchers recently designated two new threat actors, TA2726 and TA2727. These are traffic sellers and malware distributors and have been observed in multiple web-based attack chains like compromised website campaigns, including those using fake update themed lures. They are not email-based threat actors, and the activity observed in email campaign data is related to legitimate, but compromised websites.  

Notably, TA2727 was recently observed delivering a new information stealer for Mac computers alongside malware for Windows and Android hosts. Proofpoint researchers dubbed this FrigidStealer. 

Proofpoint is reassessing existing activity related to TA569 and previous reporting, and assesses with high confidence TA2726 acts as a traffic distribution service (TDS) for TA569 and TA2727.  

 

Actor details: TA2726 

TA2726 appears to be a traffic seller and operates a TDS that can serve other threat actors to facilitate their malware distribution. The actor is possibly advertising traffic selling on cybercrime forums, however Proofpoint researchers are unable to confirm this with high confidence. TA2726 is financially motivated and works with other financially motivated actors such as TA569 and TA2727. That is, this actor is most likely responsible for the webserver or website compromises that lead to injects operated by other threat actors. 

Proofpoint can confirm this threat actor has been active since at least September 2022. This actor, like other compromised website threat actors, does not conduct email campaigns, and the activity observed in email is only incidental/collateral. That is, the compromised websites are shared legitimately in email messages, unbeknownst to the sender that they are compromised. 

So far in 2025, Proofpoint has observed the use of TA2726 TDS to redirect traffic to TA569 (in North America) while redirecting most of other countries to TA2727 delivering Lumma Stealer (Windows), DeerStealer (Windows), FrigidStealer (Mac), or Marcher (Android). Proofpoint is able to identify TA2726 activity distinctly from other threat actors based on the actor’s infrastructure including the use of Keitaro and consistent domain patterns and IP addresses.  

Analyst Note: Retrospective analysis from January 2025 has led analysts to believe with high confidence the TDS activity observed in previously reported SocGholish activity can be attributed to TA2726. Analysis of this threat actor and any historic activity associated with it is ongoing. 

Example TA2726 Injects on compromised websites: 

Example TA569 Response from TA2726: 

Example TA2727 Response from TA2726: 

Actor details: TA2727 

TA2727 is a cybercriminal group driven by financial motives and has been observed collaborating with other actors who share similar profit-oriented objectives. Proofpoint assesses with moderate confidence this actor purchases traffic on online forums to disseminate malware, which may be their own or that of their potential clients. 

Proofpoint first designated TA2727 as a named threat actor in an early January 2025 campaign while investigating a suspected TA569 attack chain that appeared to deliver different payloads based on recipients’ geography. In the campaign, emails contained URLs linking to websites compromised with malicious JavaScript website injects. When a user visited a compromised website, TDS domains directed traffic to various actor-controlled domains to deliver a malicious payload. Proofpoint researchers observed the attack chain serving a known SocGholish inject in the U.S. and Canada. (TA2726 was responsible for the TDS redirect leading to both the SocGholish inject and the TA2727 inject, and this actor is described in a further section of this report.) 

Researchers observed the campaign deliver another unique fake update chain in France and the UK, with a different payload based on the visitor’s user agent and browser. TA2727 was responsible for this part of the chain originating in Europe and the subsequent payload download. Proofpoint is able to identify TA2727 traffic distinctly from other web inject clusters based on their IP addresses and domain patterns. For example: 

        deski[.]fastcloudcdn[.]com 

        cloudfasterapp[.]com 

        fastcloudcdn[.]com 

If a user visited a compromised website in France or the UK on a Windows computer using Microsoft Edge or Google Chrome, the website would redirect them to instructions on how the user needs to update their browser. When the “Update” button was clicked, an MSI file was downloaded and the webpage displayed instructions on how to install the payload.  

Fake update displayed to the user (left) and subsequent instructions page once the payload was clicked (right).  

The MSI installed and executed the legitimate and signed application “Rene.E Facebook Widget”. However, one of the bundled DLLs was trojanized with DOILoader, which was side loaded upon execution. DOILoader then ran Lumma Stealer, which was encoded in a bundled m4a file.  

Traffic capture from a Windows device running Google Chrome. The site is redirected by TA2726 (blackshelter[.]org) which serves the TA2727 script (via fastcloudcdn[.]com); which then displays the fake update download page leading to malware installation.  

However, if a user was on an Android device, they would be given the same fake update redirect and download instructions, but the payload would be the Marcher banking trojan. Marcher is an old banking trojan that has targeted Android devices since 2013.  

Fake update on Android delivering Marcher.  

Proofpoint then identified another campaign at the end of January 2025 using the same tactics, techniques, and procedures (TTPs) to deliver the same payloads. In that campaign, the TA2727 payloads included a new information stealer targeting MacOS. If a Mac user outside of North America visited the compromised website from a web browser, they were redirected to a fake update page that, if the Update button was clicked, downloaded and installed an information stealer. Proofpoint researchers named this malware FrigidStealer.  

Fake update lure delivering FrigidStealer via Safari (left) and Chrome (right).  

MacOS malware 

If the user clicked on the “Update” button via a Mac computer, the TA2727 TDS downloaded a DMG file that the user is encouraged to mount. The actor used filtering to determine what browser the recipient used and downloaded the payload that aligned with their browser.   

DMG file downloaded from the compromised website.  

Upon opening the DMG, an icon was displayed depending on which browser they used upon interacting with the TDS, either Google Chrome or Safari. The DMG displayed these browser icons and instructions to run the application by right clicking the icon and selecting Open from that menu. 

Malicious “Google Chrome” updater.  

Right clicking and selecting Open bypassed the MacOS security feature called Gatekeeper, which would otherwise warn the user that the application is unsigned and untrusted. (This is a very common technique used by Mac malware authors to effectively run malware on a host.) Clicking Open ran the embedded Mach-O executable, which led to the installation of FrigidStealer. The executable was written in Go, and was ad-hoc signed (effectively a self-signed binary). The executable was built with the WailsIO project, which renders content in the user's browser. This adds to the social engineering of the victim, implying that the Chrome or Safari installer was legitimate.   

Malicious “Safari Updater” with the System Preferences prompt to enter the legitimate password to install the malware.  

Upon execution, FrigidStealer uses Apple script files and osascript to prompt the user to enter their password, and then to gather data including browser cookies, files with extensions relevant to password material or cryptocurrency from the victim’s Desktop and Documents folders, and any Apple Notes the user has created.  

The osascript containing extensions and cookies to steal from a compromised user.  

That data is added to folders in the user’s home directory and then exfiltrated to C2, askforupdate[.]org.  

MacOS information stealers are increasingly common. Actors are using web compromises to deliver malware targeting both enterprise and consumer users. It is reasonable that such web injects will deliver malware customized to the recipient, including Mac users, which are still less common in enterprise environments than Windows.  

Best practices 

The activity detailed in this report can be hard for security teams to detect and prevent and may present difficulties with communicating the threat to end users due to the social engineering techniques and website compromises used by the threat actor. The best mitigation is defense in depth. The following is recommended: 

• Have network detections in place – including using the Emerging Threats ruleset – and use endpoint protection. 
• Train users to identify the activity and report suspicious activity to their security teams. While the training is specific in nature, it can easily be integrated into an existing user training program.  
• A tool such as Proofpoint’s Browser Isolation can help prevent successful exploitation when compromised URLs are received via email and clicked on.  
• Restrict Windows users from downloading script files and opening them in anything but a text file. This can be configured via Group Policy settings.  

Conclusion 

Proofpoint continues to track a variety of web inject threat clusters, and the number of clusters conducting similar activities continues to increase. The growing threat of web injects is likely due in part to organizations building stronger defenses against threats such as email-based malware delivery and edge device network exploitation, forcing threat actors to adapt.  

This attack chain is effective because it uses believable and customized social engineering techniques, and organizations may have less scrutiny focused on the security websites and web servers than other parts of the organization. Often, corporate website management may be outsourced to a third-party hosting provider.   

User training is one of the most important ways to prevent exploitation. 

Example Emerging Threats signatures 

2054863 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (blacksaltys .com) 

2054862 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (blacksaltys .com) 

2054718 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (packedbrick .com) 

2057111 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (promiseresolverdev .com) 

2057112 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (promiseresolverdev .com) 

2057144 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (objmapper .com) 

2057145 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (variablescopetool .com) 

2057146 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (objmapper .com) 

2057147 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (variablescopetool .com) 

2057152 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (loopconstruct .com) 

2057153 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (loopconstruct .com) 

2057447 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (leatherbook .org) 

2057448 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (leatherbook .org) 

2058047 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (blackshelter .org) 

2058048 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (blackshelter .org) 

2058147 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (groundrats .org) 

2058148 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (groundrats .org) 

2058328 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (foundedbrounded .org) 

2058329 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (foundedbrounded .org) 

2059061 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (fetchdataajax .com) 

2059062 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (apistateupdater .com) 

2059063 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (hearforpower .org) 

2059064 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (goneflower .org) 

2059065 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (apivuecomponent .com) 

2059066 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (smthwentwrong .com) 

2059067 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (digdonger .org) 

2059068 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (modernkeys .org) 

2059069 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (blessedwirrow .org) 

2059070 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (fetchdataajax .com) 

2059071 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (apistateupdater .com) 

2059072 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (hearforpower .org) 

2059073 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (goneflower .org) 

2059074 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (apivuecomponent .com) 

2059075 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (smthwentwrong .com) 

2059076 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (digdonger .org) 

2059077 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (modernkeys .org) 

2059078 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (blessedwirrow .org) 

2055240 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (brickedpack .com) 

2055243 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (losttwister .com) 

2055241 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (losttwister .com) 

2055242 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (brickedpack .com) 

2059371 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (rednosehorse .com) 

2059372 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (rednosehorse .com) 

Indicators of compromise