Two threat actors, identified as TA2726 and TA2727, are orchestrating sophisticated web injection campaigns to distribute malware, including the novel FrigidStealer, which targets Mac users.
Researchers observed that these threat actors leverage compromised websites and traffic distribution services (TDS) to execute multi-stage attack chains, deploying payloads based on victims’ geolocation and device type.
TA2726 has been identified as a traffic distribution service (TDS) operator that redirects visitors of compromised websites to different malware distributors. The group is financially motivated, but researchers have yet to confirm whether it advertises its redirect service directly on criminal forums or deals only with partners. It has been active since at least September 2022 and collaborates with several other groups, including TA569 and TA2727.
TA2726's infrastructure relies on Keitaro-based redirects and consistent domain naming patterns, which give researchers a reliable way to separate its activity from that of the groups it feeds. In 2025 the group changed tactics: traffic from North America is now sent to TA569, while traffic from other regions is redirected to TA2727, which delivers payloads such as Lumma Stealer (Windows), DeerStealer and Marcher (both Android) and FrigidStealer (macOS).

TA2727 is also a financially motivated actor; it purchases traffic on cybercrime forums to distribute malware. Researchers observed TA2727 targeting Windows users in Europe with fake browser update pages shown when they visit compromised sites using Chrome or Edge. The "update" is an MSI installer that sideloads DOILoader, which in turn executes Lumma Stealer. The same infrastructure serves Android users Marcher and DeerStealer malware.
The most notable finding is the new FrigidStealer malware for macOS. Researchers observed that when Mac users outside North America visit an infected website, they are redirected to a fake update page that prompts them to download a DMG file.
Rather than exploiting a flaw, the lure instructs victims to choose 'Open' on the downloaded app, which overrides Apple's Gatekeeper warning; the protection is bypassed by the user, not by the malware. Once running, FrigidStealer collects browser cookies, sensitive documents and Apple Notes and sends them to a command and control (C2) server at askforupdate[.]org.

Researchers have urged organisations and individuals to deploy network detection tooling, use browser isolation solutions, and restrict Windows users from executing script files unless they are opened in a text editor.
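The attack chain above (compromised site, TDS redirect, fake update page, DMG or MSI download, C2 traffic) leaves a recognisable trail in web proxy logs, which is what the "network detection" recommendation amounts to in practice. The following script is an added example written for this article, not tooling from the researchers. It reconstructs each client's request sequence from a constructed log format (`epoch client status method url referer`) and raises two kinds of alert: any contact with the FrigidStealer C2 domain named in the article, and an installer download that follows, within a short window, an HTTP redirect from a different host, the shape of a TDS-driven fake update. The sample log lines and all hostnames other than askforupdate.org are constructed for the example; the 120-second window is an assumption to tune for your environment.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log (not real traffic): epoch client status method url referer ('-' = none).
# Client 10.0.0.5 follows the fake-update chain; 10.0.0.9 is a benign vendor download.
SAMPLE_LOG = """\
1739900000 10.0.0.5 200 GET https://news.example-compromised.com/article -
1739900001 10.0.0.5 302 GET https://tds.example-redirect.net/go?k=abc https://news.example-compromised.com/article
1739900002 10.0.0.5 200 GET https://update.example-fake.net/safari https://news.example-compromised.com/article
1739900010 10.0.0.5 200 GET https://update.example-fake.net/SafariUpdate.dmg https://update.example-fake.net/safari
1739900120 10.0.0.5 200 POST https://askforupdate.org/api/upload -
1739900005 10.0.0.9 200 GET https://vendor.example.com/downloads/tool.msi https://vendor.example.com/downloads
"""

C2_DOMAINS = {"askforupdate.org"}      # FrigidStealer C2 named in the article
INSTALLER_EXTS = (".dmg", ".msi")      # payload containers described in the article
REDIRECT_WINDOW = 120                  # seconds; assumed value, tune per environment


def parse_line(line):
    """Split one constructed log line into a dict; referer '-' becomes None."""
    ts, client, status, method, url, referer = line.split(maxsplit=5)
    return {"ts": int(ts), "client": client, "status": int(status),
            "method": method, "url": url,
            "referer": None if referer == "-" else referer}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_c2(host):
    return host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS)


def is_installer(url):
    return urlparse(url).path.lower().endswith(INSTALLER_EXTS)


def find_suspicious(log_text):
    """Return (client, rule, url) alerts for C2 contact and redirect-then-installer chains."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_client = defaultdict(list)
    for e in sorted(events, key=lambda e: (e["client"], e["ts"])):
        by_client[e["client"]].append(e)

    alerts = []
    for client, evs in by_client.items():
        for i, e in enumerate(evs):
            host = host_of(e["url"])
            if is_c2(host):
                alerts.append((client, "c2_contact", e["url"]))
                continue
            if not is_installer(e["url"]):
                continue
            # A TDS hop shows up as a 3xx from a host other than the one serving the file,
            # shortly before the download. A direct vendor download has no such hop.
            redirectors = {
                host_of(p["url"]) for p in evs[:i]
                if 300 <= p["status"] < 400
                and e["ts"] - p["ts"] <= REDIRECT_WINDOW
                and host_of(p["url"]) != host
            }
            if redirectors:
                alerts.append((client, "redirect_then_installer", e["url"]))
    return alerts


if __name__ == "__main__":
    for client, rule, url in find_suspicious(SAMPLE_LOG):
        print(f"{client}\t{rule}\t{url}")
```

The redirect-then-installer rule is deliberately loose: it will also fire on legitimate download portals that bounce through a redirector, so treat it as a hunting lead and enrich it with the referer chain (the fake update page in the constructed data is reachable only via the redirect) before escalating. The C2 match is exact and should be blocked outright.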
“This attack chain is effective because it uses believable and customised social engineering techniques, and organisations may have less scrutiny focused on the security of websites and web servers than other parts of the organisation,” researchers concluded. “Often, corporate website management may be outsourced to a third-party hosting provider. User training is one of the most important ways to prevent exploitation.”