Protect your devices from the growing FakeUpdate malware campaign. Learn about FrigidStealer, Lumma Stealer, and Marcher trojan targeting macOS, Windows, Android.

Continue reading
A new wave of cybercrime campaigns is making waves, with two malicious groups—TA2726 and TA2727—distributing a potent macOS infostealer, FrigidStealer, through FakeUpdate schemes. These campaigns, first identified by Proofpoint researchers, also use Windows and Android payloads, significantly expanding their target range.
FakeUpdate campaigns are a key method for cybercriminals to distribute malware across devices. Malicious JavaScript is injected into compromised websites, prompting users with fake browser update notifications. The notification, which appears to be from legitimate services like Google or Safari, misleads users into downloading harmful files when they click "Update."
This malware distribution technique uses a Traffic Distribution System (TDS) to filter victims based on factors such as location, device type, and OS, making detection increasingly difficult for both users and security professionals.
Two distinct cybercriminal groups are behind the latest surge in FakeUpdate attacks. TA2726 acts as a traffic distributor, redirecting victims to malicious websites. Active since at least September 2022, TA2726 frequently utilizes the Keitaro TDS to manage its traffic and collaborate with other threat actors.
In contrast, TA2727, a financially motivated group identified in early 2025, is responsible for distributing the actual malware. Their payloads include Lumma Stealer for Windows, Marcher for Android, and FrigidStealer for macOS. The group's swift adaptation of malicious tools highlights the growing sophistication of these campaigns.
The newly discovered FrigidStealer malware targets macOS users, marking a significant evolution in the FakeUpdate landscape. Built on the WailsIO framework using the Go programming language, FrigidStealer is designed to blend seamlessly into the system. Once activated, it extracts sensitive data, including saved passwords and cookies from browsers like Safari and Chrome.
FrigidStealer doesn't stop at browser credentials. It also searches for crypto wallet information stored on the Mac's Desktop and Documents folders, collects sensitive Apple Notes, and scans the user's home directory for documents, spreadsheets, and other personal files. This exfiltrated data is compressed and transferred to the attacker's command-and-control server at "askforupdate[.]org."
The malware's ability to steal both personal and financial information makes it a severe threat to both individual users and businesses alike, contributing to a rising number of data breaches and identity theft cases.
Though the primary focus of the current campaign is macOS, the use of Lumma Stealer and Marcher in Windows and Android environments broadens the attack's scope. Windows users are tricked into downloading an MSI installer that deploys Lumma Stealer or DeerStealer, while Android devices receive an APK that installs the Marcher banking trojan, a malware designed to steal sensitive financial data.
To protect against these attacks, users should never download files or execute commands prompted by pop-ups or suspicious websites, especially those claiming to be browser updates, captchas, or fixes for common issues. In particular, avoid downloading any files from compromised sites that pretend to offer software updates.
For those already infected with infostealers like FrigidStealer, it’s crucial to change passwords for all online accounts, particularly if the same password is used across multiple sites. Two-factor authentication (2FA) should be enabled wherever possible to add an additional layer of security.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation