TA2727
TA2727 is a financially motivated cybercriminal threat actor identified by Proofpoint as part of the growing web-inject and fake browser update ecosystem. The actor uses compromised legitimate websites to present scam update alerts and distribute malware, and has been observed collaborating with TA2726, a malicious traffic distribution service (TDS) operator that redirects victims by geography and device type. Proofpoint assessed with high confidence that TA2726 serves traffic for TA2727, including Keitaro TDS-based chains.

TA2727 uses fake update lures and JavaScript injects similar to SocGholish-style activity, but distributes its own payloads rather than TA569/SocGholish malware. Reported payloads attributed to TA2727 include Lumma Stealer and DeerStealer for Windows, Marcher for Android, and FrigidStealer for macOS.

In observed campaigns, the payload depends on the victim's platform. Windows users were prompted to download an MSI from a fake browser update page; the MSI installed a legitimate signed application together with a trojanized DLL that side-loaded DOILoader, which then executed Lumma Stealer. Android users received the same fake update lure but were delivered Marcher. macOS users outside North America were redirected to fake update pages that downloaded browser-themed DMG files delivering FrigidStealer.

Proofpoint first designated TA2727 during an early January 2025 campaign that delivered different payloads based on recipient geography: TA2726 redirected North American traffic to TA569/SocGholish and traffic from other countries to TA2727. Proofpoint also observed a late January 2025 campaign that added the macOS payload FrigidStealer. Known infrastructure mentioned in the reporting includes deski[.]fastcloudcdn[.]com, cloudfasterapp[.]com, and fastcloudcdn[.]com.

TA2727 is also linked in reporting to FrigidStealer delivery chains such as TA2726 -> TA2727 ClickFix -> FrigidStealer. The reporting characterizes TA2727 as a copycat actor in the broader fake-update/web-inject ecosystem that emerged alongside other clusters beginning in 2023. No additional aliases or nation-state attribution are provided in the source content.
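The three domains above are published defanged (`[.]`), and one of them is a subdomain of another, so a naive string search either misses subdomains or over-matches look-alike names. The following is an added example, not Mallory's code or anything from the Proofpoint reporting: it refangs the listed indicators, matches request hosts on a label boundary, and tags downloads whose extension matches the MSI/DMG lure types the reporting describes. The log layout (`timestamp client-ip method url status`) and the sample lines are assumptions constructed for the example.

```python
"""Scan proxy-style log lines for the TA2727 infrastructure named in the reporting."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Domains named in the reporting above, kept in their defanged form.
DEFANGED_IOCS = [
    "deski[.]fastcloudcdn[.]com",
    "cloudfasterapp[.]com",
    "fastcloudcdn[.]com",
]

# Installer types the reporting ties to the fake-update lure: MSI for Windows, DMG for macOS.
LURE_EXTENSIONS = {".msi": "windows-msi", ".dmg": "macos-dmg"}

# Assumed log layout (constructed for this example): "<timestamp> <client-ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('example[.]com') back to a matchable hostname."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()


def host_matches(host: str, ioc_host: str) -> bool:
    """Exact match or subdomain match on a label boundary, so 'notfastcloudcdn.com' does not hit."""
    host = host.lower().rstrip(".")
    return host == ioc_host or host.endswith("." + ioc_host)


@dataclass
class Hit:
    src: str
    host: str
    path: str
    matched_iocs: list = field(default_factory=list)
    lure_type: str = ""


def scan(lines, defanged_iocs=DEFANGED_IOCS):
    """Return one Hit per log line whose request host matches a known TA2727 domain."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the whole scan
        parts = urlsplit(m["url"])
        host = parts.hostname or ""
        matched = [i for i in iocs if host_matches(host, i)]
        if not matched:
            continue
        path = parts.path.lower()
        lure = next((tag for ext, tag in LURE_EXTENSIONS.items() if path.endswith(ext)), "")
        hits.append(Hit(src=m["src"], host=host, path=parts.path,
                        matched_iocs=matched, lure_type=lure))
    return hits


# Constructed sample log lines (not from the reporting) exercising the matcher.
SAMPLE_LOG = [
    "2025-02-01T10:00:00Z 10.0.0.5 GET http://deski.fastcloudcdn.com/update/ChromeUpdate.msi 200",
    "2025-02-01T10:00:03Z 10.0.0.7 GET https://www.example.org/index.html 200",
    "2025-02-01T10:00:05Z 10.0.0.9 GET https://cloudfasterapp.com/Safari.dmg 200",
    "2025-02-01T10:00:09Z 10.0.0.5 GET https://notfastcloudcdn.com/x 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.src} -> {h.host}{h.path}  iocs={h.matched_iocs}  lure={h.lure_type or '-'}")
```

Run against the sample, the scan reports two hits: the MSI fetch from the `deski` subdomain (matching both the subdomain indicator and its parent domain) and the DMG fetch from `cloudfasterapp.com`; the look-alike `notfastcloudcdn.com` line is left alone. The lure tag is only a hint about which platform's chain from the reporting the download resembles; the host match is the actual indicator.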
Tradecraft
13 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Observables
11 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Threat cluster using TA2726 traffic to deliver payloads to macOS users, including FrigidStealer.
A copycat threat actor using fake-update style JavaScript injects and lures to distribute information-stealing malware.
Uses TA2726-delivered traffic in ClickFix-style attack chains targeting macOS users and delivering FrigidStealer.
Threat actor distributing fake browser update lures to deliver information stealers across platforms (macOS/Windows/Android).