Malware · Used by 2 actors

FrigidStealer

FrigidStealer is a macOS information-stealing malware family identified by Proofpoint in web-inject campaigns that use fake browser update lures on compromised legitimate websites. It has been associated with TA2727, with TA2726 acting as a traffic distribution service (TDS) in observed delivery chains. Proofpoint observed a macOS chain in which TA2726 redirected victims to TA2727, which then delivered FrigidStealer via fake update pages; one reported chain was summarized as TA2726 -> TA2727 ClickFix -> FrigidStealer. Campaign reporting states that macOS users outside North America were redirected to browser-themed DMG files, and that the installer carried right-click-and-open instructions, the user-driven override that lets an app Gatekeeper would otherwise block run anyway. FrigidStealer has also been described as spreading through fake software downloads and fake browser update alerts disguised as Safari or Chrome updates.

Technically, FrigidStealer has been reported as a Go-based Mach-O binary that is ad-hoc signed (signed with no developer identity, so it cannot have been notarized) and built with the Wails (WailsIO) framework, which packages a Go backend as a desktop app. It uses AppleScript and osascript to prompt the user for their password. Reported theft targets include Safari and Chrome credentials, browser cookies, stored passwords, session cookies, cryptocurrency wallet data and cryptocurrency-related files, password-related files from Desktop and Documents, Apple Notes, and, in some reporting, additional system files. One source states that it exfiltrates the stolen data using DNS queries routed via macOS mDNSResponder, then terminates itself after exfiltration and may delete traces post-execution; note that mDNSResponder is the system DNS resolver on macOS, so DNS traffic attributed to that process is expected on any Mac, and the queried names, not the requesting process, are the useful signal. Reported infrastructure includes the command-and-control domain askforupdate[.]org. Additional reporting gives the malicious app's bundle ID as com.wails.ddaolimaki-daunito; the com.wails. prefix is consistent with the default bundle-identifier template used by Wails builds.

FrigidStealer is consistently described as targeting macOS users. Reporting links it to fake update activity affecting users across North America, Europe, and Asia, and one source says the broader campaign impacted public-facing industries, particularly retail and hospitality. Separate ecosystem reporting notes FrigidStealer as a macOS payload delivered alongside other TA2727 malware families, while another source identifies it as a variant using leaked Banshee Stealer source code. High-confidence indicators and artifacts directly mentioned in the content include askforupdate[.]org and bundle ID com.wails.ddaolimaki-daunito.
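The behaviours summarized above (and the T1059.002, T1204.002 and T1041 evidence in the technique list below) expressed as simple hunt rules and run over constructed endpoint telemetry. This is an added example, not code from Proofpoint or from any other source cited on this page. The C2 domain and bundle identifier are the ones named in the reporting; the osascript "hidden answer" password-prompt heuristic, the ad-hoc-signature-plus-/Volumes/-launch-path heuristic, the com.wails. prefix check and the event field names are assumptions about how the behaviour would appear in EDR data, and every sample event is fabricated.

```python
"""Hunt heuristics for the FrigidStealer behaviours reported on this page,
run over constructed endpoint telemetry (no real captures are used)."""
import re
from dataclasses import dataclass

# Indicators named in the public reporting quoted on this page.
KNOWN_C2_DOMAINS = {"askforupdate.org"}
KNOWN_BUNDLE_IDS = {"com.wails.ddaolimaki-daunito"}

# Heuristic (assumption, not from the reporting): AppleScript masks typed
# input with "with hidden answer", so an osascript dialog that mentions a
# password or masks its answer is the usual shape of a credential prompt.
PASSWORD_PROMPT = re.compile(r"display\s+dialog.*?(hidden\s+answer|password)", re.I | re.S)


def refang(domain: str) -> str:
    """askforupdate[.]org -> askforupdate.org; lower-case; drop trailing dot."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


def domain_matches(qname: str, known: set[str]) -> bool:
    """Exact or subdomain match only, so lookalikes do not trip the rule."""
    q = refang(qname)
    return any(q == d or q.endswith("." + d) for d in known)


@dataclass
class Finding:
    technique: str   # ATT&CK ID as mapped on this page
    rule: str
    event: dict


def check_exec(ev: dict) -> list[Finding]:
    out: list[Finding] = []
    path = ev.get("path", "")
    cmd = ev.get("cmdline", "")
    bid = ev.get("bundle_id", "")
    # T1059.002: osascript putting up a masked password dialog.
    if path.endswith("/osascript") and PASSWORD_PROMPT.search(cmd):
        out.append(Finding("T1059.002", "osascript password prompt", ev))
    # T1204.002: the reported bundle id, or (assumption) any ad-hoc signed
    # Wails-style bundle launched straight off a mounted disk image, which is
    # how the fake-update DMG delivery would look at first execution.
    if bid in KNOWN_BUNDLE_IDS:
        out.append(Finding("T1204.002", "known FrigidStealer bundle id", ev))
    elif (ev.get("signature") == "adhoc" and bid.startswith("com.wails.")
          and path.startswith("/Volumes/")):
        out.append(Finding("T1204.002", "ad-hoc signed Wails app run from DMG", ev))
    return out


def check_dns(ev: dict) -> list[Finding]:
    # T1041 (as mapped on this page): resolution of the reported C2. On macOS
    # every lookup is issued by mDNSResponder, so only the qname discriminates.
    if domain_matches(ev.get("qname", ""), KNOWN_C2_DOMAINS):
        return [Finding("T1041", "DNS query to reported C2", ev)]
    return []


def scan(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        if ev.get("type") == "exec":
            findings.extend(check_exec(ev))
        elif ev.get("type") == "dns":
            findings.extend(check_dns(ev))
    return findings


# Constructed telemetry in the shape an EDR might emit; none of it is real.
SAMPLE_EVENTS = [
    {"type": "exec", "path": "/Volumes/Safari Update/Safari.app/Contents/MacOS/Safari",
     "bundle_id": "com.wails.ddaolimaki-daunito", "signature": "adhoc", "cmdline": ""},
    {"type": "exec", "path": "/usr/bin/osascript", "bundle_id": "", "signature": "platform",
     "cmdline": "osascript -e 'display dialog \"Safari needs your password to finish the update\" "
                "default answer \"\" with hidden answer'"},
    {"type": "exec", "path": "/Volumes/Chrome Update/Chrome.app/Contents/MacOS/Chrome",
     "bundle_id": "com.wails.someotherapp", "signature": "adhoc", "cmdline": ""},
    {"type": "dns", "process": "mDNSResponder", "qname": "askforupdate.org."},
    {"type": "dns", "process": "mDNSResponder", "qname": "notaskforupdate.org."},  # lookalike, must not match
    {"type": "exec", "path": "/Applications/Safari.app/Contents/MacOS/Safari",
     "bundle_id": "com.apple.Safari", "signature": "platform", "cmdline": ""},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.rule:40} {f.event.get('path') or f.event.get('qname')}")
```

Run the file directly to print the findings for the embedded sample; in practice feed it exec and DNS events exported from your EDR or the unified log. The domain matcher refangs bracketed indicators and requires an exact or subdomain match, so a lookalike such as notaskforupdate.org does not fire, and the benign platform-signed Safari launch produces nothing.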


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
TA2727

Its traffic currently also serves TA2727, which delivers different payloads to MacOS users, including FrigidStealer.

via Security Affairs (securityaffairs.com)
TA2726

USA (MacOS): TA2726 -> TA2727 ClickFix -> FrigidStealer

via Proofpoint (proofpoint.com)
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1189 Drive-by Compromise (evidence: 2)

TA569 can be considered the “grandfather” of a threat type that compromises websites and uses traffic direction systems (TDS) to redirect visitors to malware.

Execution

3 techniques
T1059.002 AppleScript (evidence: 1)

Upon execution, FrigidStealer uses Apple script files and osascript to prompt the user to enter their password, and then to gather data including browser cookies, files with extensions relevant to password material or cryptocurrency from the victim’s Desktop and Documents folders, and any Apple Notes the user has created.

T1204 User Execution (evidence: 3)

SocGholish web injects impersonate browser security updates to trick users into downloading malware... Clicking it sends a "postMessage" to a separate hidden iframe... and triggers the download.

T1204.002 Malicious File (evidence: 1)

If a Mac user outside of North America visited the compromised website from a web browser, they were redirected to a fake update page that, if the Update button was clicked, downloaded and installed an information stealer.

Persistence

1 technique
T1205 Traffic Signaling (evidence: 2)

Typically, a TA569 attack chain consists of three parts: the malicious SocGholish injects served to website visitors; a traffic distribution service (TDS) responsible for determining which user receives which payload based on a variety of filtering options...

Defense Evasion

2 techniques
T1036 Masquerading (evidence: 1)

The MSI installed and executed the legitimate and signed application “Rene.E Facebook Widget”. However, one of the bundled DLLs was trojanized with DOILoader, which was side loaded upon execution.

T1205 Traffic Signaling (evidence: 2)

Typically, a TA569 attack chain consists of three parts: the malicious SocGholish injects served to website visitors; a traffic distribution service (TDS) responsible for determining which user receives which payload based on a variety of filtering options...

Credential Access

2 techniques
T1539 Steal Web Session Cookie (evidence: 1)

Upon execution, FrigidStealer uses Apple script files and osascript to prompt the user to enter their password, and then to gather data including browser cookies...

T1555.003 Credentials from Web Browsers (evidence: 1)

“Once installed, the malware extracts browser cookies, stored passwords…”

Discovery

1 technique
T1082 System Information Discovery (evidence: 1)

The actor used filtering to determine what browser the recipient used and downloaded the payload that aligned with their browser.

Collection

1 technique
T1005 Data from Local System (evidence: 2)

Upon execution, FrigidStealer uses Apple script files and osascript to prompt the user to enter their password, and then to gather data including browser cookies, files with extensions relevant to password material or cryptocurrency from the victim’s Desktop and Documents folders, and any Apple Notes the user has created.

Command and Control

1 technique
T1205 Traffic Signaling (evidence: 2)

Typically, a TA569 attack chain consists of three parts: the malicious SocGholish injects served to website visitors; a traffic distribution service (TDS) responsible for determining which user receives which payload based on a variety of filtering options...

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

That data is added to folders in the user’s home directory and then exfiltrated to C2, askforupdate[.]org.

INDICATORS OF COMPROMISE

IOCs tracked for this family

7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full indicator values are not shown on this public page.

Network: 5 tracked (IPs, domains, and DNS infrastructure linked to this family)
Hashes: 2 tracked (file hashes, MD5 / SHA-1 / SHA-256, from samples and reports)

Type         Value       Latest sighting
domain       (redacted)  1 year ago
domain       (redacted)  1 year ago
domain       (redacted)  1 year ago
domain       (redacted)  1 year ago
hash.sha256  (redacted)  1 year ago
hash.sha256  (redacted)  1 year ago