Skip to main content
Mallory
Back to threat actors
5 malware families

TA2727

Also known asta2727

TA2727 is a previously undocumented threat actor identified in reporting on fake browser update campaigns. It is linked to the distribution of FrigidStealer and other malware for Windows and Android, and is known for using legitimate compromised websites to present scam browser update alerts as an attack vector. Reporting states that TA2727 used these fake update lures to deploy information-stealing malware to macOS devices outside the United States in late January 2025. TA2727 has been linked to FrigidStealer activity affecting users across North America, Europe, and Asia. In the reported ecosystem, TA2726 is assessed to function as a traffic provider or traffic distribution service for TA2727, including by compromising websites and injecting Keitaro TDS links for resale. TA2727 is associated with fake update-driven malware delivery rather than exploitation of software vulnerabilities.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

3 of 15 tactics4 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0002
Execution
1 technique
T1204
User Execution
TA0006
Credential Access
1 technique
T1555
Credentials from Password Stores
T1555.003
Credentials from Web Browsers
TA0009
Collection
1 technique
T1005
Data from Local System
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
FrigidStealer“FrigidStealer malware targets macOS users via fake browser updates, stealing passwords, crypto wallets, and notes using DNS-based data theft methods.”4Mar 18, 2026
Lumma StealerFor TA2727, payloads are tailored... Windows typically receives DoiLoader and LummaStealer...2Mar 18, 2026
Marcher...Android devices are redirected to a download page for the Marcher Banking Trojan.2Mar 18, 2026
DeerStealer... information stealers for other platforms such as Windows (Lumma Stealer or DeerStealer)1Mar 8, 2026
DoiLoaderFor TA2727, payloads are tailored... Windows typically receives DoiLoader and LummaStealer...1Mar 18, 2026
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

Threat actor distributing fake browser update lures to deliver information stealers across platforms (macOS/Windows/Android).

Read more
the hacker newsNews
Aug 7, 2025
SocGholish Malware Spread via Ad Tools; Delivers Access to LockBit, Evil Corp, and Others

Referenced as an activity cluster that receives traffic/redirection support from TA2726 (via compromised sites and Keitaro TDS link injection).

Read more
silentpush blogNews
Aug 6, 2025
Unmasking SocGholish: Silent Push Untangles the Malware Web behind the “Pioneer of Fake Updates” and Its Operator, TA569

Downstream actor receiving traffic from TA2726; delivers OS-tailored payloads (Windows: DoiLoader/LummaStealer; macOS: FrigidStealer; Android: Marcher).

Read more
hackreadNews
May 15, 2025
FrigidStealer Malware Hits macOS Users via Fake Safari Browser Updates

Linked to FrigidStealer activity; associated with campaigns leveraging fake browser update prompts to deliver macOS malware.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.