FrigidStealer Stealer
Cybersecurity researchers have uncovered a new campaign that uses web injects to distribute a previously unidentified macOS threat known as FrigidStealer. The campaign has been attributed to a threat actor dubbed TA2727, which has also been linked to information-stealing threats targeting Windows (Lumma Stealer, DeerStealer) and Android (Marcher).
TA2727 and Its Role in the Threat Landscape
TA2727 is known for using fake update lures to distribute various malicious payloads. It is one of the newly identified threat clusters alongside TA2726, an actor assessed to operate a malicious traffic distribution system (TDS). This system enables the spread of malware by directing compromised web traffic to threat actors such as TA2727 and TA569.
The Relationship Between TA2726 and Other Threat Actors
TA2726 plays a key role in malware distribution by acting as a TDS for both TA2727 and TA569. The latter is notorious for deploying SocGholish (also known as FakeUpdates), a JavaScript-based loader masquerading as a browser update on compromised websites. Since at least September 2022, TA2726 has facilitated traffic redirection for these financially motivated threat actors, making it an essential player in the cyber threat landscape.
Fake Updates and Geo-Targeted Payloads
Both TA2727 and TA569 distribute their threats through websites injected with malicious JavaScript. These compromised sites trick users into downloading fake browser updates for Google Chrome or Microsoft Edge. TA2727, however, takes a more tailored approach, delivering a specific payload based on the visitor's location and device type.
For instance, if a Windows user in France or the U.K. visits an infected website, they may be prompted to download an MSI installer file that launches Hijack Loader (DOILoader), which then delivers Lumma Stealer. Similarly, Android users redirected through the same scheme may unknowingly download Marcher, a notorious banking Trojan that has been active for over a decade.
Expanding the Attack to macOS Users
As of January 2025, TA2727 has expanded its campaign to target macOS users residing outside North America. These users are redirected to fraudulent update pages that trigger the download of FrigidStealer, a newly identified information stealer.
To bypass Apple's Gatekeeper security feature, the FrigidStealer installer requires users to launch the unsigned application manually. Once executed, the embedded Mach-O executable installs the threat, marking a significant escalation in macOS-targeted cybercrime.
How FrigidStealer Operates
FrigidStealer is built using the Go programming language and features ad-hoc signing. Notably, it utilizes the WailsIO project, which enables rendering content within the user's browser. This tactic enhances the illusion that the malicious installer is legitimate, increasing the likelihood of successful infection.
Once executed, FrigidStealer uses AppleScript to request the user's system password, granting it elevated privileges. With this access, the threat can harvest files, sensitive browser data, Apple Notes, and cryptocurrency-related information, posing a significant risk to affected users.
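The two behaviours described above, an ad-hoc signed app and an AppleScript password prompt, can be combined into a simple endpoint detection. The following is an added example, not code from the report or from the malware; the process-event log format and its field names (proc, cmdline, parent, parent_signing) are constructed for illustration and do not correspond to any real EDR schema.

```python
"""Detection sketch: flag osascript password prompts spawned by ad-hoc signed parents."""
import json
import re

# Constructed process-execution events, one JSON object per line.
# The field names are assumptions for this example, not a real product schema.
SAMPLE_EVENTS = """
{"proc": "osascript", "cmdline": "osascript -e 'display dialog \\"Enter your password to continue\\" default answer \\"\\" with hidden answer'", "parent": "/Volumes/Update/Updater.app/Contents/MacOS/Updater", "parent_signing": "adhoc"}
{"proc": "osascript", "cmdline": "osascript -e 'tell application \\"Finder\\" to activate'", "parent": "/Applications/Automator.app/Contents/MacOS/Automator", "parent_signing": "apple"}
{"proc": "osascript", "cmdline": "osascript -e 'display dialog \\"Confirm\\" default answer \\"\\" with hidden answer'", "parent": "/Applications/SomeTool.app/Contents/MacOS/SomeTool", "parent_signing": "developer-id"}
"""

# An AppleScript dialog that collects a hidden (masked) answer is the
# building block of a credential prompt; legitimate use of this from
# a freshly downloaded, ad-hoc signed app is rare.
PASSWORD_PROMPT = re.compile(r"display dialog.*with hidden answer", re.IGNORECASE)


def is_credential_prompt(cmdline: str) -> bool:
    """True when an osascript command line shows a masked-input dialog."""
    return bool(PASSWORD_PROMPT.search(cmdline))


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return a suspicion score and the reasons behind it for one event."""
    reasons: list[str] = []
    if event.get("proc") != "osascript" or not is_credential_prompt(event.get("cmdline", "")):
        return 0, reasons
    reasons.append("osascript displayed a hidden-answer (password) dialog")
    score = 1
    if event.get("parent_signing") == "adhoc":
        # Ad-hoc signatures carry no developer identity and are not notarized.
        reasons.append("parent binary is ad-hoc signed")
        score += 1
    return score, reasons


def detect(log_text: str, threshold: int = 2) -> list[dict]:
    """Parse JSON-lines events and return those scoring at or above threshold."""
    hits = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append({"parent": event["parent"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["score"], hit["parent"], "; ".join(hit["reasons"]))
```

Only the first constructed event is reported: the Developer ID-signed tool that shows a hidden-answer dialog scores below the threshold, which keeps legitimate password prompts from tripping the rule on their own.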
The Bigger Picture: Web-Based Malware Campaigns
The use of compromised websites as malware delivery mechanisms highlights an ongoing trend in cyber threats. Attackers are customizing payloads based on the target's operating system and geographic location, ensuring maximum impact. Although macOS systems remain less common in enterprise environments compared to Windows, this campaign reinforces the growing need for macOS users to stay vigilant against evolving cyber threats.