Analysis summary of Proofpoint's reporting on FrigidStealer. Proofpoint also identified two new threat actors operating components of web inject campaigns, TA2726 and TA2727.
# Tool/Technique: FrigidStealer
## Overview
FrigidStealer is a newly discovered information stealer explicitly targeting macOS devices. It is being distributed as part of evolving malvertising and web inject campaigns, primarily associated with threat actors originating from the TA569 ecosystem.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: macOS (the same campaigns deliver Lumma Stealer to Windows clients and Marcher to Android clients)
- Capabilities: Information stealing from macOS devices; no further capability breakdown is given in the article.
- First Seen: Detected in January 2025.
## MITRE ATT&CK Mapping
The delivery mechanism maps to initial access through compromised websites and traffic redirection, followed by user-driven execution of a fake update; exfiltration is implied by the tool's purpose rather than documented:
- **TA0001 - Initial Access**
  - **T1189 - Drive-by Compromise**
    - *Users browsing compromised websites are redirected, via a TDS, to a site serving the payload.*
- **TA0002 - Execution**
  - **T1204.002 - User Execution: Malicious File**
    - *The victim must click the "Update" lure and launch the downloaded installer.*
- **TA0005 - Defense Evasion**
  - **T1036 - Masquerading**
    - *The payload is presented as a legitimate browser or software update.*
- **TA0010 - Exfiltration**
  - **T1041 - Exfiltration Over C2 Channel**
    - *Implied by its nature as an information stealer; the article does not describe the channel.*
## Functionality
### Core Capabilities
- Targeted delivery specifically toward Mac users (outside of North America in observed campaigns).
- Delivered via fake software update lures hosted on compromised websites following web traffic redirection.
### Advanced Features
- Operates within a growing ecosystem where threat actors (TA569, TA2726, TA2727) specialize in different parts of the attack chain (e.g., traffic distribution, payload delivery).
- FrigidStealer serves as the macOS component in a multi-platform delivery scheme (Windows/Lumma Stealer, Android/Marcher).
## Indicators of Compromise
*Note: Specific hashes, file names, registry keys, or network indicators for FrigidStealer itself are not detailed in the provided text.*
- **File Hashes:** [Not specified in the article]
- **File Names:** [Not specified in the article]
- **Registry Keys:** Not applicable (macOS has no registry); persistence artifacts such as LaunchAgents are not specified in the article.
- **Network Indicators:** Traffic redirection services (TDS) operated by TA2726 on behalf of TA569 and TA2727; specific domains are not given in the article.
- **Behavioral Indicators:** Execution follows the user clicking an "Update" button on a fake software update page reached through a redirect from an unrelated site, after which the downloaded installer is launched manually.
## Associated Threat Actors
- **TA2727:** The group primarily observed delivering FrigidStealer to non-North American Mac targets.
- **TA569 (Mustard Tempest, Gold Prelude, Purple Vallhund):** The progenitor group, originally known for FakeUpdates/SocGholish, whose techniques are being leveraged or copied. Associated with Evil Corp.
- **TA2726:** Assessed to act as a Traffic Distribution Service (TDS) provider for TA569 and TA2727.
## Detection Methods
*Note: Specific details on detection signatures are not provided, but detection principles can be inferred.*
- **Signature-based detection:** Signatures for the FrigidStealer binary once analyzed.
- **Behavioral detection:** Focus on the post-redirection sequence in web proxy or EDR telemetry: a browsing session on an unrelated site, a cross-domain 3xx redirect through a TDS host, a fake update page, download of an installer-type artifact (ZIP/DMG on macOS) from a domain unrelated to the page that linked it, and a subsequent manual launch that works around Gatekeeper (the lure walks the user through opening an unsigned or ad-hoc-signed app). Password-prompt dialogs spawned by `osascript` shortly after such a launch are a further macOS-specific signal worth alerting on.
- **YARA rules:** [Not specified in the article]
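The behavioral chain described above, written out as detection logic and run over a constructed proxy log. This is an added example, not Proofpoint's detection content or anything from the article: the log format, hosts, client addresses and file names are invented, and the registrable-domain helper is a deliberate simplification. The rule requires three things per client: an installer-type download from a domain other than the page that linked it, a linking page that the client reached from a third, unrelated site, and a 3xx redirect from yet another host in between (the TDS hop). A user who reaches a vendor page from a search engine and downloads from the vendor's CDN matches the first two conditions but not the third, so it is not flagged.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed tab-separated proxy log: ts, client, method, url, status, content-type, referer, user-agent.
# Every host, address and file name here is invented for the example; none is a real indicator.
SAMPLE_LOG = """\
2025-01-21T10:00:01Z\t10.0.0.5\tGET\thttps://news.example-compromised.test/article\t200\ttext/html\t-\tMozilla/5.0 (Macintosh; Intel Mac OS X 14_2)
2025-01-21T10:00:02Z\t10.0.0.5\tGET\thttps://cdn.tds-example.test/route?c=DE\t302\ttext/html\thttps://news.example-compromised.test/article\tMozilla/5.0 (Macintosh; Intel Mac OS X 14_2)
2025-01-21T10:00:03Z\t10.0.0.5\tGET\thttps://browser-update.lure-example.test/update\t200\ttext/html\thttps://news.example-compromised.test/article\tMozilla/5.0 (Macintosh; Intel Mac OS X 14_2)
2025-01-21T10:00:20Z\t10.0.0.5\tGET\thttps://dl.payload-example.test/SafariUpdate.dmg\t200\tapplication/x-apple-diskimage\thttps://browser-update.lure-example.test/update\tMozilla/5.0 (Macintosh; Intel Mac OS X 14_2)
2025-01-21T10:05:01Z\t10.0.0.6\tGET\thttps://news.example-compromised.test/article\t200\ttext/html\t-\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-01-21T10:05:02Z\t10.0.0.6\tGET\thttps://cdn.tds-example.test/route?c=DE\t302\ttext/html\thttps://news.example-compromised.test/article\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-01-21T10:05:03Z\t10.0.0.6\tGET\thttps://browser-update.lure-example.test/update\t200\ttext/html\thttps://news.example-compromised.test/article\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-01-21T10:05:30Z\t10.0.0.6\tGET\thttps://dl.payload-example.test/ChromeUpdate.exe\t200\tapplication/octet-stream\thttps://browser-update.lure-example.test/update\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-01-21T10:10:01Z\t10.0.0.7\tGET\thttps://websearch.example-search.test/?q=editor\t200\ttext/html\t-\tMozilla/5.0 (Macintosh; Intel Mac OS X 14_2)
2025-01-21T10:10:05Z\t10.0.0.7\tGET\thttps://vendor.example.test/download\t200\ttext/html\thttps://websearch.example-search.test/?q=editor\tMozilla/5.0 (Macintosh; Intel Mac OS X 14_2)
2025-01-21T10:10:09Z\t10.0.0.7\tGET\thttps://files.vendorcdn.test/Editor.dmg\t200\tapplication/x-apple-diskimage\thttps://vendor.example.test/download\tMozilla/5.0 (Macintosh; Intel Mac OS X 14_2)
"""

# Installer-type artifacts across the platforms the campaigns target (macOS, Windows, Android).
ARTIFACT_EXT = (".dmg", ".pkg", ".zip", ".exe", ".msi", ".apk")


@dataclass
class Event:
    ts: datetime
    client: str
    host: str
    path: str
    status: int
    ref_host: str  # "" when the request carried no Referer
    ua: str


@dataclass
class Alert:
    client: str
    platform: str
    origin: str    # site the user was actually browsing (where the inject fired)
    tds: str       # host that issued the cross-site redirect
    lure: str      # fake-update page
    artifact: str  # host + path of the downloaded installer


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, client, _method, url, status, _ctype, referer, ua = line.split("\t")
        u = urlparse(url)
        ref_host = urlparse(referer).netloc if referer != "-" else ""
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            client, u.netloc, u.path, int(status), ref_host, ua))
    return events


def registrable(host):
    # Crude approximation (last two labels); a real deployment should use the public suffix list.
    return ".".join(host.split(".")[-2:])


def ua_platform(ua):
    for needle, name in (("Macintosh", "macOS"), ("Windows", "Windows"), ("Android", "Android")):
        if needle in ua:
            return name
    return "other"


def detect_fake_update_chains(log_text, window=timedelta(minutes=2)):
    by_client = defaultdict(list)
    for e in parse_log(log_text):
        by_client[e.client].append(e)
    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        for i, dl in enumerate(evs):
            # Step 1: an installer-type artifact fetched from a domain other than the page that linked it.
            if not dl.path.lower().endswith(ARTIFACT_EXT) or not dl.ref_host:
                continue
            if registrable(dl.ref_host) == registrable(dl.host):
                continue  # a vendor page linking its own CDN is not the pattern we want
            recent = [e for e in evs[:i] if dl.ts - e.ts <= window]
            # Step 2: the linking page (the lure) was itself reached from a third, unrelated site.
            lure = next((e for e in reversed(recent)
                         if e.host == dl.ref_host and e.status == 200 and e.ref_host
                         and registrable(e.ref_host) != registrable(e.host)), None)
            if lure is None:
                continue
            # Step 3: a 3xx from yet another host between the origin site and the lure: the TDS hop.
            # Ordinary navigation from a search result has no such redirect and is not flagged.
            tds = next((e for e in recent
                        if 300 <= e.status < 400 and e.ts <= lure.ts
                        and registrable(e.host) not in (registrable(lure.host), registrable(lure.ref_host))), None)
            if tds is None:
                continue
            alerts.append(Alert(client, ua_platform(dl.ua), lure.ref_host, tds.host, lure.host, dl.host + dl.path))
    return alerts


if __name__ == "__main__":
    for alert in detect_fake_update_chains(SAMPLE_LOG):
        print(alert)
```

Running it flags the two redirected clients (one macOS download of a `.dmg`, one Windows download of an `.exe`, matching the per-platform payload split the campaigns use) and leaves the direct vendor download alone. The platform field exists so that an analyst can pivot straight to the right follow-up (Gatekeeper and `osascript` activity on a Mac, Lumma-style behaviour on Windows); the real Referer and redirect hosts an organisation sees will of course differ from the constructed ones.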
## Mitigation Strategies
- **Prevention measures:** User education against acting on software update prompts encountered during general browsing, especially after being redirected from unrelated content; legitimate browsers and macOS update themselves and never require a download from a third-party page.
- **Hardening recommendations:** Obtain macOS software only through official channels (the App Store, macOS Software Update, or the vendor's own site) rather than from prompts in unverified browser sessions. Keep Gatekeeper enabled and, where devices are MDM-managed, use the system policy payloads to enforce assessment and disable the right-click "Open" override that fake-update lures rely on to get an unsigned app running. Restrict execution of newly downloaded (quarantined) files where possible, and alert on password prompts raised by `osascript` from a freshly mounted disk image.
## Related Tools/Techniques
- **FakeUpdates/SocGholish:** The JavaScript framework/loader historically used by TA569 for Windows and web inject campaigns.
- **Lumma Stealer:** Observed malware delivered by TA2727 on Windows platforms in the same campaigns.
- **Cobalt Strike:** Frequently deployed as a secondary payload following the initial loading stage of TA569-related campaigns.
- **Marcher:** Observed malware delivered by TA2727 on Android platforms.
- **Web Inject Campaigns:** The distribution methodology involving redirecting traffic to deliver specific payloads based on geography.