Alert: Dangerous FrigidStealer Malware Masquerades as Browser Updates to Attack Mac Users

New macOS Malware “FrigidStealer” Emerges in Sophisticated Multi-Platform Campaign

Cybersecurity researchers have uncovered a new malware campaign orchestrated by threat actor TA2727, introducing FrigidStealer, a sophisticated information stealer targeting macOS users. The campaign, active since September 2022, employs web injects to deliver various malware across multiple platforms.

The attack infrastructure involves TA2726, a traffic distribution system operator, working alongside TA2727 and TA569 to compromise legitimate websites. The campaign uses fake browser update prompts to distribute different malware based on geography and device type:

– Windows users in France and the UK receive Lumma Stealer via Hijack Loader
– Android users are targeted with the Marcher banking trojan
– macOS users outside North America are served FrigidStealer

FrigidStealer, the latest addition to this campaign, requires the victim to bypass Gatekeeper protections by manually launching an unsigned app. Built using WailsIO, the malware masquerades as a legitimate browser installer. Once executed, it:

– Uses AppleScript to obtain system privileges
– Harvests sensitive data from browsers
– Targets Apple Notes and cryptocurrency applications
– Collects various system files
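The Gatekeeper bypass and the behaviour list above together describe a process chain a defender can score from endpoint telemetry: an unsigned binary launched from a download location or mounted disk image, which then runs osascript and opens browser, Notes or wallet data stores. The following is an added example and is not code from the article or from the researchers it cites; the event schema, the sample events and the wallet directory are constructed assumptions standing in for whatever a real EDR or unified-log export provides.

```python
"""Triage heuristic for the execution chain the article describes: an unsigned
"browser update" app launched from a download location that invokes
osascript (AppleScript) and then reads browser, Apple Notes and wallet data.

Added example, not code from the article or its researchers. The event schema,
the sample events and the wallet directory are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """One process-execution record (constructed schema; a real EDR or
    unified-log export names these fields differently)."""
    pid: int
    ppid: int
    path: str               # executable path
    signed: bool            # valid code signature present
    notarized: bool         # accepted by Gatekeeper without a user override
    args: List[str]         # command line
    files_read: List[str]   # files the process opened for reading


# Locations a freshly downloaded installer or mounted disk image runs from.
UNTRUSTED_LAUNCH_PREFIXES = ("/Users/", "/Volumes/", "/private/tmp/", "/tmp/")

# Per-user data stores matching the targets the article names (browsers, Apple
# Notes, crypto wallets, system files). Relative to the home directory; the
# Exodus path is an assumed example wallet location, not one the article names.
SENSITIVE_PATH_FRAGMENTS = (
    "Library/Application Support/Google/Chrome/Default/Login Data",
    "Library/Application Support/Google/Chrome/Default/Cookies",
    "Library/Application Support/Firefox/Profiles/",
    "Library/Cookies/Cookies.binarycookies",
    "Library/Keychains/login.keychain-db",
    "Library/Group Containers/group.com.apple.notes/NoteStore.sqlite",
    "Library/Application Support/Exodus/",
)

ALERT_THRESHOLD = 5


def _is_sensitive(path: str) -> bool:
    return any(fragment in path for fragment in SENSITIVE_PATH_FRAGMENTS)


def assess_chain(events: List[ProcEvent]) -> Dict[int, dict]:
    """Score every root process (one whose parent is not in the event set)
    together with its descendants. Returns {root_pid: {"score", "reasons"}}."""
    known = {e.pid for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    results: Dict[int, dict] = {}
    for root in (e for e in events if e.ppid not in known):
        score, reasons = 0, []
        # Trust of the launched binary: running an unsigned app is the
        # Gatekeeper bypass the article says the victim must perform.
        if not root.signed:
            score += 3
            reasons.append("unsigned executable")
        elif not root.notarized:
            score += 2
            reasons.append("signed but not notarized")
        if root.path.startswith(UNTRUSTED_LAUNCH_PREFIXES):
            score += 1
            reasons.append(f"launched from {root.path}")

        # Behaviour of the whole process tree below the root.
        touched: set = set()
        stack, seen = [root], set()
        while stack:
            cur = stack.pop()
            if cur.pid in seen:
                continue
            seen.add(cur.pid)
            if cur is not root and cur.path.endswith("/osascript"):
                score += 2
                reasons.append(f"pid {cur.pid} ran osascript (AppleScript)")
            touched.update(f for f in cur.files_read if _is_sensitive(f))
            stack.extend(children.get(cur.pid, []))
        if touched:
            score += 2
            reasons.append("read sensitive stores: " + ", ".join(sorted(touched)))

        results[root.pid] = {"score": score, "reasons": reasons}
    return results


def flag_suspicious(events: List[ProcEvent], threshold: int = ALERT_THRESHOLD) -> List[int]:
    """Root pids whose combined score reaches the alert threshold."""
    return sorted(pid for pid, r in assess_chain(events).items() if r["score"] >= threshold)


# Constructed sample telemetry: one fake-update chain and one benign Safari launch.
HOME = "/Users/alice/"
SAMPLE_EVENTS = [
    ProcEvent(501, 1, "/Volumes/Update/ChromeUpdate.app/Contents/MacOS/ChromeUpdate",
              signed=False, notarized=False, args=["ChromeUpdate"],
              files_read=[HOME + "Library/Application Support/Google/Chrome/Default/Login Data",
                          HOME + "Library/Group Containers/group.com.apple.notes/NoteStore.sqlite",
                          HOME + "Documents/todo.txt"]),
    ProcEvent(502, 501, "/usr/bin/osascript", signed=True, notarized=True,
              args=["osascript", "-e", "<script body omitted>"], files_read=[]),
    ProcEvent(601, 1, "/Applications/Safari.app/Contents/MacOS/Safari",
              signed=True, notarized=True, args=["Safari"],
              files_read=[HOME + "Library/Cookies/Cookies.binarycookies"]),
]

if __name__ == "__main__":
    for pid, result in assess_chain(SAMPLE_EVENTS).items():
        print(pid, result["score"], "; ".join(result["reasons"]))
    print("alert on:", flag_suspicious(SAMPLE_EVENTS))
```

Trust signals and behaviour signals are scored separately so that a notarized browser reading its own cookie store (Safari in the sample) stays well under the threshold, while the unsigned installer launched from a disk image that spawns osascript and touches Chrome and Notes data crosses it. In practice the osascript check would be refined on the script content and the path list tuned to the wallets and browsers present in the fleet.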

The discovery coincides with the emergence of other Mac-targeted threats, including Tiny FUD backdoor and new information stealers like Astral Stealer and Flesh Stealer, indicating an increasing focus on macOS systems by cybercriminals.
