“Upon execution, FrigidStealer uses Apple script files and osascript to prompt the user to enter their password, and then to gather data including browser cookies, files with extensions relevant to password material or cryptocurrency from the victim’s Desktop and Documents folders, and any Apple Notes the user has created,” Proofpoint researchers added.
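The collection behaviour quoted above translates directly into a host-based detection: an osascript password prompt (AppleScript `display dialog ... with hidden answer`) followed, within the same process tree, by reads of browser cookie stores, the Apple Notes database, or credential- or wallet-looking files under Desktop and Documents. The following is an added example, not Proofpoint's code and not a reproduction of the malware; the EDR-style event format, the sample events, the `Update.app` launcher name and the extension list are constructed for illustration.

```python
"""Correlate an osascript credential prompt with follow-on data collection.

Added example: event shape, sample events and the SENSITIVE_EXT set are
assumptions for illustration, not artefacts recovered from FrigidStealer.
"""
import os
import re
from collections import defaultdict

# Constructed EDR-style events: (timestamp_s, pid, ppid, event_type, detail).
SAMPLE_EVENTS = [
    (100, 501, 1, "exec", "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"),
    (101, 501, 1, "file_read", "/Users/jdoe/Library/Application Support/Google/Chrome/Default/Cookies"),
    (200, 600, 1, "exec", "/Users/jdoe/Downloads/Update.app/Contents/MacOS/Update"),
    (201, 601, 600, "exec", "/usr/bin/osascript -e 'display dialog \"Enter your password\" default answer \"\" with hidden answer'"),
    (205, 600, 1, "file_read", "/Users/jdoe/Library/Application Support/Google/Chrome/Default/Cookies"),
    (206, 600, 1, "file_read", "/Users/jdoe/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite"),
    (207, 600, 1, "file_read", "/Users/jdoe/Documents/seed-phrase.txt"),
    (300, 700, 1, "exec", "/usr/bin/osascript -e 'display notification \"Build finished\"'"),
    (301, 700, 1, "file_read", "/Users/jdoe/Documents/report.pdf"),
]

# AppleScript GUI password prompt: the 'with hidden answer' clause masks input.
PROMPT_RE = re.compile(r"osascript.*display dialog.*with hidden answer", re.I)
# Chromium-family, Firefox and Safari cookie stores.
COOKIE_RE = re.compile(r"/(Cookies|cookies\.sqlite|Cookies\.binarycookies)$")
NOTES_RE = re.compile(r"/group\.com\.apple\.notes/NoteStore\.sqlite$")
USER_DIRS_RE = re.compile(r"^/Users/[^/]+/(Desktop|Documents)/")
# Assumed, illustrative extensions for "password material or cryptocurrency" files.
SENSITIVE_EXT = {".txt", ".kdbx", ".key", ".pem", ".wallet", ".dat", ".json"}
WINDOW_S = 60  # how long after the prompt a read still counts as follow-on


def classify_read(path):
    """Return a label for a sensitive read, or None for an uninteresting path."""
    if COOKIE_RE.search(path):
        return "browser cookie store"
    if NOTES_RE.search(path):
        return "Apple Notes database"
    if USER_DIRS_RE.match(path) and os.path.splitext(path)[1].lower() in SENSITIVE_EXT:
        return "credential/wallet-like file in Desktop or Documents"
    return None


def root_pid(pid, parents):
    """Walk the ppid chain up to the first process parented by launchd (pid 1)."""
    seen = set()
    while pid in parents and parents[pid] not in (0, 1) and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def detect(events):
    """Return one alert per credential prompt that is followed by sensitive reads
    from the same process tree within WINDOW_S seconds."""
    parents = {}
    for _, pid, ppid, _, _ in events:
        parents.setdefault(pid, ppid)
    by_tree = defaultdict(list)
    for ev in sorted(events):
        by_tree[root_pid(ev[1], parents)].append(ev)

    alerts = []
    for root, tree_events in by_tree.items():
        prompts = [e for e in tree_events if e[3] == "exec" and PROMPT_RE.search(e[4])]
        for ts, _, _, _, cmdline in prompts:
            reads = []
            for e_ts, _, _, e_type, path in tree_events:
                if e_type == "file_read" and ts <= e_ts <= ts + WINDOW_S:
                    kind = classify_read(path)
                    if kind:
                        reads.append((path, kind))
            if reads:
                alerts.append({"root_pid": root, "prompt_ts": ts, "prompt": cmdline, "reads": reads})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Chrome reading its own cookie database (pid 501) and a build script raising a plain notification (pid 700) produce no alert; only the tree under the constructed `Update` launcher, where the masked prompt is followed by cookie, Notes and Documents reads, does. In production the prompt alone is a weak signal (legitimate installers use it too), which is why the rule keys on the combination.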
The campaign also targets Windows and Android users with platform-specific payloads. TA2726, which acts as a traffic distribution system (TDS) in the attack chain, routes each visitor to a payload based on geolocation and device type. The group enables malware distributors such as TA569 and TA2727 to deliver malware by compromising legitimate websites and injecting rogue JavaScript that presents visitors with fake browser-update prompts.
For instance, in the attacks seen by Proofpoint, the TDS redirected North American visitors to TA569's SocGholish, while visitors from other regions received TA2727 payloads: Lumma Stealer (Windows), DeerStealer (Windows), FrigidStealer (macOS), and Marcher (Android).
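For a site owner, the question is whether the injected JavaScript described above is present on their own pages. The following is an added example, not Proofpoint's code or anything recovered from the campaign: it parses a page and flags external scripts loaded from hosts outside a per-site allowlist, and inline scripts that fingerprint the visitor (`navigator.userAgent`, `navigator.platform`, `navigator.language`) and then redirect or rewrite the page, which is the client-side half of selecting a payload by device type. The sample page, the `.invalid` hostnames, the allowlist and the regex heuristics are all constructed assumptions.

```python
"""Flag injected or fingerprinting scripts in a page's HTML.

Added example with constructed sample data and heuristic regexes; the
hostnames and allowlist are placeholders, not indicators from the campaign.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one same-origin script, one allowlisted CDN, one unknown
# third-party script, one inline fingerprint-and-redirect, one benign inline.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-cdn.net/jquery.min.js"></script>
<script src="//static.example-attacker.invalid/u.js"></script>
<script>
  var ua = navigator.userAgent;
  if (/Macintosh/.test(ua)) { window.location = "https://example-attacker.invalid/update/mac"; }
  else if (/Android/.test(ua)) { window.location.replace("https://example-attacker.invalid/update/android"); }
</script>
<script>console.log("analytics ok");</script>
</head><body></body></html>"""

FINGERPRINT_RE = re.compile(r"navigator\.(userAgent|platform|language)", re.I)
# Assignment to location (not comparison), location.replace/assign, or document.write.
REDIRECT_RE = re.compile(
    r"(\blocation\s*(\.href)?\s*=(?!=)|location\.(replace|assign)\(|document\.write\()", re.I
)


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_page(html, page_url, allowed_hosts):
    """Return findings for scripts that do not belong on the page."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname or page_host  # relative src is same-origin
        if host != page_host and host not in allowed_hosts:
            findings.append({"type": "external", "host": host, "src": src})
    for body in collector.inline:
        if FINGERPRINT_RE.search(body) and REDIRECT_RE.search(body):
            findings.append({"type": "inline", "snippet": " ".join(body.split())[:80]})
    return findings


if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, "https://www.example.com/index.html", {"cdn.example-cdn.net"}):
        print(finding)
```

Run this against the HTML the server actually returns to a browser-like User-Agent, not the files on disk alone: injections of this kind are frequently served conditionally, so a fetch from a scanner UA or a non-targeted region can come back clean. The allowlist has to be maintained per site; the inline heuristic will also match legitimate device-detection code, so treat its hits as review items rather than verdicts.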