Executive Summary
FrigidStealer is a stealer that targets macOS devices. It has been active since at least late 2024 and is delivered via web injection campaigns.
Key Takeaways
- FrigidStealer is a stealer that targets macOS devices.
- FrigidStealer has been active since at least late 2024 and is delivered via web injection campaigns.
- At least two threat actor groups, TA2727 and TA2726, are involved in the distribution of FrigidStealer.
- It is capable of stealing information from multiple sources, including web browsers, Apple Notes, and cryptocurrency-related apps.
- PolySwarm analysts consider FrigidStealer to be an emerging threat.
What is FrigidStealer?
FrigidStealer is a stealer that targets macOS devices. It has been active since at least late 2024 and is delivered via web injection campaigns. The activity has primarily targeted users in France and the UK. Proofpoint recently reported on FrigidStealer.
FrigidStealer is written in Go. It uses AppleScript to attempt to trick the victim into entering their system password. It is capable of stealing information from multiple sources, including web browsers, Apple Notes, and cryptocurrency-related apps. PolySwarm analysts consider FrigidStealer to be an emerging threat.
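The report states that FrigidStealer uses an AppleScript prompt to coax the victim into typing their system password but does not reproduce the script. The following detection sketch is an added example, not PolySwarm's or Proofpoint's code: it runs over constructed process-execution records and flags osascript invocations that build a masked-input dialog (assumed here to be the common `display dialog ... with hidden answer` pattern) or a dialog whose text asks for a password.

```python
import re

# Constructed sample process-execution records (not real telemetry), one per line,
# in the form "<timestamp> ppid=<n> pid=<n> user=<name> cmd=<command line>".
SAMPLE_LOG = """\
2025-02-18T10:01:02Z ppid=412 pid=9001 user=alice cmd=/usr/bin/osascript -e 'display dialog "macOS needs your password to continue" default answer "" with hidden answer with icon caution'
2025-02-18T10:01:05Z ppid=1 pid=9002 user=alice cmd=/usr/bin/osascript -e 'display notification "Backup complete"'
2025-02-18T10:02:11Z ppid=9001 pid=9003 user=alice cmd=/bin/sh -c 'osascript -e "display dialog \\"Enter your password\\" default answer \\"\\" with hidden answer"'
2025-02-18T10:03:00Z ppid=700 pid=9004 user=bob cmd=/usr/bin/osascript /Users/bob/scripts/cleanup.scpt
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) ppid=(?P<ppid>\d+) pid=(?P<pid>\d+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$"
)


def parse_record(line):
    """Split one record into its fields; returns None for lines that do not match."""
    m = RECORD_RE.match(line)
    return m.groupdict() if m else None


def classify(cmd):
    """Return a reason string if the command line looks like an AppleScript
    credential prompt, else None."""
    if "osascript" not in cmd or not re.search(r"display\s+dialog", cmd):
        return None
    # A masked text field is the usual building block of a fake password prompt.
    if re.search(r"with\s+hidden\s+answer", cmd):
        return "hidden-answer dialog: masked input field, the usual password-prompt pattern"
    # Weaker signal: the dialog text itself asks for a password.
    if re.search(r"password", cmd, re.IGNORECASE):
        return "dialog text asks for a password"
    return None


def scan(log_text):
    """Run classify() over every record and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        reason = classify(rec["cmd"])
        if reason:
            findings.append({"pid": int(rec["pid"]), "ppid": int(rec["ppid"]),
                             "user": rec["user"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

In real telemetry the parent process (here the pid 9001 dialog spawned from an unrelated ppid, and the pid 9003 shell chained to it) is the field worth pivoting on, since a legitimate installer rarely prompts for credentials through osascript.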
Distribution Method
Proofpoint has observed multiple threat actors using malicious website injects to deliver malware. The delivery method, which was used in the recent campaign to deliver FrigidStealer, works as follows:
- Malicious injects served: Malicious injects are served to visitors of a website, often in the form of malicious JavaScript.
- Traffic Distribution Service (TDS): A traffic distribution service determines which user receives a particular payload, based on a variety of parameters established by the threat actors.
- Payload delivery: The script downloads the malicious payload to the victim's machine.
Threat Actors Involved
Different parts of the attack chain can be managed by different threat actors. In this campaign, multiple groups were involved.
TA2727
TA2727 is a previously undocumented, financially motivated threat actor group. In the campaign, they distributed FrigidStealer payloads to macOS systems, as well as the Marcher banking trojan to Android devices and Lumma Stealer or DeerStealer to Windows machines. The threat actor is known to use fake update-themed lures to distribute malicious payloads. In this campaign, they used fake Safari and Chrome browser updates to target potential victims.
TA2726
TA2726 is a financially motivated threat actor group. They serve as a TDS operator, providing traffic distribution services for other threat actors to use. The group has been active since at least September 2022. They operate the TDS used by TA2727 in the campaign mentioned above. They also provide TDS services to the threat actor group TA569, which is known to distribute SocGholish.
IOCs
PolySwarm has multiple samples associated with this activity.
e1202c017c76e06bfa201ad6eb824409c2529e887bdaf128fc364bdbc9e1e214
274efb6bb2f95deb7c7f8192919bf690d69c3f3a441c81fe2a24284d5f274973
You can use the following CLI command to search for all associated samples in our portal:
$ polyswarm link list -f FrigidStealer