TA2727, also tracked as Web Inject Distributor, is an advanced persistent threat group attributed to eCrime and active since 2024. The group primarily targets users across multiple platforms by way of compromised websites.
Overview & Attribution
Threat actor distributing platform-specific payloads via web injects and fake browser updates, delivering FrigidStealer on macOS, Marcher on Android, and Lumma on Windows.
TA2727 has been active since 2024 and is attributed to eCrime. The group is known for targeting users across multiple platforms via compromised websites, using a combination of custom malware, living-off-the-land techniques, and sophisticated social engineering.
- Attribution: eCrime
- Active since: 2024
- Primary targets: users on multiple platforms (macOS, Android, Windows) reached via compromised websites
- Also known as: Web Inject Distributor
Arsenal & Tools
TA2727 employs a diverse arsenal of custom and shared tooling:
- FrigidStealer (macOS): information stealer served to macOS visitors through the fake browser update lure; used for browser credential theft (see the ATT&CK mapping below)
- Marcher (Android): Android banking trojan served to Android visitors
- Lumma (Windows): Windows information stealer (LummaC2) served to Windows visitors
Targeting & Operations
The group focuses on users reached via compromised websites across multiple platforms, with operations spanning multiple geographic regions. Their campaigns typically involve carefully crafted spearphishing, strategic watering holes, and exploitation of public-facing applications.
TA2727 is characterized by persistent, long-term access operations. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1189 Drive-by Compromise | Fake browser update pages |
| Execution | T1204.002 Malicious File | User installs fake update |
| Defense Evasion | T1036 Masquerading | Mimics browser update UI |
| Credential Access | T1555.003 Browser Credentials | FrigidStealer credential theft |
| Collection | T1005 Data from Local System | Multi-platform data theft |
| Command and Control | T1071.001 Web Protocols | HTTPS C2 |
Notable Campaigns
TA2727 has been linked to multiple significant campaigns targeting users of compromised websites across multiple platforms. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.
- Long-term espionage: Multi-year intrusions into government and defense networks
- Supply chain targeting: Compromise of technology providers and managed service providers
- Zero-day exploitation: Use of previously unknown vulnerabilities for initial access
Detection & Defense
- Threat intelligence integration: Monitor for known TA2727 IOCs and TTPs in SIEM/EDR platforms
- Network monitoring: Detect C2 patterns associated with FrigidStealer (macOS) and related tooling
- Email security: Implement advanced phishing detection for spearphishing campaigns
- Endpoint detection: Deploy behavioral detection rules for known TA2727 TTPs
- Patch management: Prioritize patching of vulnerabilities known to be exploited by this group
- Lateral movement detection: Monitor for suspicious authentication patterns and admin tool usage
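As an added detection example (not part of the original profile), the script below runs over constructed web-proxy log lines and flags installer downloads whose filename masquerades as a browser update but comes from a host outside a vendor allowlist, then reports hosts that hand out payloads for more than one platform, which is the per-platform delivery pattern described above. The log layout, allowlist and filename pattern are assumptions to be tuned for your environment.

```python
import re

# Installer extensions mapped to the platform each payload targets (mirrors the macOS/Android/Windows split above).
PLATFORM_EXT = {"dmg": "macOS", "pkg": "macOS", "apk": "Android", "exe": "Windows", "msi": "Windows"}
# Filenames that impersonate a browser update; constructed pattern, tune to taste.
LURE_RE = re.compile(r"(chrome|firefox|safari|edge|browser)[-_ ]?(update|installer|setup)", re.I)
# Hosts that legitimately serve browser installers (assumption: adjust for your environment).
VENDOR_ALLOWLIST = {"dl.google.com", "download.mozilla.org"}
# Hypothetical proxy log layout: ts src "METHOD url" status "user-agent"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "(?:GET|POST) (?P<url>\S+)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def ua_platform(ua):
    """Coarse client platform from the User-Agent, the same signal a web inject keys on."""
    for needle, name in (("Android", "Android"), ("Macintosh", "macOS"), ("Windows", "Windows")):
        if needle in ua:
            return name
    return "unknown"


def find_fake_updates(lines):
    """Return successful downloads of browser-update-named installers from non-vendor hosts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        host = m["url"].split("/")[2].lower()
        fname = m["url"].rsplit("/", 1)[-1].split("?")[0]
        ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        if ext not in PLATFORM_EXT or host in VENDOR_ALLOWLIST or not LURE_RE.search(fname):
            continue
        hits.append({"src": m["src"], "host": host, "file": fname,
                     "payload_platform": PLATFORM_EXT[ext], "client_platform": ua_platform(m["ua"])})
    return hits


def multi_platform_hosts(hits):
    """Hosts serving payloads for more than one platform: a strong sign of per-platform lure delivery."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["payload_platform"])
    return {host: plats for host, plats in by_host.items() if len(plats) > 1}


# Constructed sample log lines (not real traffic): one benign vendor download, three lures, one PDF.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 "GET https://dl.google.com/chrome/install/ChromeSetup.dmg" 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3)"
2024-03-01T10:02:11Z 10.0.0.5 "GET https://cdn.lure.example/files/Chrome_Update.dmg" 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3)"
2024-03-01T10:03:30Z 10.0.0.9 "GET https://cdn.lure.example/files/ChromeUpdate.apk" 200 "Mozilla/5.0 (Linux; Android 13)"
2024-03-01T10:04:02Z 10.0.0.12 "GET https://cdn.lure.example/files/Browser-Update.exe" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-03-01T10:05:00Z 10.0.0.12 "GET https://static.example/report.pdf" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""
```

Call `find_fake_updates(SAMPLE_LOG.splitlines())` and pass the result to `multi_platform_hosts` to see the three lures and the single host serving all three platforms.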
Defend Against TA2727
Mjolnir Security provides specialized capabilities to detect and respond to TA2727 operations.
- APT Threat Hunting: Proactive hunting for TA2727 TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence: Continuous monitoring of TA2727 campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response: Rapid containment and forensic investigation. Call +1 833 403 5875.