A new macOS information stealer named Infinity Stealer is being delivered through an attack chain that combines ClickFix social engineering with a Python payload compiled to a native binary by the open-source Nuitka compiler.
Attack Overview
According to Malwarebytes researchers, this marks the first documented macOS campaign combining ClickFix delivery with a Python-based infostealer compiled using Nuitka.
The lure is a fake CAPTCHA page styled as Cloudflare's human-verification check. Instead of solving a challenge, the victim is told to copy a base64-obfuscated curl one-liner and paste it into the macOS Terminal. Because the victim runs the command themselves, nothing in the chain looks like a downloaded application launch, so the Gatekeeper prompts that would normally accompany one never appear.
Why Nuitka Makes Detection Harder
Unlike PyInstaller, which packs the interpreter together with .pyc bytecode that an extractor and a bytecode decompiler can turn back into readable source, Nuitka translates the Python source into C and builds it with a native compiler, producing an ordinary Mach-O executable. This approach:
- Eliminates the bytecode layer that PyInstaller bundles expose
- Makes static analysis significantly more difficult, since module logic is now machine code
- Increases resistance to reverse engineering, because the original Python is not recoverable from the binary
- Produces a genuine native binary that sidesteps detection rules written for PyInstaller-style bundles
The binary still links the CPython runtime, so imported module names and constant strings remain visible to a reverser; what is lost is the cheap bytecode-to-source path.
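The difference matters at triage time: a PyInstaller bundle carries a trailer cookie that tells you where the archive and its table of contents sit, while a Nuitka build gives you only a native image to work from. The following Python triage helper is an added example for this article, not Malwarebytes' tooling. The PyInstaller cookie layout is the real CArchive trailer format; the Nuitka marker strings and the two sample byte strings are constructed assumptions that you should confirm against your own compiled samples before relying on them.

```python
"""Triage a Mach-O: PyInstaller bundle (bytecode recoverable) or Nuitka build (native)?

Added example, not Malwarebytes' code. PYI_COOKIE is the real CArchive trailer;
NUITKA_MARKERS and the SAMPLE_* bytes are assumptions for demonstration.
"""
import struct

MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC (universal binary)
}

# PyInstaller appends a CArchive whose trailing cookie is:
# magic, package length, TOC offset, TOC length, Python version (e.g. 311), pylib name.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
PYI_COOKIE = struct.Struct("!8sIIii64s")

# Assumption: strings a Nuitka onefile bootstrap / compiled module tends to leave behind.
NUITKA_MARKERS = (b"NUITKA_ONEFILE_PARENT", b"__compiled__", b"Nuitka")


def parse_pyinstaller_cookie(data):
    """Return the decoded cookie as a dict if a PyInstaller trailer is present, else None."""
    pos = data.rfind(PYI_MAGIC)
    if pos < 0 or pos + PYI_COOKIE.size > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = PYI_COOKIE.unpack_from(data, pos)
    return {"pkg_len": pkg_len, "toc_off": toc_off, "toc_len": toc_len,
            "python": f"{pyvers // 100}.{pyvers % 100}",
            "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace")}


def classify(data):
    """Classify one file's bytes as 'pyinstaller', 'nuitka' or 'unknown', with evidence."""
    verdict = {"macho": data[:4] in MACHO_MAGICS, "kind": "unknown", "evidence": {}}
    cookie = parse_pyinstaller_cookie(data)
    if cookie:
        verdict["kind"] = "pyinstaller"
        verdict["evidence"] = cookie          # TOC is walkable; .pyc entries can be dumped
        return verdict
    hits = [m.decode() for m in NUITKA_MARKERS if m in data]
    if hits:
        verdict["kind"] = "nuitka"
        verdict["evidence"] = {"strings": hits}   # no bytecode layer: expect native RE work
    return verdict


def scan(path):
    """Classify a file on disk."""
    with open(path, "rb") as f:
        return classify(f.read())


# Constructed stand-ins for the two cases (real builds are megabytes; the layout is the point).
SAMPLE_PYINSTALLER = (b"\xcf\xfa\xed\xfe" + b"\x00" * 64 + b"PYZ-00.pyz"
                      + PYI_COOKIE.pack(PYI_MAGIC, 4096, 1024, 512, 311,
                                        b"Python".ljust(64, b"\x00")))
SAMPLE_NUITKA = (b"\xcf\xfa\xed\xfe" + b"\x00" * 64
                 + b"NUITKA_ONEFILE_PARENT\x00__compiled__\x00")

if __name__ == "__main__":
    print(classify(SAMPLE_PYINSTALLER))
    print(classify(SAMPLE_NUITKA))
```

On a real PyInstaller sample the cookie's TOC offset is where you point an extractor; on a Nuitka sample the "evidence" list is only a hint that you are looking at compiled Python, and the next step is a disassembler rather than a decompiler.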
Technical Attack Chain
The infection begins on the malicious domain update-check[.]com, where victims land on a page posing as a Cloudflare verification step. The multi-stage attack proceeds as follows:
- Stage 1: The ClickFix lure delivers a base64-encoded curl command for the victim to paste into Terminal
- Stage 2: The bash script fetched by that command writes the Nuitka loader (an 8.6 MB Mach-O binary) to /tmp
- Stage 3: The quarantine flag (the com.apple.quarantine extended attribute) is removed and the loader is started via nohup so it survives the Terminal session
- Stage 4: The loader unpacks a 35 MB zstd-compressed archive containing the Infinity Stealer payload
Data Theft Capabilities
Before executing its data collection routines, the malware performs anti-analysis checks to detect virtualized or sandboxed environments. Once verified as running on a real system, Infinity Stealer harvests:
- Browser credentials from Chromium-based browsers and Firefox
- macOS Keychain entries containing saved passwords and certificates
- Cryptocurrency wallet data
- Developer secrets from plaintext files like .env configurations
- Screenshots capturing current user activity
Exfiltration and Command-and-Control
All stolen data is sent to the command-and-control (C2) server in HTTP POST requests. The operators receive a Telegram notification when a collection run completes, so harvested credentials can be used or sold quickly.
Defensive Recommendations
This campaign shows macOS-targeted threats adopting the same delivery and evasion tricks seen on Windows. Security teams should:
- Train users never to paste Terminal commands from web pages, and to treat any "verification" step that asks for Terminal as malicious
- Monitor for processes executing from /tmp, especially ones launched via nohup from a Terminal-spawned shell
- Alert on removal of the com.apple.quarantine attribute (xattr -d or xattr -c) from freshly written files
- Add endpoint detection for Nuitka-compiled binaries rather than relying on PyInstaller-specific signatures
- Block known malicious domains, including update-check[.]com, at the network level
- Watch for unusual HTTP POST traffic from endpoints, the channel used here for exfiltration
The emergence of malware like Infinity Stealer confirms that threats to macOS users continue to evolve, pairing compiler-level evasion with proven social engineering.
Source: Malwarebytes
