Infinity Stealer: New macOS Infostealer Uses ClickFix and Nuitka Compilation to Evade Detection

A sophisticated new information-stealing malware named Infinity Stealer has emerged targeting macOS systems, combining the increasingly popular ClickFix social engineering technique with advanced evasion capabilities through Nuitka compilation.

According to Malwarebytes research, this represents the first documented macOS campaign combining ClickFix delivery with a Python-based infostealer compiled using Nuitka—a technique that produces native binaries far more resistant to analysis than traditional PyInstaller packages.

How the Attack Works

The attack chain begins with a fake Cloudflare human verification page hosted on update-check[.]com. Victims are tricked into pasting a base64-obfuscated curl command directly into macOS Terminal—a hallmark of the ClickFix technique that bypasses traditional OS-level security controls.

Once executed, the command:

  • Decodes a Bash script that writes the Nuitka loader to /tmp
  • Removes the quarantine flag to bypass Gatekeeper
  • Executes the payload via nohup
  • Passes C2 and authentication tokens via environment variables
  • Deletes itself and closes the Terminal window

Why Nuitka Matters

The use of Nuitka compilation represents a significant evolution in macOS malware. Unlike PyInstaller, which bundles Python with bytecode that analysts can often decompile, Nuitka compiles Python scripts into C code and produces genuine native Mach-O binaries.

The resulting 8.6 MB binary contains a 35 MB zstd-compressed archive with the final Infinity Stealer payload—making static analysis and signature-based detection considerably more difficult.

Data Theft Capabilities

The malware performs anti-analysis checks before harvesting:

  • Browser credentials from Chromium-based browsers and Firefox
  • macOS Keychain entries
  • Cryptocurrency wallets
  • Developer secrets from .env files and similar plaintext configurations
  • Screenshots of the victim’s desktop

Stolen data is exfiltrated via HTTP POST requests to command-and-control infrastructure, with Telegram notifications alerting threat actors upon successful data theft.

Key Takeaways for Defenders

  • User awareness is critical: Never paste commands from websites into Terminal without understanding them fully
  • Monitor Terminal execution: ClickFix attacks rely on user interaction—behavioral monitoring can help detect suspicious Terminal activity
  • Watch for quarantine bypass: xattr -d com.apple.quarantine commands are a red flag
  • macOS is not immune: The sophistication of Infinity Stealer proves that Apple systems face advanced, targeted threats
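As an added illustration of the "monitor Terminal execution" and "watch for quarantine bypass" points above (example code written for this page, not Malwarebytes' or BleepingComputer's), the following Python triage script scores shell history or command-line log entries against the indicators the article describes: base64 decoded straight into a shell, curl piped to a shell, quarantine attribute removal, and a nohup launch from /tmp. The rule weights, the threshold and the sample lines are constructed assumptions, not values from the campaign.

```python
"""Heuristic triage of macOS shell command lines for ClickFix-style indicators.
Added example; rule weights, threshold and sample lines are constructed."""
from __future__ import annotations
import re

# (rule name, regex, weight). Weights are assumptions, tuned so that any
# single indicator from the described chain reaches the threshold.
RULES = [
    # "echo <b64> | base64 -d | bash": decoded blob executed without review
    ("base64_to_shell", re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b.*\|\s*(?:ba|z)?sh\b"), 3),
    # remote content piped directly into a shell
    ("curl_to_shell", re.compile(r"\bcurl\b.*\|\s*(?:ba|z)?sh\b"), 2),
    # Gatekeeper bypass: stripping the quarantine attribute (-d, -rd, ...)
    ("quarantine_strip", re.compile(r"\bxattr\s+-\w*d\w*\s+com\.apple\.quarantine"), 3),
    # detached execution of a freshly dropped binary from a temp directory
    ("nohup_tmp_exec", re.compile(r"\bnohup\b.*(?:/tmp|/var/tmp|/private/tmp)/\S+"), 2),
]
THRESHOLD = 2  # assumption: one indicator is enough to surface a line for review


def score_command(cmd: str) -> tuple[int, list[str]]:
    """Return (total weight, names of matching rules) for one command line."""
    hits = [name for name, rx, _ in RULES if rx.search(cmd)]
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits


def triage(lines: list[str]) -> list[tuple[str, int, list[str]]]:
    """Return (line, score, hits) for every line scoring at or above THRESHOLD."""
    flagged = []
    for line in lines:
        score, hits = score_command(line)
        if score >= THRESHOLD:
            flagged.append((line, score, hits))
    return flagged


# Constructed sample history: three benign lines, then three modelled on the
# chain described in the article (placeholder blob, host and token).
SAMPLE_HISTORY = [
    "brew update && brew upgrade",
    "curl -sSL https://example.com/file.tar.gz -o file.tar.gz",
    "xattr -l ~/Downloads/report.pdf",
    "echo '<base64 blob>' | base64 -d | bash",
    "xattr -d com.apple.quarantine /tmp/loader",
    "C2_HOST=placeholder.invalid TOKEN=REDACTED nohup /tmp/loader >/dev/null 2>&1 &",
]

if __name__ == "__main__":
    for line, score, hits in triage(SAMPLE_HISTORY):
        print(f"[{score}] {', '.join(hits)}: {line}")
```

Run it against a user's shell history or an EDR command-line feed to surface lines worth a closer look; a single Terminal session that trips several of these rules in sequence matches the chain described in the article.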

Source: BleepingComputer