Infinity Stealer: New macOS Malware Uses ClickFix Lures and Nuitka-Compiled Python Payload

acint3 weeks ago02 mins

Security researchers at Malwarebytes have uncovered a new macOS infostealer called Infinity Stealer that combines the ClickFix social engineering technique with a Python payload compiled using the open-source Nuitka compiler — a first for documented macOS malware campaigns.

Why Nuitka Matters

Unlike PyInstaller, which bundles Python with bytecode that analysts can often extract and decompile, Nuitka compiles Python scripts into native C code, producing a true native binary. This makes the malware significantly harder to analyze through static reverse engineering and helps it evade detection.

The resulting 8.6 MB Mach-O binary contains a 35MB zstd-compressed archive housing the final payload: Infinity Stealer.

Attack Chain: From Fake CAPTCHA to Full Compromise

The attack begins with a ClickFix lure hosted on update-check[.]com:

Fake CAPTCHA: Victims encounter a fake Cloudflare human verification challenge
Malicious Command: Users are instructed to paste a base64-obfuscated curl command into macOS Terminal
Stage 2 Loader: The command decodes a Bash script that writes the Nuitka loader to /tmp, removes the quarantine flag, and executes it
Payload Delivery: The loader deploys Infinity Stealer (UpdateHelper.bin) with C2 connection details passed via environment variables

Data Harvesting Capabilities

After performing anti-VM/sandbox checks, Infinity Stealer targets:

Credentials from Chromium-based browsers and Firefox
macOS Keychain entries
Cryptocurrency wallets
Plaintext secrets in developer files (e.g., .env)
Screenshots

All stolen data is exfiltrated via HTTP POST to the C2 server, with a Telegram notification sent to the threat actors upon completion.

Defensive Recommendations

Never paste Terminal commands from websites — This is the core ClickFix vector
Verify CAPTCHAs carefully — Legitimate Cloudflare challenges never require Terminal commands
Enable macOS Gatekeeper — Helps prevent execution of unsigned code
Monitor for suspicious /tmp activity — Malware often stages payloads here
Use credential managers with MFA — Reduces impact if browser credentials are stolen

Source

For the full technical analysis including indicators of compromise, see: Malwarebytes Threat Intelligence

Additional coverage: BleepingComputer

Related News

Name	Size	Date
AsyncRAT-loader-URL-Check.txt AsyncRAT loader URL Check.txt text/plainAsyncRAT loader URL Check.txt Open Download Copy Link 2.46 KB 2024-01-12 January 12, 2024 2024-01-07 January 7, 2024	2.46 KB	January 7, 2024
AsyncRAT-loader-hashes.txt AsyncRAT loader hashes.txt text/plainAsyncRAT loader hashes.txt Open Download Copy Link 662 B 2024-01-12 January 12, 2024 2024-01-07 January 7, 2024	662 B	January 7, 2024
Hackers-Modifying-Registry-Keys-to-Establish-Persistence-via-Scheduled-Tasks.txt Hackers Modifying Registry Keys to Establish Persistence via Scheduled Tasks.txt text/plainHackers Modifying Registry Keys to Establish Persistence via Scheduled Tasks.txt Open Download Copy Link 945 B 2024-01-12 January 12, 2024 2024-01-06 January 6, 2024	945 B	January 6, 2024
Hackers-target-Apache-RocketMQ-servers-vulnerable-to-RCE-attack.txt Hackers target Apache RocketMQ servers vulnerable to RCE attack.txt text/plainHackers target Apache RocketMQ servers vulnerable to RCE attack.txt Open Download Copy Link 77 B 2024-01-12 January 12, 2024 2024-01-05 January 5, 2024	77 B	January 5, 2024
IOC-and-TTPs-Backdoor_Win32-Carbanak-Anunak-Named-Pipe-Null-DACL.txt IOC and TTPs Backdoor.Win32 Carbanak (Anunak) - Named Pipe Null DACL.txt text/plainIOC and TTPs Backdoor.Win32 Carbanak (Anunak) - Named Pipe Null DACL.txt Open Download Copy Link 5.02 KB 2024-01-12 January 12, 2024 2024-01-11 January 11, 2024	5.02 KB	January 11, 2024
IOCs-Chapter-84-In-depth-analysis-and-technical-analysis-of-LockBit-the-top-encryption-ransomware-organization-Part-1.txt IOCs Chapter 84 In-depth analysis and technical analysis of LockBit the top encryption ransomware organization Part 1.txt text/plainIOCs Chapter 84 In-depth analysis and technical analysis of LockBit the top encryption ransomware organization Part 1.txt Open Download Copy Link 236 B 2024-01-12 January 12, 2024 2024-01-07 January 7, 2024	236 B	January 7, 2024
IOCs-and-TTPs-Financially-motivated-threat-actors-misusing-App-Installer.txt IOCs and TTPs Financially motivated threat actors misusing App Installer.txt text/plainIOCs and TTPs Financially motivated threat actors misusing App Installer.txt Open Download Copy Link 7.26 KB 2024-01-12 January 12, 2024 2024-01-09 January 9, 2024	7.26 KB	January 9, 2024
IOCs-and-TTPs_-Analysis-of-OT-cyberattacks-and-malwares.txt IOCs and TTPs_ Analysis of OT cyberattacks and malwares.txt text/plainIOCs and TTPs_ Analysis of OT cyberattacks and malwares.txt Open Download Copy Link 8.82 KB 2024-01-12 January 12, 2024 2024-01-09 January 9, 2024	8.82 KB	January 9, 2024
IOCs-and-Yara-Hundreds-of-Thousands-of-Dollars-Worth-of-Solana-Cryptocurrency-Assets-Stolen-in-Recent-CLINKSINK-Drainer-Campaigns.txt IOCs and Yara Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns.txt text/plainIOCs and Yara Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns.txt Open Download Copy Link 1.38 KB 2024-01-12 January 12, 2024 2024-01-11 January 11, 2024	1.38 KB	January 11, 2024
IOCs-and-other-AsyncRat.txt IOCs and other AsyncRat.txt text/plainIOCs and other AsyncRat.txt Open Download Copy Link 1.04 KB 2024-01-12 January 12, 2024 2024-01-07 January 7, 2024	1.04 KB	January 7, 2024
IOCs-Deceptive-Cracked-Software-Spreads-Lumma-Variant-on-YouTube.txt IOCs Deceptive Cracked Software Spreads Lumma Variant on YouTube.txt text/plainIOCs Deceptive Cracked Software Spreads Lumma Variant on YouTube.txt Open Download Copy Link 1.16 KB 2024-01-12 January 12, 2024 2024-01-08 January 8, 2024	1.16 KB	January 8, 2024
IOCs-DreamBus-Unleashes-Metabase-Mayhem-With-New-Exploit-Module.txt IOCs DreamBus Unleashes Metabase Mayhem With New Exploit Module.txt text/plainIOCs DreamBus Unleashes Metabase Mayhem With New Exploit Module.txt Open Download Copy Link 1.65 KB 2024-01-12 January 12, 2024 2024-01-11 January 11, 2024	1.65 KB	January 11, 2024
IOCs-Hide-and-Seek-in-Windows-Closet-Unmasking-the-WinSxS-Hijacking-Hideout.txt IOCs Hide and Seek in Windows' Closet Unmasking the WinSxS Hijacking Hideout.txt text/plainIOCs Hide and Seek in Windows' Closet Unmasking the WinSxS Hijacking Hideout.txt Open Download Copy Link 415 B 2024-01-12 January 12, 2024 2024-01-05 January 5, 2024	415 B	January 5, 2024
IOCs-TTPs-and-yara-Opening-a-Can-of-Whoop-Ads-Detecting-and-Disrupting-a-Malvertising-Campaign-Distributing-Backdoors.txt IOCs TTPs and yara Opening a Can of Whoop Ads Detecting and Disrupting a Malvertising Campaign Distributing Backdoors.txt text/plainIOCs TTPs and yara Opening a Can of Whoop Ads Detecting and Disrupting a Malvertising Campaign Distributing Backdoors.txt Open Download Copy Link 15.56 KB 2024-01-12 January 12, 2024 2024-01-09 January 9, 2024	15.56 KB	January 9, 2024
IOCs-Tackling-Anti-Analysis-Techniques-of-GuLoader-and-RedLine-Stealer.txt IOCs Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer.txt text/plainIOCs Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer.txt Open Download Copy Link 143 B 2024-01-12 January 12, 2024 2024-01-05 January 5, 2024	143 B	January 5, 2024
Prior-to-Cyber-Attack-Russian-Attackers-Spent-Months-Inside-the-Ukraine-Telecoms-Giant.txt Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant.txt text/plainPrior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant.txt Open Download Copy Link 168 B 2024-01-12 January 12, 2024 2024-01-07 January 7, 2024	168 B	January 7, 2024
yara-rules-from-100-Days-of-Yara-and-other-infor.txt yara rules from 100 Days of Yara and other infor.txt text/plainyara rules from 100 Days of Yara and other infor.txt Open Download Copy Link 49.69 KB 2024-01-12 January 12, 2024 2024-01-05 January 5, 2024	49.69 KB	January 5, 2024
Pig-butchering-is-an-evolution-of-a-social-engineering-tactic-weve-seen-for-years.txt Pig butchering is an evolution of a social engineering tactic we’ve seen for years.txt text/plainPig butchering is an evolution of a social engineering tactic we’ve seen for years.txt Open Download Copy Link 770 B 2024-03-22 March 22, 2024 2024-03-22 March 22, 2024	770 B	March 22, 2024
IOCs-Curious-Serpens-FalseFont-Backdoor-Technical-Analysis-Detection-and-Prevention.txt IOCs Curious Serpens FalseFont Backdoor Technical Analysis Detection and Prevention.txt text/plainIOCs Curious Serpens FalseFont Backdoor Technical Analysis Detection and Prevention.txt Open Download Copy Link 501 B 2024-03-22 March 22, 2024 2024-03-22 March 22, 2024	501 B	March 22, 2024
IOCs-The-Updated-APT-Playbook-Tales-from-the-Kimsuky-threat-actor-group.txt IOCs The Updated APT Playbook Tales from the Kimsuky threat actor group.txt text/plainIOCs The Updated APT Playbook Tales from the Kimsuky threat actor group.txt Open Download Copy Link 1.44 KB 2024-03-22 March 22, 2024 2024-03-22 March 22, 2024	1.44 KB	March 22, 2024

https://bulwarkblack.com/infinity-stealer-new-macos-malware-uses-clickfix-lures-and-nuitka-compiled-python-payload?ee=1&eeFolder=IOCs_YARA_TTPs_Posted_Articles&eeListID=2 0 1

1 - 20 21 - 21

Page: 1 of 2

6291fc182b

Why Nuitka Matters

Attack Chain: From Fake CAPTCHA to Full Compromise

Data Harvesting Capabilities

Defensive Recommendations

Source

Related News

Critical Cisco IMC Authentication Bypass Enables Unauthenticated Admin Access

Critical Cisco IMC Authentication Bypass Grants Remote Attackers Admin Privileges

CrystalX RAT: New Malware-as-a-Service Combines Spyware, Stealer, and Prankware Capabilities

CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors