Security researchers at Malwarebytes have uncovered a new macOS infostealer called Infinity Stealer that combines the ClickFix social engineering technique with a Python payload compiled using the open-source Nuitka compiler — a first for documented macOS malware campaigns.

Why Nuitka Matters

Unlike PyInstaller, which bundles Python with bytecode that analysts can often extract and decompile, Nuitka compiles Python scripts into native C code, producing a true native binary. This makes the malware significantly harder to analyze through static reverse engineering and helps it evade detection.

The resulting 8.6 MB Mach-O binary contains a 35MB zstd-compressed archive housing the final payload: Infinity Stealer.

Attack Chain: From Fake CAPTCHA to Full Compromise

The attack begins with a ClickFix lure hosted on update-check[.]com:

  1. Fake CAPTCHA: Victims encounter a fake Cloudflare human verification challenge
  2. Malicious Command: Users are instructed to paste a base64-obfuscated curl command into macOS Terminal
  3. Stage 2 Loader: The command decodes a Bash script that writes the Nuitka loader to /tmp, removes the quarantine flag, and executes it
  4. Payload Delivery: The loader deploys Infinity Stealer (UpdateHelper.bin) with C2 connection details passed via environment variables

Data Harvesting Capabilities

After performing anti-VM/sandbox checks, Infinity Stealer targets:

  • Credentials from Chromium-based browsers and Firefox
  • macOS Keychain entries
  • Cryptocurrency wallets
  • Plaintext secrets in developer files (e.g., .env)
  • Screenshots

All stolen data is exfiltrated via HTTP POST to the C2 server, with a Telegram notification sent to the threat actors upon completion.

Defensive Recommendations

  • Never paste Terminal commands from websites — This is the core ClickFix vector
  • Verify CAPTCHAs carefully — Legitimate Cloudflare challenges never require Terminal commands
  • Enable macOS Gatekeeper — Helps prevent execution of unsigned code
  • Monitor for suspicious /tmp activity — Malware often stages payloads here
  • Use credential managers with MFA — Reduces impact if browser credentials are stolen

Source

For the full technical analysis including indicators of compromise, see: Malwarebytes Threat Intelligence

Additional coverage: BleepingComputer