Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs
The infection chain includes a fake CAPTCHA page, a Bash script, a Nuitka loader, and the Python-based infostealer.
AI-Generated Summary
A new ClickFix campaign targets macOS users through a fake Cloudflare CAPTCHA verification page that tricks victims into executing malicious Terminal commands. The attack chain delivers a Python-based information stealer called Infiniti Stealer, which harvests browser credentials, Keychain data, cryptocurrency wallets, and developer secrets, then exfiltrates data via HTTP POST to a C2 server with Telegram notifications. The malware uses advanced evasion techniques including Nuitka-compiled Python binaries, randomized execution delays, and sandbox detection to evade analysis.
Affected Sectors
Frameworks
Aggregated from SecurityWeek
This article was automatically aggregated from an external source. Content may be summarized.
Full Analysis
macOS users are targeted in a fresh ClickFix campaign that uses a Cloudflare-themed verification page to deliver a Python-based information stealer, Malwarebytes reports.
The attack starts with a fake CAPTCHA page that serves a legitimate-looking Cloudflare human verification page asking visitors to paste and execute a command in Terminal.
Referred to as ClickFix, the technique relies on social engineering to trick users into executing malicious commands on their devices and has been widely used in attacks since August 2024, mainly against Windows users.
For more than half a year, however, attacks tailored for macOS have become increasingly convincing, and the variant observed by Malwarebytes is no different.
The fake verification page provides macOS users with specific instructions to open the Terminal and paste and execute a fake verification command that triggers malware execution.
Once the victim runs the command, a Bash script is fetched from a remote server. The script decodes an embedded payload, writes the second stage binary to a temporary folder, removes its quarantine flag, and executes it.
Advertisement. Scroll to continue reading.
The script also passes command-and-control (C&C) server and authentication tokens as environment variables, deletes itself, and closes the Terminal.
The binary dropped by the script is a loader compiled using Nuitka. The compiler transforms Python code into a native binary, making static analysis more difficult.
At runtime, the loader decompresses embedded data and launches the final payload, identified as the Infiniti Stealer malware.
The Python-based information stealer targets browser credentials, Keychain information, cryptocurrency wallets, secrets stored in developer files, and screenshots captured during execution.
The data is sent to the C&C via HTTP POST requests. Once the operation has been completed, the malware sends a notification to a Telegram channel and queues captured credentials to be cracked on the server.
For evasion, Infiniti Stealer relies on randomized execution delay and checks if the system is a known analysis environment.
“Infiniti Stealer shows how techniques that worked on Windows—like ClickFix—are now being adapted to target Mac users. It also uses newer techniques, like compiling Python into native apps, which makes the malware harder to detect and analyze. If this approach proves effective, we may see more attacks like this,” Malwarebytes notes.
Related: Over 100 GitHub Repositories Distributing BoryptGrab Stealer
Related: ‘SolyxImmortal’ Information Stealer Emerges
Related: North Korean Hackers Target macOS Developers via Malicious VS Code Projects
Related: MacSync macOS Malware Distributed via Signed Swift Application
Originally published by SecurityWeek
Original Source
SecurityWeek