New Infinity Stealer malware grabs macOS data via ClickFix lures

New Infinity Stealer malware grabs macOS data via ClickFix lures By Bill Toulas March 28, 2026 10:35 AM 0 A new info-stealing malware named Infinity Stealer is targeting macOS systems with a Python payload packaged as an executable using the open-source Nuitka compiler. The attack uses the ClickFix technique, presenting a fake CAPTCHA that mimics Cloudflare’s human verification check to trick users into executing malicious code. Researchers at Malwarebytes say this is the first documented macOS campaign combining ClickFix delivery with a Python-based infostealer compiled using Nuitka. Because Nuitka produces a native binary by compiling the Python script into C code, the resulting executable is more resistant to static analysis. Compared to PyInstaller, which bundles Python with bytecode, it’s more evasive because it produces a real native binary with no obvious bytecode layer, making reverse engineering much harder. “The final payload is written in Python and compiled with Nuitka, producing a native macOS binary. That makes it harder to analyze and detect than typical Python-based malware,” Malwarebystes says. Attack chain The attack begins with a ClickFix lure on the domain update-check[.]com, posing as a human verification step from Cloudflare and asking the user to complete the challenge by pasting a base64-obfuscated curl command into the macOS Terminal, bypassing OS-level defenses. ClickFix step used in Infinity attacks Source: Malwarebytes The command decodes a Bash script that writes the stage-2 (Nuitka loader) to /tmp, then removes the quarantine flag, and executes it via ‘nohup.’ Finally, it passes the command-and-control (C2) and token via environment variables and then deletes itself and closes the Terminal window. The Nuitka loader is an 8.6 MB Mach-O binary that contains a 35MB zstd-compressed archive, containing the stage-3 (UpdateHelper.bin), which is the Infinity Stealer malware. The malware's disassembly view Source: Malwarebytes Before starting to collect sensitive data, the malware performs anti-analysis checks to determine whether it is running in a virtualized/sandboxed environment. Malwarebytes’ analysis of the Python 3.11 payload uncovered that the info-stealer can take screenshots and harvest the following data: Credentials from Chromium‑based browsers and Firefox macOS Keychain entries Cryptocurrency wallets Plaintext secrets in developer files, such as .env All stolen data is exfiltrated via HTTP POST requests to the C2, and a Telegram notification is sent to the threat actors upon completion of the operation. Malwarebytes underlines that the appearance of malware like Infinity Stealer is proof that threats to macOS users are only getting more advanced and targeted. Users should never paste into Terminal commands they find online and don’t fully understand. Automated Pentesting Covers Only 1 of 6 Surfaces. Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other. This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation. Get Your Copy Now Related Articles: New GlassWorm attack targets macOS via compromised OpenVSX extensions Suspected RedLine infostealer malware admin extradited to US New Torg Grabber infostealer malware targets 728 crypto wallets Fake enterprise VPN sites used to steal company credentials Fake Claude Code install guides push infostealers in InstallFix attacks