好的,我现在需要帮用户总结一篇关于新macOS恶意软件的文章,控制在100字以内。首先,我得通读整篇文章,抓住关键点。 文章主要讲的是Infinity Stealer,这是一个针对macOS的恶意软件。它通过伪造的Cloudflare验证码页面传播,诱导用户在终端执行命令。这个命令会下载一个Bash脚本,进而加载用Nuitka编译的Python有效载荷。 这个有效载荷会窃取浏览器凭证、Keychain条目、加密钱包信息等,并通过HTTP外发数据。它还能检测分析环境,增加随机延迟以逃避检测。最后,它会通过Telegram通知操作者,并将凭证排队进行服务器端破解。 总结时,我需要涵盖传播方式、技术手段、窃取的数据类型以及防护建议。同时,要确保语言简洁明了,不超过100字。 现在开始组织语言:Infinity Stealer通过伪造Cloudflare验证码诱导用户执行终端命令,下载Bash脚本和Nuitka编译的有效载荷。该载荷窃取多种数据并通过HTTP外传。建议用户避免执行可疑命令,并使用杀毒软件扫描。 </think> 新macOS恶意软件Infinity Stealer通过伪造Cloudflare验证码诱骗用户执行终端命令,下载Bash脚本并运行Nuitka编译的有效载荷,窃取浏览器凭证、Keychain数据等信息并通过HTTP外传。建议避免执行可疑命令并使用杀毒软件扫描设备。 2026-3-30 07:49:36 Author: securityaffairs.com(查看原文) 阅读量:5 收藏
New macOS Infinity Stealer uses Nuitka Python payload and ClickFix
Infinity Stealer targets macOS via fake Cloudflare CAPTCHA, using Nuitka; first such campaign per Malwarebytes.
Researchers at Malwarebytes spotted a new macOS infostealer, named Infinity Stealer, using a Python payload compiled with Nuitka. It spreads via ClickFix, tricking users with fake Cloudflare CAPTCHA pages.
“A fake verification page instructs the visitor to open Terminal, paste a command, and press Return. Once executed, the infection process begins immediately.” reads the report published by MalwareBytes. “The technique gained popularity on Windows systems, but it’s now being adapted for macOS, with the instructions tailored to the platform: Command + Space > open Terminal > paste the command”
The fake Cloudflare CAPTCHA tricks users into pasting a Terminal command that fetches a Stage-1 Bash dropper.
“The first payload is a Bash script using a template previously observed in macOS stealers such as MacSync (also referenced as SHub in earlier research).” continues the report. “This suggests the use of a shared builder.”
The dropper decodes the payload, writes the Stage‑2 binary, removes macOS protections, executes it, passes C2 data, and then deletes itself. Stage‑2 is a native macOS loader compiled with Nuitka that unpacks and runs the final Python stealer.
The final payload, UpdateHelper[.]bin, is a Python 3.11 stealer that collects browser credentials, Keychain entries, crypto wallets, .env files, and screenshots, exfiltrating data via HTTP. It detects analysis environments and adds random delays to evade detection. Once exfiltration finishes, it notifies the operator via Telegram and queues credentials for server-side cracking.
Infiniti Stealer shows macOS is no longer low‑risk, adapting Windows‑style ClickFix and using Nuitka to evade detection. If you ran suspicious Terminal commands, stop sensitive activity, change passwords from a clean device, revoke sessions and keys, and check /tmp and LaunchAgents. Experts recommend running a full scan with antimalware software. Never paste commands from websites, because no real CAPTCHA requires it.
The report includes Indicators of Compromise (IOCs) for this campaign.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
如有侵权请联系:admin#unsafe.sh