A new macOS malware that was undocumented previously, is quietly tricking users through fake Cloudflare human verification pages.

Called Infiniti Stealer, this threat uses a well-known social engineering trick called ClickFix to convince Mac users into running dangerous commands directly on their own machines, bypassing the need for any software vulnerability or exploit.

For a long time, many Mac users have believed their systems are naturally resistant to malware. Infiniti Stealer challenges that assumption directly. The malware was originally tracked under the internal name NukeChain during routine threat hunting.

Just before its public disclosure, the threat actor’s operator control panel accidentally became visible online, revealing the malware’s true name and confirming that this is a structured, ongoing campaign aimed directly at macOS users.

Malwarebytes analysts identified Infiniti Stealer as the first documented macOS campaign to combine ClickFix delivery with a Nuitka-compiled Python stealer.

The attack begins at a malicious domain, update-check[.]com, which hosts a near-perfect replica of a Cloudflare human verification page.

Visitors on the fake page are instructed to open Terminal, paste a provided command, and press Return. What appears to be a routine identity check immediately triggers the entire infection chain.

What makes this attack especially dangerous is that it does not rely on any software flaw. There is no malicious file to download, no phishing attachment, and no drive-by exploit.

The attacker depends entirely on the user trusting the fake CAPTCHA. Once the command is run, the malware’s payload executes silently in the background, leaving no obvious sign that anything has gone wrong.

The damage potential of Infiniti Stealer is serious and far-reaching. The malware is built to harvest login credentials from Chromium-based browsers and Firefox, collect macOS Keychain entries, drain cryptocurrency wallets, take screenshots during execution, and pull plaintext secrets from developer environment files such as .env.

All collected data is sent to a remote server via HTTP POST requests, and the operator receives an immediate Telegram notification once the upload is complete.

Three-Stage Infection Chain

Once the victim runs the Terminal command, Infiniti Stealer works through three separate stages to complete the compromise. The first is a Bash dropper script that uses a template also found in earlier macOS stealers like MacSync, suggesting the use of a shared malware builder.

The script decodes an embedded payload, writes the next stage binary to the /tmp folder, strips the macOS quarantine attribute, and runs the file silently using nohup.

It then deletes itself and closes Terminal via AppleScript, ensuring the victim sees nothing unusual.

The second stage delivers an Apple Silicon Mach-O binary of around 8.6 MB, built using Nuitka’s onefile mode.

Unlike PyInstaller, Nuitka compiles Python source code into C and produces a native binary, making static analysis significantly harder for security tools. At runtime, this loader decompresses around 35 MB of embedded data and hands off execution to the final payload.

The third stage, UpdateHelper[.]bin is a Python 3.11 stealer also compiled with Nuitka.

Before stealing any data, it checks whether it is running inside known analysis environments including any.run, Joe Sandbox, Hybrid Analysis, VMware, or VirtualBox.

It also adds a randomized execution delay to avoid triggering automated detection systems.

If you suspect you may have been affected, take these steps immediately:

• Stop using the device for sensitive activity including banking, email, and work accounts
• Change passwords from a clean device, starting with email, Apple ID, and banking credentials
• Revoke active sessions and invalidate any API tokens or SSH keys
• Look for any unusual files placed in /tmp and ~/Library/LaunchAgents/
• Run a full security scan to detect and remove any remaining malware

No legitimate CAPTCHA page will ever ask you to open Terminal and run a command. If a website instructs you to do this, close it immediately.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.