A new macOS malware, dubbed Infiniti Stealer, is stealthily targeting Mac users by impersonating legitimate Cloudflare CAPTCHA pages. The threat relies on a social engineering tactic known as ClickFix, which tricks users into executing malicious commands directly on their own systems, so no software vulnerability needs to be exploited at all. The discovery of Infiniti Stealer challenges the often-held assumption that macOS systems are inherently resistant to malware and marks a significant development in macOS cyber threats.
Initially tracked under the internal name NukeChain by Malwarebytes researchers during threat hunting, the campaign’s true nature was revealed when the threat actor’s control panel was accidentally exposed online. This public disclosure confirmed the malware’s name, Infiniti Stealer, and underscored the organized and persistent nature of this campaign specifically targeting macOS users. The findings highlight the evolving tactics of cybercriminals targeting the Apple ecosystem.
Infiniti Stealer: A Deceptive Cloudflare CAPTCHA Attack on macOS
The attack vector employed by Infiniti Stealer begins with a malicious domain, update-check[.]com, which hosts a visually convincing replica of a Cloudflare human verification page. Visitors to this imposter page are presented with instructions to open the macOS Terminal application and paste a specific command, followed by pressing the Enter key. While appearing as a standard security measure, this action initiates a cascading infection chain.
A key characteristic of this attack is its reliance solely on user deception, rather than exploiting any known software flaw. Unlike typical malware delivery methods that involve downloading malicious files, phishing attachments, or drive-by exploits, Infiniti Stealer depends entirely on the user’s trust in the fake CAPTCHA. Once the command is executed, the malware’s payload runs silently in the background, leaving minimal outward indication of a compromise.
The potential damage from Infiniti Stealer is considerable. Its capabilities include the theft of login credentials from popular Chromium-based browsers and Firefox, the exfiltration of sensitive data stored within the macOS Keychain, and the draining of cryptocurrency wallets. Furthermore, the malware can capture screenshots during its operation and retrieve plaintext secrets from developer-centric environment files, such as .env files. All pilfered data is transmitted to a remote server via HTTP POST requests, and the threat actor receives an immediate Telegram notification upon each successful upload.
The Three-Stage Infection Chain of Infiniti Stealer
Once a victim executes the Terminal command, Infiniti Stealer progresses through a carefully designed three-stage infection process. The initial stage is a Bash dropper script that shares functional similarities with earlier macOS stealers such as MacSync, suggesting that attackers are using a common malware construction kit. This script decodes an embedded malicious payload.
After decoding, the first stage writes the next-stage binary into the temporary directory at /tmp. It then removes the macOS quarantine attribute from the file so that it can execute without further restrictions. The script uses `nohup` to run the binary silently in the background, then deletes itself and uses AppleScript to close the Terminal window, masking its presence from the user.
The second stage is an Apple Silicon Mach-O binary of approximately 8.6 MB, compiled with Nuitka in onefile mode. Unlike PyInstaller, Nuitka translates Python source code into C and then compiles it into a native binary, which makes static analysis considerably harder for security tools. At runtime, this loader decompresses roughly 35 MB of embedded data and hands control to the final payload, the stealer itself.
The third and final stage, identified as `UpdateHelper[.]bin`, is a Python 3.11 stealer, also compiled using Nuitka. Before initiating any data collection, this component performs checks to determine if it is operating within known analysis environments, such as any.run, Joe Sandbox, Hybrid Analysis, VMware, or VirtualBox. To evade early detection by automated security systems, it also incorporates a randomized delay mechanism before executing its primary functions.
Those who suspect their macOS system may have been compromised by Infiniti Stealer should take immediate precautionary measures. This includes ceasing all sensitive activities on the affected device, such as online banking, accessing email accounts, and conducting work-related tasks. It is crucial to change passwords from a verified clean device, prioritizing critical accounts like email, Apple ID, and banking credentials. Additionally, users should revoke any active logged-in sessions, invalidate API tokens, and revoke active SSH keys.
A thorough inspection for any unusual files in the /tmp directory and the ~/Library/LaunchAgents/ folder is recommended. Finally, running a comprehensive security scan with reputable anti-malware software is essential to detect and remove any lingering malicious components. It is vital for users to remember that no legitimate CAPTCHA page will ever instruct them to open Terminal and execute commands. If encountered, such a website should be closed immediately.
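The two defender-side checks suggested by the article, inspecting /tmp for recently dropped binaries and recognising the dropper behaviours from the infection-chain description, as an added example that is not part of the original article or of Malwarebytes' tooling. The indicator names, the sample command and the helper functions are constructed for illustration.

```python
import os
import re
import subprocess
import time

QUARANTINE_XATTR = "com.apple.quarantine"
# Mach-O magics: 64-bit, 32-bit, universal (fat). 0xCAFEBABE is also Java's class magic: leads, not verdicts.
MACHO_MAGIC = {b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

# Dropper behaviours named in the article, each as a constructed regex indicator.
CLICKFIX_INDICATORS = {
    "base64_decode": re.compile(r"base64\s+(-d|-D|--decode)\b"),
    "writes_to_tmp": re.compile(r"/tmp/\S+"),
    "strips_quarantine": re.compile(r"xattr\s+-d\s+com\.apple\.quarantine"),
    "nohup_background": re.compile(r"\bnohup\b"),
    "osascript": re.compile(r"\bosascript\b"),
    "self_delete": re.compile(r"\brm\s+(-f\s+)?[\"']?\$0"),
}
# Constructed sample of a pasted ClickFix command: placeholders only, no real payload.
SAMPLE_CMD = ("echo 'BASE64_PLACEHOLDER' | base64 -d > /tmp/helper; xattr -d com.apple.quarantine "
              "/tmp/helper; nohup /tmp/helper & osascript -e 'PLACEHOLDER'; rm -f \"$0\"")

def score_command(cmd: str) -> list[str]:
    """Names of ClickFix indicators found in a pasted Terminal command (e.g. a shell-history line)."""
    return [name for name, rx in CLICKFIX_INDICATORS.items() if rx.search(cmd)]

def has_quarantine_flag(path: str) -> bool:
    """True if the file still carries com.apple.quarantine, the Gatekeeper marker the dropper strips."""
    if hasattr(os, "getxattr"):  # Linux builds of Python expose os.getxattr
        try:
            os.getxattr(path, QUARANTINE_XATTR)
            return True
        except OSError:
            return False
    # macOS Python lacks os.getxattr; use the xattr(1) tool that ships with macOS instead.
    res = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path], capture_output=True)
    return res.returncode == 0

def find_unquarantined_machos(directory: str, max_age_hours: float = 72) -> list[str]:
    """Mach-O files in `directory` modified within max_age_hours that lack the quarantine flag."""
    cutoff = time.time() - max_age_hours * 3600
    hits = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and os.path.getmtime(path) >= cutoff:
            with open(path, "rb") as fh:
                magic = fh.read(4)
            if magic in MACHO_MAGIC and not has_quarantine_flag(path):
                hits.append(path)
    return sorted(hits)
```

On a Mac under investigation, run `find_unquarantined_machos("/tmp")` and feed each line of the shell history to `score_command`; several indicators firing on one line is the pattern to escalate.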