Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs

Summary

A ClickFix social engineering campaign adapted for macOS users leverages a fake Cloudflare verification page to trick victims into executing a Terminal command. The infection chain downloads a Bash script that deploys a Nuitka-compiled loader, which executes Infiniti Stealer—a Python-based infostealer targeting browser credentials, Keychain data, cryptocurrency wallets, and developer secrets. The malware exfiltrates data via HTTP POST to a C&C server and notifies operators via Telegram.

Full text

macOS users are targeted in a fresh ClickFix campaign that uses a Cloudflare-themed verification page to deliver a Python-based information stealer, Malwarebytes reports. The attack starts with a fake CAPTCHA page that serves a legitimate-looking Cloudflare human verification page asking visitors to paste and execute a command in Terminal. Referred to as ClickFix, the technique relies on social engineering to trick users into executing malicious commands on their devices and has been widely used in attacks since August 2024, mainly against Windows users. For more than half a year, however, attacks tailored for macOS have become increasingly convincing, and the variant observed by Malwarebytes is no different. The fake verification page provides macOS users with specific instructions to open the Terminal and paste and execute a fake verification command that triggers malware execution. Once the victim runs the command, a Bash script is fetched from a remote server. The script decodes an embedded payload, writes the second stage binary to a temporary folder, removes its quarantine flag, and executes it.Advertisement. Scroll to continue reading. The script also passes command-and-control (C&C) server and authentication tokens as environment variables, deletes itself, and closes the Terminal. The binary dropped by the script is a loader compiled using Nuitka. The compiler transforms Python code into a native binary, making static analysis more difficult. At runtime, the loader decompresses embedded data and launches the final payload, identified as the Infiniti Stealer malware. The Python-based information stealer targets browser credentials, Keychain information, cryptocurrency wallets, secrets stored in developer files, and screenshots captured during execution. The data is sent to the C&C via HTTP POST requests. Once the operation has been completed, the malware sends a notification to a Telegram channel and queues captured credentials to be cracked on the server. For evasion, Infiniti Stealer relies on randomized execution delay and checks if the system is a known analysis environment. “Infiniti Stealer shows how techniques that worked on Windows—like ClickFix—are now being adapted to target Mac users. It also uses newer techniques, like compiling Python into native apps, which makes the malware harder to detect and analyze. If this approach proves effective, we may see more attacks like this,” Malwarebytes notes. Related: Over 100 GitHub Repositories Distributing BoryptGrab Stealer Related: ‘SolyxImmortal’ Information Stealer Emerges Related: North Korean Hackers Target macOS Developers via Malicious VS Code Projects Related: MacSync macOS Malware Distributed via Signed Swift Application Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire BIND Updates Patch High-Severity VulnerabilitiesChinese Hackers Caught Deep Within Telecom Backbone InfrastructureCisco Patches Multiple Vulnerabilities in IOS SoftwareOnit Security Raises $11 Million for Exposure Management PlatformiOS, macOS 26.4 Roll Out With Fresh Security PatchesFCC Bans New Routers Made Outside the US Over National Security RisksFrom Trivy to Broad OSS Compromise: TeamPCP Hits Docker Hub, VS Code, PyPIExtortion Group Claims It Hacked AstraZeneca Latest News Pro-Iranian Hacking Group Claims Credit for Hack of FBI Director Kash Patel’s Personal AccountIn Other News: Palo Alto Recruiter Scam, Anti-Deepfake Chip, Google Sets 2029 Quantum DeadlineOpenAI Launches Bug Bounty Program for Abuse and Safety RisksTP-Link Patches High-Severity Router VulnerabilitiesRSAC 2026 Conference Announcements Summary (Days 3-4)Coruna iOS Exploit Kit Likely an Update to Operation TriangulationCISA Flags Critical PTC Vulnerability That Had German Police MobilizedHightower Holding Data Breach Impacts 130,000 Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveModerna has promoted Farzan Karimi to Deputy Chief Information Security Officer.Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne.Token has appointed Katy Nelson as Chief Revenue Officer.More People On The MoveExpert Insights Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — Infiniti Stealer
• malware — ClickFix