Find notable cyber news and cases, enriched with sources, timelines, and signals.

Infinity Stealer macOS infostealer activity

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

Infinity Stealer is a macOS infostealer being delivered through a ClickFix lure and is able to steal high-value credentials and secrets. The payload is compiled with Nuitka into a native Mach-O binary, which makes static analysis and detection harder. It can collect browser logins, macOS Keychain entries, cryptocurrency wallets, and .env secrets before exfiltrating them to C2.

Related Happenings

TonRAT Node.js implant with TON blockchain C2

Malware Activity
H score24 First: 26.06.2026 12:27 Last: 26.06.2026 12:27 Sources 1

About this happening: **TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...

Gaslight macOS implant with Telegram C2 and prompt-injection payload

Malware Activity
H score29 First: 25.06.2026 12:23 Last: 25.06.2026 12:23 Sources 1

About this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...

MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel

Malware Activity
H score30 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...

MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage

Technical Analysis
H score23 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...

AUDIOFIX and MiniRAT macOS malware activity

Malware Activity
H score34 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...

Timeline

  1. 28.03.2026 16:35 2 articles · 3mo ago

    Malwarebytes documents Infinity Stealer macOS ClickFix campaign

    Initial Disclosure

    Malwarebytes documented a new macOS infostealer campaign using ClickFix lures and a fake Cloudflare CAPTCHA on update-check[.]com to trick users into pasting a base64-obfuscated curl command into the macOS Terminal. The chain writes a stage-2 loader to /tmp, removes the quarantine flag, runs it via nohup, and delivers UpdateHelper.bin as an Infinity Stealer payload compiled from Python with Nuitka into a native Mach-O binary that performs anti-analysis checks and steals browser credentials, macOS Keychain entries, cryptocurrency wallets, and .env secrets before exfiltrating data by HTTP POST and triggering a Telegram notification.

    Show sources