Infinity Stealer macOS infostealer activity
Malware Activity
Summary
Hide ▲
Show ▼
Infinity Stealer is a macOS infostealer being delivered through a ClickFix lure and is able to steal high-value credentials and secrets. The payload is compiled with Nuitka into a native Mach-O binary, which makes static analysis and detection harder. It can collect browser logins, macOS Keychain entries, cryptocurrency wallets, and .env secrets before exfiltrating them to C2.
Related Happenings
TonRAT Node.js implant with TON blockchain C2
Malware Activity
H score24
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources 1
About this happening:
**TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
TonRAT Node.js implant with TON blockchain C2
Malware ActivityAbout this happening: **TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware Activity
H score29
First: 25.06.2026 12:23
Last: 25.06.2026 12:23
Sources 1
About this happening:
A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...
Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware ActivityAbout this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware Activity
H score30
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware ActivityAbout this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical Analysis
H score23
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
**macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical AnalysisAbout this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
AUDIOFIX and MiniRAT macOS malware activity
Malware Activity
H score34
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
AUDIOFIX and MiniRAT macOS malware activity
Malware ActivityAbout this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
Timeline
-
28.03.2026 16:35 2 articles · 3mo ago
Malwarebytes documents Infinity Stealer macOS ClickFix campaign
Initial DisclosureMalwarebytes documented a new macOS infostealer campaign using ClickFix lures and a fake Cloudflare CAPTCHA on update-check[.]com to trick users into pasting a base64-obfuscated curl command into the macOS Terminal. The chain writes a stage-2 loader to /tmp, removes the quarantine flag, runs it via nohup, and delivers UpdateHelper.bin as an Infinity Stealer payload compiled from Python with Nuitka into a native Mach-O binary that performs anti-analysis checks and steals browser credentials, macOS Keychain entries, cryptocurrency wallets, and .env secrets before exfiltrating data by HTTP POST and triggering a Telegram notification.
Show sources
- New Infinity Stealer malware grabs macOS data via ClickFix lures — www.bleepingcomputer.com — 28.03.2026 16:35
- New Infinity Stealer malware grabs macOS data via ClickFix lures — www.bleepingcomputer.com — 28.03.2026 16:35