macOS users are targeted in a fresh ClickFix campaign that uses a Cloudflare-themed verification page to deliver a Python-based information stealer, Malwarebytes reports.
The attack starts with a fake CAPTCHA page that serves a legitimate-looking Cloudflare human verification page asking visitors to paste and execute a command in Terminal.
Referred to as ClickFix, the technique relies on social engineering to trick users into executing malicious commands on their devices and has been widely used in attacks since August 2024, mainly against Windows users.
For more than half a year, however, attacks tailored for macOS have become increasingly convincing, and the variant observed by Malwarebytes is no different.
The fake verification page provides macOS users with specific instructions to open the Terminal and paste and execute a fake verification command that triggers malware execution.
Once the victim runs the command, a Bash script is fetched from a remote server. The script decodes an embedded payload, writes the second stage binary to a temporary folder, removes its quarantine flag, and executes it.
The script also passes command-and-control (C&C) server and authentication tokens as environment variables, deletes itself, and closes the Terminal.
The binary dropped by the script is a loader compiled using Nuitka. The compiler transforms Python code into a native binary, making static analysis more difficult.
At runtime, the loader decompresses embedded data and launches the final payload, identified as the Infiniti Stealer malware.
The Python-based information stealer targets browser credentials, Keychain information, cryptocurrency wallets, secrets stored in developer files, and screenshots captured during execution.
The data is sent to the C&C via HTTP POST requests. Once the operation has been completed, the malware sends a notification to a Telegram channel and queues captured credentials to be cracked on the server.
For evasion, Infiniti Stealer relies on randomized execution delay and checks if the system is a known analysis environment.
“Infiniti Stealer shows how techniques that worked on Windows—like ClickFix—are now being adapted to target Mac users. It also uses newer techniques, like compiling Python into native apps, which makes the malware harder to detect and analyze. If this approach proves effective, we may see more attacks like this,” Malwarebytes notes.
Related: Over 100 GitHub Repositories Distributing BoryptGrab Stealer
Related: ‘SolyxImmortal’ Information Stealer Emerges
Related: North Korean Hackers Target macOS Developers via Malicious VS Code Projects
Related: MacSync macOS Malware Distributed via Signed Swift Application
Facts Only
macOS users are targeted in a ClickFix campaign using a fake Cloudflare verification page.
The attack starts with a fake CAPTCHA page that instructs users to paste and execute a command in Terminal.
ClickFix has been used in attacks since August 2024, primarily against Windows users.
The fake verification page provides macOS-specific instructions to execute a malicious command.
The command fetches a Bash script from a remote server, which decodes and executes a second-stage binary.
The binary is a loader compiled using Nuitka, a tool that converts Python code into native binaries.
The loader decompresses embedded data and launches the Infiniti Stealer malware.
Infiniti Stealer targets browser credentials, Keychain information, cryptocurrency wallets, and developer secrets.
Stolen data is sent to a command-and-control server via HTTP POST requests.
The malware uses evasion techniques, including randomized execution delays and checks for analysis environments.
Malwarebytes reports that this attack demonstrates the adaptation of Windows-focused techniques to macOS.
Executive Summary
Full Take
The ClickFix campaign targeting macOS users is a clear example of how threat actors are refining their social engineering tactics to exploit trust in legitimate services like Cloudflare. The use of a fake verification page to trick users into executing malicious commands is a well-worn technique, but its adaptation to macOS—with tailored instructions and native binary compilation—shows a sophisticated evolution. The malware’s ability to evade detection by compiling Python into native code and its focus on stealing sensitive data like cryptocurrency wallets and Keychain information underscore the financial motivations behind such attacks.
This campaign echoes broader trends in cybercrime, where attackers increasingly target macOS users, who have historically been less frequent victims than Windows users. The shift suggests that as macOS adoption grows, so does its appeal to cybercriminals. The use of Telegram for notifications and credential cracking also aligns with the operational patterns of modern malware, where automation and scalability are key.
For users, this highlights the importance of skepticism toward unsolicited verification prompts and the dangers of executing terminal commands from untrusted sources. The broader implication is that as malware techniques become more cross-platform, users across all operating systems must adopt robust security practices.
**Patterns detected: ARC-0024 Ambiguity (use of legitimate-looking verification pages to mask malicious intent), ARC-0043 Motte-and-Bailey (presenting as a harmless verification while delivering malware).**
**Bridge questions:**
How might the increasing sophistication of macOS malware change the security landscape for Apple users?
What role do social engineering tactics play in the success of such campaigns, and how can users better recognize them?
If this attack were part of a coordinated influence campaign, the playbook would likely involve exploiting trust in widely used services (like Cloudflare) to distribute malware, leveraging the credibility of those services to lower user defenses. However, the content here appears to be a genuine security report rather than a coordinated influence operation.
