
macOS users are targeted in a fresh ClickFix campaign that uses a Cloudflare-themed verification page to deliver a Python-based information stealer, Malwarebytes reports.
The attack starts with a fake CAPTCHA page that serves a legitimate-looking Cloudflare human verification page asking visitors to paste and execute a command in Terminal.
Referred to as ClickFix, the technique relies on social engineering to trick users into executing malicious commands on their devices and has been widely used in attacks since August 2024, mainly against Windows users.
For more than half a year now, however, attacks tailored to macOS have become increasingly convincing, and the variant observed by Malwarebytes is no exception.
The fake verification page provides macOS users with specific instructions to open the Terminal and paste and execute a fake verification command that triggers malware execution.
Once the victim runs the command, a Bash script is fetched from a remote server. The script decodes an embedded payload, writes the second-stage binary to a temporary folder, removes its quarantine flag, and executes it.
The script also passes command-and-control (C&C) server and authentication tokens as environment variables, deletes itself, and closes the Terminal.
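The staging behaviour described above (decode an embedded payload, write it to a temp folder, strip the quarantine attribute, hand C&C details over as environment variables, execute, self-delete, quit Terminal) is a recognizable pattern in shell text, which makes it a good target for triage of a pasted command, a recovered script, or shell history. The following is an added example written for this page, not Malwarebytes' code or anything from the campaign: the indicator regexes, weights, threshold and both sample inputs are constructed here, and the "suspicious" sample contains placeholder values only, no real payload or host.

```python
import re
from dataclasses import dataclass, field

# Each indicator: (name, regex, weight). Weights and names are constructed for
# this example; they mirror the staging steps described in the report.
INDICATORS = [
    # pasted one-liner that pipes a remote download straight into a shell
    ("remote_fetch_to_shell", r"\bcurl\b[^\n|]*\|\s*(ba|z)?sh\b", 2),
    # decoding of an embedded payload (macOS base64 accepts -d and -D)
    ("decodes_embedded_payload", r"\bbase64\s+(-d|-D|--decode)\b|\bopenssl\s+enc\b[^\n]*\s-d\b", 2),
    # any reference to a temp location as a drop folder
    ("references_temp_dir", r"\$\{?TMPDIR\b|/tmp/|/private/tmp/|/var/folders/", 1),
    # Gatekeeper quarantine attribute being stripped
    ("removes_quarantine_flag", r"\bxattr\b[^\n]*(com\.apple\.quarantine|\s-c\b|\s-cr\b)", 3),
    # inline environment variables handed to a binary or script that is then run
    ("inline_env_to_exec", r"(^|\s)[A-Z][A-Z0-9_]*=\S+\s+[\"']?(\$\{?[A-Za-z_]|\.?/)", 2),
    # script removing its own file
    ("deletes_itself", r"\brm\b[^\n]*[\"']?\$\{?0\}?", 2),
    # closing the Terminal window the victim pasted into
    ("closes_terminal", r"killall\s+(-\S+\s+)?Terminal\b|tell application \"Terminal\" to quit", 2),
]
COMPILED = [(name, re.compile(rx), weight) for name, rx, weight in INDICATORS]


@dataclass
class TriageResult:
    score: int = 0
    hits: list = field(default_factory=list)  # (indicator name, first matching line)

    @property
    def verdict(self) -> str:
        if self.score >= 5:
            return "likely ClickFix staging script"
        if self.score > 0:
            return "review: isolated indicator(s)"
        return "no staging indicators"


def triage(text: str) -> TriageResult:
    """Score shell text against the indicators. Each indicator counts once, on
    its first matching non-comment line, so repetition cannot inflate the score."""
    result = TriageResult()
    seen = set()
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blanks, comments and the shebang carry no behaviour
        for name, rx, weight in COMPILED:
            if name not in seen and rx.search(stripped):
                seen.add(name)
                result.score += weight
                result.hits.append((name, stripped))
    return result


# Constructed sample: the shape of the staging script, with placeholders only.
SAMPLE_SUSPICIOUS = r'''#!/bin/bash
# constructed sample, not a real dropper: payload and hosts are placeholders
PAYLOAD="<BASE64_PLACEHOLDER>"
OUT="$TMPDIR/.cfverify"
echo "$PAYLOAD" | base64 -d > "$OUT"
xattr -d com.apple.quarantine "$OUT"
C2_HOST=c2.example.invalid AUTH_TOKEN=token-placeholder "$OUT"
rm -f "$0"
osascript -e 'tell application "Terminal" to quit'
'''

# Constructed sample: an ordinary build helper that should score zero.
SAMPLE_BENIGN = r'''#!/bin/bash
set -euo pipefail
mkdir -p build
cc -O2 -o build/tool src/tool.c
./build/tool --self-test
'''

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        r = triage(sample)
        print(f"{label}: score={r.score} verdict={r.verdict}")
        for name, line in r.hits:
            print(f"  [{name}] {line}")
```

Legitimate installers also decode base64 and write to temp folders, which is why those indicators carry low weight and a lone hit only earns a "review" verdict; the combination of quarantine removal, inline C&C environment variables and self-deletion is what separates this staging pattern from normal tooling.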
The binary dropped by the script is a loader compiled using Nuitka. The compiler transforms Python code into a native binary, making static analysis more difficult.
At runtime, the loader decompresses embedded data and launches the final payload, identified as the Infiniti Stealer malware.
The Python-based information stealer targets browser credentials, Keychain information, cryptocurrency wallets, secrets stored in developer files, and screenshots captured during execution.
The data is sent to the C&C via HTTP POST requests. Once the operation has been completed, the malware sends a notification to a Telegram channel and queues captured credentials to be cracked on the server.
For evasion, Infiniti Stealer relies on randomized execution delay and checks if the system is a known analysis environment.
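The stealer's runtime behaviour (an unsigned binary launched from a temp folder that reads several unrelated credential stores and then POSTs to a C&C host and to Telegram) is also detectable from endpoint telemetry without any knowledge of the binary itself. The block below is an added example, not Malwarebytes' or any vendor's detection logic: the event tuple format, the scoring weights, the threshold and the sample events are all constructed, the C&C host is a placeholder, and the credential-store paths are the well-known locations for the login keychain, Chrome's password database, AWS and SSH credentials, and developer .env files.

```python
from dataclasses import dataclass, field

# Hypothetical telemetry schema for this example: (pid, event_type, detail).
# Well-known credential locations (path fragments matched against file_read events).
CREDENTIAL_STORES = (
    "/Library/Keychains/login.keychain-db",
    "/Library/Application Support/Google/Chrome/Default/Login Data",
    "/Library/Application Support/Google/Chrome/Default/Cookies",
    "/.aws/credentials",
    "/.ssh/id_",
    "/.env",
)
TEMP_EXEC_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
TELEGRAM_API = "api.telegram.org"


@dataclass
class ProcessProfile:
    pid: int
    exe: str = ""
    temp_exec: bool = False
    stores: set = field(default_factory=set)  # distinct credential stores touched
    posts: bool = False                        # any outbound HTTP POST
    telegram: bool = False                     # POST to the Telegram bot API

    @property
    def score(self) -> int:
        # Weights are constructed for this example.
        s = 3 if self.temp_exec else 0
        s += min(len(self.stores), 4)
        if len(self.stores) >= 2:   # breadth: a browser reads only its own store
            s += 2
        if self.posts:
            s += 1
        if self.telegram:
            s += 2
        return s


def score_processes(events):
    """Fold the event stream into one profile per pid."""
    profiles = {}
    for pid, kind, detail in events:
        p = profiles.setdefault(pid, ProcessProfile(pid))
        if kind == "exec":
            p.exe = detail
            p.temp_exec = detail.startswith(TEMP_EXEC_PREFIXES)
        elif kind == "file_read":
            for marker in CREDENTIAL_STORES:
                if marker in detail:
                    p.stores.add(marker)
        elif kind == "net_connect":
            if detail.startswith("POST "):
                p.posts = True
            if TELEGRAM_API in detail:
                p.telegram = True
    return profiles


def alerts(events, threshold=6):
    """Return pids whose profile reaches the alert threshold."""
    return sorted(pid for pid, p in score_processes(events).items() if p.score >= threshold)


# Constructed sample events: one stealer-like process and two benign ones.
EVENTS = [
    (4101, "exec", "/private/tmp/.cfverify"),
    (4101, "file_read", "/Users/dev/Library/Keychains/login.keychain-db"),
    (4101, "file_read", "/Users/dev/Library/Application Support/Google/Chrome/Default/Login Data"),
    (4101, "file_read", "/Users/dev/projects/api/.env"),
    (4101, "net_connect", "POST https://c2.example.invalid/upload"),
    (4101, "net_connect", "POST https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendMessage"),
    (2210, "exec", "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"),
    (2210, "file_read", "/Users/dev/Library/Application Support/Google/Chrome/Default/Login Data"),
    (2210, "net_connect", "POST https://accounts.google.com/signin"),
    (3305, "exec", "/usr/local/bin/backup-tool"),
    (3305, "file_read", "/Users/dev/.aws/credentials"),
    (3305, "net_connect", "POST https://s3.amazonaws.com/bucket-placeholder"),
]

if __name__ == "__main__":
    for pid, p in score_processes(EVENTS).items():
        print(f"pid {pid} {p.exe}: score={p.score} stores={len(p.stores)} telegram={p.telegram}")
    print("alerts:", alerts(EVENTS))
```

Chrome reading its own password database and a backup tool reading AWS credentials each score low because they touch a single store from a normal install location; the temp-folder binary that reaches across the keychain, a browser store and a developer secret file, then talks to both an unknown host and Telegram, is the one that crosses the threshold. The randomized delay the report mentions does not help the malware here, since the profile accumulates over time rather than within a fixed window.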
“Infiniti Stealer shows how techniques that worked on Windows—like ClickFix—are now being adapted to target Mac users. It also uses newer techniques, like compiling Python into native apps, which makes the malware harder to detect and analyze. If this approach proves effective, we may see more attacks like this,” Malwarebytes notes.
Related: Over 100 GitHub Repositories Distributing BoryptGrab Stealer
Related: ‘SolyxImmortal’ Information Stealer Emerges
Related: North Korean Hackers Target macOS Developers via Malicious VS Code Projects
Related: MacSync macOS Malware Distributed via Signed Swift Application

Facts Only

macOS users are targeted in a ClickFix campaign using a fake Cloudflare verification page.
The attack starts with a fake CAPTCHA page that instructs users to paste and execute a command in Terminal.
ClickFix has been used in attacks since August 2024, primarily against Windows users.
The fake verification page provides macOS-specific instructions to execute a malicious command.
The command fetches a Bash script from a remote server, which decodes and executes a second-stage binary.
The binary is a loader compiled using Nuitka, a tool that converts Python code into native binaries.
The loader decompresses embedded data and launches the Infiniti Stealer malware.
Infiniti Stealer targets browser credentials, Keychain information, cryptocurrency wallets, and developer secrets.
Stolen data is sent to a command-and-control server via HTTP POST requests.
The malware uses evasion techniques, including randomized execution delays and checks for analysis environments.
Malwarebytes reports that this attack demonstrates the adaptation of Windows-focused techniques to macOS.

Executive Summary

A new campaign using the ClickFix technique is targeting macOS users with a Python-based information stealer called Infiniti Stealer. The attack begins with a fake Cloudflare verification page that prompts users to execute a malicious command in Terminal. Once executed, the command fetches a Bash script from a remote server, which then deploys the malware. The malware, compiled using Nuitka to hinder detection and analysis, steals browser credentials, Keychain data, cryptocurrency wallets, and other sensitive information, sending it to a command-and-control server. The ClickFix technique has been used in attacks since at least August 2024, initially against Windows users, but attacks are now increasingly tailored to macOS with more convincing tactics. Malwarebytes notes that this adaptation of Windows-focused techniques to macOS highlights a growing trend in cross-platform malware development.

Full Take

The ClickFix campaign targeting macOS users is a clear example of how threat actors are refining their social engineering tactics to exploit trust in legitimate services like Cloudflare. The use of a fake verification page to trick users into executing malicious commands is a well-worn technique, but its adaptation to macOS—with tailored instructions and native binary compilation—shows a sophisticated evolution. The malware’s ability to evade detection by compiling Python into native code and its focus on stealing sensitive data like cryptocurrency wallets and Keychain information underscore the financial motivations behind such attacks.
This campaign echoes broader trends in cybercrime, where attackers increasingly target macOS users, who have historically been less frequent victims than Windows users. The shift suggests that as macOS adoption grows, so does its appeal to cybercriminals. The use of Telegram for notifications and credential cracking also aligns with the operational patterns of modern malware, where automation and scalability are key.
For users, this highlights the importance of skepticism toward unsolicited verification prompts and the dangers of executing terminal commands from untrusted sources. The broader implication is that as malware techniques become more cross-platform, users across all operating systems must adopt robust security practices.
**Patterns detected: ARC-0024 Ambiguity (use of legitimate-looking verification pages to mask malicious intent), ARC-0043 Motte-and-Bailey (presenting as a harmless verification while delivering malware).**
**Bridge questions:**
How might the increasing sophistication of macOS malware change the security landscape for Apple users?
What role do social engineering tactics play in the success of such campaigns, and how can users better recognize them?
If this attack were part of a coordinated influence campaign, the playbook would likely involve exploiting trust in widely used services (like Cloudflare) to distribute malware, leveraging the credibility of those services to lower user defenses. However, the content here appears to be a genuine security report rather than a coordinated influence operation.

Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs — Arc Codex