Executive Summary
In March 2026, a new macOS-targeted malware named Infinity Stealer emerged, utilizing the ClickFix technique to deceive users into executing malicious code. The malware is delivered through fake CAPTCHA prompts that mimic Cloudflare's human verification, instructing users to paste a base64-obfuscated curl command into the macOS Terminal. This command downloads and executes a Python payload compiled with Nuitka, resulting in a native binary that is more resistant to static analysis. Once executed, Infinity Stealer performs anti-analysis checks and proceeds to exfiltrate sensitive data, including browser credentials, Keychain entries, cryptocurrency wallets, and plaintext secrets from developer files, via HTTP POST requests to a command-and-control server. (microsoft.com)
The emergence of Infinity Stealer highlights a growing trend of sophisticated malware targeting macOS systems, leveraging advanced social engineering techniques and cross-platform development tools. This incident underscores the importance of user vigilance and the need for robust security measures to protect against evolving threats.
Why This Matters Now
The rise of sophisticated macOS-targeted malware like Infinity Stealer demonstrates that attackers are increasingly focusing on Apple's ecosystem, exploiting user trust and advanced evasion techniques. Organizations and individuals must enhance their security posture to defend against these evolving threats.
Attack Path Analysis
The Infinity Stealer attack begins with a ClickFix lure, tricking users into executing a malicious command in the macOS Terminal. This command downloads and executes a Python-based infostealer compiled with Nuitka, which performs anti-analysis checks before harvesting sensitive data. The malware then establishes a command-and-control channel to exfiltrate the collected information.
Kill Chain Progression
Initial Compromise
Description
The attacker uses a ClickFix lure, presenting a fake CAPTCHA that instructs the user to paste a base64-obfuscated curl command into the macOS Terminal, leading to the download and execution of a malicious script.
MITRE ATT&CK® Techniques
Spearphishing Attachment
Malicious File
Command and Scripting Interpreter: Python
Deobfuscate/Decode Files or Information
Credentials from Password Stores: Keychain
Screen Capture
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Prevention
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – User Training and Awareness
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Infinity Stealer's Python-based payload targeting developer files and .env secrets poses critical risks to software development environments and source code protection.
Financial Services
macOS infostealer harvesting cryptocurrency wallets and browser credentials threatens financial institutions using Apple systems for secure transaction processing and client data.
Information Technology/IT
ClickFix social engineering bypassing macOS defenses requires enhanced security controls and user training for IT organizations managing enterprise Apple deployments.
Computer/Network Security
Nuitka-compiled malware evading static analysis demonstrates evolution of macOS threats requiring updated detection capabilities and endpoint protection strategies.
Sources
- New Infinity Stealer malware grabs macOS data via ClickFix lures: https://www.bleepingcomputer.com/news/security/new-infinity-stealer-malware-grabs-macos-data-via-clickfix-lures/
- Infostealers without borders: macOS, Python stealers, and platform abuse: https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/
- Fake macOS help sites push Shamos infostealer via ClickFix technique: https://www.helpnetsecurity.com/2025/08/25/fake-macos-help-sites-push-shamos-infostealer-via-clickfix-technique/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to execute unauthorized scripts may be constrained by enforcing strict identity-aware access controls and monitoring for anomalous command executions.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could be limited by enforcing strict segmentation policies that restrict access to sensitive system components.
Control: East-West Traffic Security
Mitigation: The attacker's potential lateral movement within the network could be constrained by monitoring and controlling east-west traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command-and-control channels may be limited by monitoring and controlling outbound communications across multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data could be constrained by enforcing strict egress policies that monitor and control outbound data flows.
The potential impact of unauthorized data access and identity theft could be reduced by limiting the attacker's ability to exfiltrate sensitive information.
Impact at a Glance
Affected Business Functions
- User Credential Management
- Cryptocurrency Transactions
- Software Development
- Web Browsing
Estimated downtime: N/A
Estimated loss: N/A
User credentials from browsers and Keychain, cryptocurrency wallet information, and plaintext secrets in developer files.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict unauthorized execution of scripts and binaries.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual activities indicative of malware execution.
- Educate users on the risks of executing unverified commands and the importance of verifying the authenticity of prompts.
- Regularly update and patch systems to mitigate vulnerabilities that could be exploited by malware.