Full Report
Matt Binder reports that Mac users have a new malware threat to be on the watch out for. According to a new report by Malwarebytes, Infiniti Stealer is a new malware attack targeting Mac users that utilizes social engineering tactics and, once the payload is delivered to the device, is very difficult to detect. The hacker’s... Source
Analysis Summary
# Tool/Technique: Infiniti Stealer
## Overview
Infiniti Stealer is a newly discovered infostealer malware specifically targeting macOS users. It relies heavily on a specialized social engineering campaign known as "ClickFix" to bypass traditional security gatekeepers by tricking users into manually executing malicious commands via the system Terminal. Once installed, it is designed to exfiltrate sensitive data while maintaining a low detection profile.
## Technical Details
- **Type:** Malware Family (Infostealer)
- **Platform:** macOS
- **Capabilities:** Credential theft, data exfiltration, social engineering-driven delivery, evasion of automated detection.
- **First Seen:** Early 2026 (Reported March 2026)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1204.002 - User Execution: Malicious File/Command
- **TA0002 - Execution**
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- **TA0005 - Defense Evasion**
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1027 - Obfuscated Files or Information (via Python/Nuitka packaging)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Automated Data Harvesting:** Scans the system for browser credentials, cookies, and other sensitive files for exfiltration.
- **Terminal-Based Delivery:** Uses the user's own administrative context to download and execute the payload, bypassing many "unverified developer" macOS security prompts.
- **Stealth Profiles:** Utilizes Python (often compiled with Nuitka) to create a standalone binary that can be more difficult for traditional antivirus scanners to flag compared to raw scripts.
### Advanced Features
- **ClickFix Social Engineering:** Uses a fake "Human Verification" or "Update Required" lure. It presents a spoofed Cloudflare captcha that "fails," prompting a "manual step" where the user is instructed to copy-paste a malicious command line into the Terminal.
- **Process Impersonation:** Leverages legitimate system tools (Spotlight and Terminal) to establish the initial infection vector.
## Indicators of Compromise
- **File Hashes:** *(Specific hashes for current variants are typically found in the full Malwarebytes technical report; none were explicitly listed in the provided summary text.)*
- **File Names:** Often disguised as system updates or verification tools.
- **Network Indicators:**
- `hxxps[:]//[redacted-c2-domain][.]com`
- Fake verification domains mimicking Cloudflare or browser update pages.
- **Behavioral Indicators:**
- User launching Terminal via Spotlight and pasting base64 encoded or `curl | sh` style strings.
- Unexpected outbound network connections from Python-based binaries.
## Associated Threat Actors
- Currently attributed to actors utilizing the **ClickFix** campaign infrastructure (commonly associated with diverse cybercriminal groups leveraging Traffic Distribution Systems).
## Detection Methods
- **Signature-based detection:** Monitoring for MD5/SHA256 signatures of Python-compiled binaries associated with the Infiniti family.
- **Behavioral detection:** Flagging instances where Terminal is opened immediately following a web browser interaction with unfamiliar domains, or the execution of suspicious `curl` commands.
- **EDR Monitoring:** Identifying unauthorized access to Keychain files or browser profile directories by unsigned or newly signed binaries.
## Mitigation Strategies
- **User Education:** Train users to never copy and paste commands from a website into their Terminal or PowerShell, regardless of how official the site appears.
- **Endpoint Security:** Ensure macOS security features like Gatekeeper and XProtect are active and supplemented with modern EDR (Endpoint Detection and Response) tools.
- **Browser Filtering:** Implement DNS filtering or web security gateways to block known ClickFix/Phishing landing pages.
## Related Tools/Techniques
- **ClickFix:** The specific social engineering framework used for delivery.
- **ClearFake:** A similar campaign that uses fake browser updates.
- **Nuitka:** The Python compiler often used by malware authors to obfuscate code.
- **AMOS (Atomic macOS Stealer):** A similar macOS-targeting infostealer.