Infinity Stealer Malware Is Using ClickFix Social Engineering to Hit macOS Users

Infinity Stealer Malware: How ClickFix Social Engineering Is Now Targeting macOS Users in 2026

Photo by Kevin Horvat on Unsplash

Key Takeaways

• Discovered on March 26, 2026 by Malwarebytes researcher Marcelo Rivero, Infinity Stealer (internally codenamed NukeChain) is the first documented macOS campaign combining ClickFix delivery with a Nuitka-compiled Python infostealer.
• The attack uses a pixel-perfect fake Cloudflare CAPTCHA page at update-check[.]com to trick users into pasting a malicious Terminal command — no software vulnerability needed.
• The malware steals browser credentials, macOS Keychain entries, cryptocurrency wallet seed phrases, SSH keys, developer .env secrets, screenshots, and session tokens, then alerts the attacker via Telegram.
• The native Apple Silicon ARM64 binary defeats bytecode-based detection tools, making user awareness your most critical first line of defense.

What Happened

On March 26, 2026, Malwarebytes macOS Research Lead Marcelo Rivero published findings on a newly identified malware family he had been tracking internally as NukeChain, now formally identified as Infinity Stealer. In Rivero's own words: "The macOS infostealer we first tracked as #NukeChain is now identified as #Infiniti Stealer." This marks a documented first: a macOS attack combining ClickFix delivery — a social engineering technique (a manipulation method that tricks people rather than exploiting software) — with a Python infostealer compiled using Nuitka into a fully native Apple Silicon binary.

The attack originates from the domain update-check[.]com, which hosts a pixel-perfect imitation of a Cloudflare CAPTCHA verification page. Visitors are told to paste a command into macOS Terminal to "prove they are human." That command is a base64-obfuscated (encoded to conceal its true purpose) curl instruction that silently downloads and executes the malware. Because the user runs the command themselves, macOS's Gatekeeper and quarantine defenses are bypassed entirely — no zero-day vulnerability (a security flaw with no available patch) required.

The final payload is a Python 3.11 infostealer compiled via Nuitka's onefile mode into a Mach-O binary (Apple's native executable format) approximately 8.6 MB in size, with an embedded ~35 MB zstd-compressed archive. Once running, it exfiltrates stolen data via HTTP POST while sending a Telegram notification to the attacker. The dropper strips macOS quarantine attributes, runs silently in the background using nohup, and self-deletes via AppleScript while closing the Terminal window to cover its tracks.

Photo by Egor Komarov on Unsplash

Why It Matters for Your Organization's Security

This discovery should reshape how your organization thinks about macOS risk — and it reinforces the need for consistent cybersecurity best practices across every device platform you manage, not just Windows machines.

ClickFix was previously documented primarily as a Windows-targeting social engineering vector. Its rapid and successful adaptation to macOS is a turning point. Multiple security firms — including Sophos, Datadog Security Labs, and Jamf Threat Labs — published parallel research in early 2026 documenting this same convergence of ClickFix delivery with sophisticated macOS payloads. The long-held assumption that Macs are low-risk malware targets is being systematically dismantled.

The scope of what Infinity Stealer collects makes a single infection potentially catastrophic. The malware targets browser credentials from Chromium and Firefox, macOS Keychain entries (the system's built-in password vault), cryptocurrency wallet seed phrases, SSH private keys (used for secure server access), developer .env files containing API keys and database passwords, full-screen screenshots, and active session tokens (authentication cookies that keep accounts logged in without a password). A single compromise could expose cloud infrastructure, financial accounts, development pipelines, and customer-facing systems simultaneously — a serious data protection concern for any business.

The connection to MacSync (also known as SHub) makes this threat even more credible. Infinity Stealer shares a Bash dropper template with MacSync, suggesting a common malware builder or shared threat actor ecosystem. MacSync ran documented ClickFix campaigns in November 2025, December 2025, and February 2026, targeting users in Belgium, India, North America, and South America — indicating a persistent, geographically broad operation with an active development cycle.

The evasion capabilities also create a significant incident response challenge. The malware performs anti-sandbox checks targeting at least five environments — Any.Run, Joe Sandbox, Hybrid Analysis, VMware, and VirtualBox — aborting execution if detected. More critically, Nuitka compilation produces a real native binary with no extractable bytecode layer. As Malwarebytes' report explains: "Compared to PyInstaller, which bundles Python with bytecode, it's more evasive because it produces a real native binary with no obvious bytecode layer, making reverse engineering much harder." This defeats the bytecode extraction methods that EDR (Endpoint Detection and Response) solutions have historically relied upon.

The practical conclusion: security awareness is now a hard technical control, not an optional add-on. This attack exploits no software flaw whatsoever. If your team knows never to paste commands into Terminal from a web page — regardless of how official that page appears — this entire attack chain fails. Reinforcing cybersecurity best practices at the human layer is as important as any endpoint tool you deploy.

Photo by Miłosz Klinowski on Unsplash

The AI Angle

Infinity Stealer exposes a growing gap in AI-assisted threat detection. Traditional signature-based detection (scanning files against known malicious patterns) is ineffective against Nuitka-compiled binaries because there is no accessible bytecode layer to analyze. This is accelerating the industry's shift to behavioral AI detection — systems that flag malicious activity based on what a program does at runtime, not what it looks like on disk.

Tools like Malwarebytes Endpoint Detection and Response and Jamf Protect (a macOS-native endpoint security platform) are incorporating AI-driven behavioral analysis to catch the anomalous patterns Infinity Stealer exhibits: Terminal processes spawning unexpected children, large outbound HTTP POST payloads, and Keychain access outside normal application contexts. AI-powered threat intelligence platforms are also correlating the shared Bash dropper templates across MacSync and Infinity Stealer campaigns, enabling faster attribution and earlier warning before new variants reach scale.

For security teams, the operational priority is clear: invest in endpoint tools with native Apple Silicon support that emphasize runtime behavioral monitoring. Static file analysis alone is no longer a sufficient data protection strategy against this generation of macOS infostealers.

What Should You Do? 3 Action Steps

1. Block the Known Domain and Run ClickFix Security Awareness Training

Add update-check[.]com to your DNS blocklist or web content filter immediately. More importantly, run security awareness training that specifically covers ClickFix social engineering — show employees what a fake CAPTCHA prompt looks like and establish a firm rule: no legitimate service ever instructs users to open Terminal and paste a command. This single behavioral policy defeats the Infinity Stealer kill chain at its first step and represents one of the highest-ROI cybersecurity best practices available to organizations of any size.

2. Audit Developer Secrets and Rotate Any Exposed Credentials

Infinity Stealer specifically targets .env files, SSH keys, and browser-stored passwords. Any Mac that may have visited a suspicious CAPTCHA page should be treated as potentially compromised. As part of your incident response procedure, rotate all API keys, cloud credentials, database passwords, and SSH key pairs on affected machines. Enforce a developer secrets policy: credentials belong in a dedicated secrets manager — such as 1Password Secrets Automation, HashiCorp Vault, or AWS Secrets Manager — not in plaintext files. This is a foundational data protection measure that limits the blast radius of any future infection.

3. Deploy a macOS-Native Behavioral EDR Solution

Your endpoint security stack for macOS needs to perform AI-driven runtime behavioral analysis, not just signature matching. Jamf Protect, CrowdStrike Falcon for Mac, or Malwarebytes EDR with full macOS support can detect the suspicious runtime behaviors Infinity Stealer exhibits. Ensure your chosen solution supports Apple Silicon ARM64 natively and receives regular threat intelligence feed updates — the MacSync and Infinity Stealer ecosystem has demonstrated a consistent campaign cadence through at least February 2026, and new variants should be expected.

Frequently Asked Questions

How do I know if my Mac has been infected by Infinity Stealer or NukeChain malware?

Signs of infection include a Terminal window that opened and closed unexpectedly, unfamiliar background processes in Activity Monitor, and unauthorized access to browser-saved passwords or cryptocurrency accounts. Because Infinity Stealer self-deletes after execution, on-disk evidence may be limited. If you suspect compromise, treat it as an incident response emergency: disconnect from the network, rotate all credentials stored on the device (browser passwords, SSH keys, .env secrets, and crypto seed phrases), and engage a qualified macOS security professional for forensic review. Published threat intelligence indicators of compromise (IOCs) from Malwarebytes' March 26, 2026 report can help your security team search endpoint logs for evidence of this specific campaign's artifacts.

How does the ClickFix social engineering attack on macOS work step by step?

A ClickFix attack presents the victim with a convincing fake web page — in this case, a pixel-perfect Cloudflare CAPTCHA at update-check[.]com. The page instructs the user to press a key combination that secretly copies a command to their clipboard, then open macOS Terminal and paste it. That command is a base64-obfuscated (encoded to disguise its content) curl instruction that downloads and runs the malware. Because the user executes the command manually, macOS Gatekeeper is bypassed — the OS sees a deliberate user action, not an unauthorized app launch. No software flaw is exploited anywhere in this chain. This is why security awareness training that teaches employees to recognize fake CAPTCHA prompts is the single most direct defense against this attack vector.

How can small businesses protect their Mac computers from credential-stealing malware in 2026?

Layer your defenses across three areas. First, make cybersecurity best practices for credential storage non-negotiable: use a password manager, store developer secrets in a dedicated secrets management platform rather than .env files, and enable hardware two-factor authentication (such as YubiKey) for critical accounts. Second, conduct regular security awareness training so employees recognize fake CAPTCHA pages and understand that Terminal commands from websites are never legitimate. Third, deploy a lightweight macOS endpoint security tool such as Malwarebytes for Teams or Jamf Protect, and enable DNS filtering to block known malicious domains. Enabling FileVault disk encryption and auditing which applications hold Keychain and Full Disk Access permissions are additional data protection measures that reduce the damage any successful infection can cause.

Why is Nuitka-compiled malware so much harder for antivirus tools to detect than PyInstaller-based malware?

PyInstaller packages Python scripts by bundling the interpreter alongside compiled bytecode (.pyc files) that security tools can extract and scan for malicious patterns. EDR (Endpoint Detection and Response) solutions have built detection pipelines around this approach. Nuitka works fundamentally differently: it compiles Python source code into C, then into a true native binary — in this case, an Apple Silicon ARM64 Mach-O executable approximately 8.6 MB in size with a ~35 MB embedded compressed payload. The resulting file contains no Python-specific artifacts and no extractable bytecode. As Malwarebytes documented, this "makes reverse engineering much harder" and defeats the bytecode extraction methods that threat intelligence and detection teams have historically depended upon, forcing a full pivot to runtime behavioral analysis as the primary detection strategy.

What should I do immediately if my macOS Keychain or cryptocurrency wallet may have been compromised by infostealer malware?

Speed matters — act within the first hour if possible. For Keychain and browser credentials: change passwords for all financial accounts, email, and cloud services immediately, prioritizing the most critical. Enable or verify two-factor authentication across all important accounts. For cryptocurrency: if your seed phrase was stored anywhere on a potentially compromised Mac, assume full wallet compromise. Transfer all assets to a wallet generated on a clean, uncompromised device as quickly as possible and never reuse the same seed phrase. For SSH keys and developer credentials: revoke all key pairs, rotate API keys and database passwords, and review cloud provider access logs for unauthorized activity. As part of your broader incident response, preserve system logs before they are overwritten and report financial losses to the appropriate authorities. Practicing strong data protection hygiene — keeping secrets out of browsers and .env files — significantly reduces the damage even when an initial breach does occur.

Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs.