Another worrying macOS malware scheme has been discovered — here's how to stay safe | TechRadar
- Malwarebytes uncovers Infiniti Stealer targeting macOS via ClickFix social engineering
- Victims tricked into running malicious Terminal code, bypassing traditional defenses
- Stealer compiled with Nuitka, exfiltrates browser credentials, Keychain data, wallets, and screenshots
macOS devices are being increasingly targeted with malware, as security researchers discover yet another infostealer variant in the wild.
Malwarebytes published an in-depth report on a piece of malware called Infiniti Stealer, which was apparently compiled in a rather unusual fashion.
Infiniti Stealer is apparently distributed via a ClickFix social engineering attack. A ClickFix attack tricks the victim by presenting a “problem” and, at the same time, offering a “solution”. In this case, Malwarebytes says the victims are being redirected to update-check[.]com (most likely through phishing emails claiming certain software needs updating in order to work properly) where they are shown a benign-looking CAPTCHA.
Besides the usual “I am not a robot” checkbox, the CAPTCHA has an additional step (which should also serve as a major red flag): to open Spotlight (the built-in search tool), run Terminal, and paste the given code. This code runs a dropper which, in turn, delivers Infiniti Stealer.
“Because the user runs the command directly, many traditional defenses are bypassed,” Malwarebytes explained. “There’s no exploit, no malicious attachment, and no drive‑by download.”
What makes this malware stand out is the fact that it is written in Python, but compiled with Nuitka, a compiler that converts Python code into standalone executables or optimized binaries.
The resulting product is a native macOS binary which, according to the researchers, makes it harder to analyze and detect compared to your typical off-the-shelf Python-based malware.
“To our knowledge, this is the first documented macOS campaign combining ClickFix delivery with a Nuitka-compiled Python stealer,” Malwarebytes said.
An infostealer is a malware variant designed to exfiltrate sensitive data from target devices. Usually delivered through social engineering, infostealers get installed through droppers and try to upload various types of information to an attacker-controlled server, including browser data (cookies, stored passwords, cryptocurrency wallet plugins, etc.), passwords, sensitive files (.docx, .txt, .pdf, and other formats), and other files deemed of value.
Depending on the type of malware, these can try to upload more or less data, and come with different obfuscation and persistence mechanisms.
Infiniti is capable of stealing a wide range of sensitive data. Primarily, it hunts for credentials from Chromium-based browsers, as well as Firefox. It can exfiltrate macOS Keychain entries, cryptocurrency wallets, and plaintext secrets in developer files such as .env. Finally, it will also exfiltrate screenshots captured during execution.
Social engineering is a popular scam tactic, and phishing emails continue to be the biggest attack vector out there. To avoid falling prey to these campaigns, exercise caution and a high level of skepticism towards any and all incoming communications, be it email, instant messaging, or phone. Double-check all links shared in an email, and look for typos, letters replaced by numbers, and otherwise suspicious variations of known domains. (For example, “microsoft” is often spelled with “rn” instead of “m” in phishing emails, as in “rnicrosoft”, making it almost indistinguishable.)
Be careful when downloading attachments (especially when receiving an unexpected message) and make sure you’re running phishing-proof multi-factor authentication.
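The link check described above (typos, digits substituted for letters, “rn” standing in for “m”) can be automated. The following is an added example, not code from Malwarebytes or TechRadar; the list of known domains, the substitution table, and the sample hostnames are assumptions constructed for illustration, and it also flags one case beyond those named in the text: a known domain used as the leading labels of an unrelated host.

```python
# Added example: flag lookalike hostnames found in links or sender addresses.
# KNOWN_DOMAINS and CONFUSABLES are assumptions chosen for illustration.
KNOWN_DOMAINS = ["microsoft.com", "apple.com", "google.com", "paypal.com"]
# Look-alike substitutions: multi-character sequences, then digits for letters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def skeleton(name: str) -> str:
    """Fold look-alike sequences so visually similar names compare equal."""
    for seq, repl in CONFUSABLES:
        name = name.replace(seq, repl)
    return name

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_domain(domain: str, max_typos: int = 1):
    """Return (verdict, known_domain) for a hostname taken from a link."""
    host = domain.strip().lower().rstrip(".")
    for known in KNOWN_DOMAINS:
        if host == known or host.endswith("." + known):
            return ("known", known)
    # Simplification: treat the last two labels as the registered domain
    # (a production check would consult the Public Suffix List).
    registered = ".".join(host.split(".")[-2:])
    for known in KNOWN_DOMAINS:
        if skeleton(registered) == skeleton(known):
            return ("lookalike", known)
        if edit_distance(registered, known) <= max_typos:
            return ("typo", known)
        # A known domain used as the leading labels of an unrelated host.
        if host.startswith(known + ".") or ("." + known + ".") in host:
            return ("embedded", known)
    return ("unknown", None)

# Constructed sample hostnames, not taken from any real campaign.
SAMPLES = ["login.microsoft.com", "rnicrosoft.com", "micr0soft.com",
           "microsft.com", "paypal.com.account-verify.example", "example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:40} {check_domain(s)}")
```

An “unknown” verdict only means the host resembles nothing on the list, so the result is a triage signal for mail or proxy logs rather than a safety guarantee.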
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
TechRadar is part of Future US Inc, an international media group and leading digital publisher.