GoPlus: Malicious software Infiniti Stealer targets Mac users with attacks on encrypted wallets

DeepFlowTech · 2026-03-30T10:36:48+00:00

A malicious software called Infiniti Stealer conducts social engineering attacks using "ClickFix" to target Mac users' crypto wallets and sensitive credentials. The attacker impersonates the Cloudflare CAPTCHA page to trick users into executing malicious commands, stealing browser credentials, keychains, and developer keys, with the ability to evade tracking.

DeepFlowTech

2026-03-30 10:36:48

Abstract generation in progress

Deep Tide TechFlow message. On March 30, according to GoPlus Security, a data-stealing malware called Infiniti Stealer is using a “ClickFix” social engineering attack to target encryption wallets and sensitive credentials for Mac users.

The attackers forge a highly realistic Cloudflare verification code page, tricking users into opening the terminal and manually pasting to execute malicious commands. After the commands are executed, the script removes the macOS quarantine attribute and writes the next stage payload into the /tmp directory to run silently. The final payload is a native macOS binary compiled with Nuitka, significantly increasing the difficulty for security tools to detect it.

Once Infiniti Stealer is deployed, it can steal credentials from Chromium/Firefox browsers, the macOS keychain, encryption wallets, and developer key files (such as .env files), and it also has sandbox detection and delayed execution capabilities to evade tracking.

View Original

This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.