👤 LOGICFALCON
🗓️ 28 Mar 2026  

CAPTCHA Con: Mac Users Fooled by Fake Cloudflare Page in Sophisticated Malware Heist

A deceptive Cloudflare-themed verification trick lures macOS users into running terminal commands, unleashing the Python-based Infiniti Stealer in a widening cybercrime campaign.

It started with what looked like a routine hurdle: a Cloudflare verification page, the kind millions see each day to prove they're not bots. But for an unlucky group of Mac users, this checkpoint was the first step in an elaborate digital ambush. Behind the familiar CAPTCHA façade lurked a new variant of the ClickFix attack, now fine-tuned to slip past macOS defenses and deliver a stealthy information thief - Infiniti Stealer.

The anatomy of this attack reads like a cybercriminal’s playbook for the modern Mac era. Victims land on a page masquerading as a Cloudflare human verification portal. Instead of clicking images to identify traffic lights or crosswalks, users are instructed - under the guise of “proving you’re real” - to copy and paste a command into their Terminal. This social engineering twist, known as ClickFix, has been around since August 2024, but its seamless adaptation to macOS marks a new chapter in cross-platform malware campaigns.

Once the command is executed, the user's machine quietly downloads a Bash script from a remote server. The script does more than just fetch malware: it decodes an embedded payload, writes a new binary to a temporary folder, strips away the quarantine flag, and launches the real threat - all while erasing its own tracks and closing the Terminal window to avoid suspicion.
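The dropper behaviours listed above (decode an embedded payload, write it to a temporary folder, strip the quarantine flag, launch it, then clean up) are individually ordinary shell operations; it is the combination that gives them away. The following Python triage script, an added example that is not part of the article or of any vendor tooling, scores a captured shell snippet against those behaviours. The indicator regexes, weights, thresholds and both sample scripts are constructed for illustration.

```python
"""Score a captured shell snippet for the ClickFix-style dropper pattern the
article describes. Added example, not from the article; indicator weights and
thresholds are assumptions, and the two sample scripts below are constructed."""
import re

# (name, regex, weight). Weights are an assumption for this example.
INDICATORS = [
    ("remote_fetch_to_shell", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b"), 3),
    ("embedded_payload_decode", re.compile(r"\bbase64\b\s+(-d|--decode|-D)\b"), 2),
    ("write_to_temp_dir", re.compile(r"(/tmp/|\$TMPDIR|/private/tmp/|/var/folders/)"), 1),
    ("quarantine_flag_removal", re.compile(r"\bxattr\b[^\n]*com\.apple\.quarantine"), 4),
    ("mark_executable", re.compile(r"\bchmod\b\s+(\+x|[0-7]*7[0-7]*)\b"), 1),
    ("history_wipe", re.compile(r"\b(history\s+-c|unset\s+HISTFILE|rm\b[^\n]*\.(bash|zsh)_history)"), 2),
    ("terminal_close", re.compile(r"osascript\b[^\n]*Terminal[^\n]*\bquit\b", re.IGNORECASE), 2),
    ("self_delete", re.compile(r"\brm\b[^\n]*\$0"), 2),
]


def verdict(score: int) -> str:
    """Map a summed indicator weight to an action (thresholds are an assumption)."""
    if score >= 8:
        return "block"
    if score >= 4:
        return "review"
    return "allow"


def triage(script: str) -> dict:
    """Return the matched indicator names, their summed weight and a verdict."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(script)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "verdict": verdict(score)}


# CONSTRUCTED test fixture mirroring the steps the article lists; the payload
# is a dummy base64 string, not a real artifact.
SAMPLE_DROPPER = r'''#!/bin/bash
PAYLOAD="QUFBQQ=="
OUT="$TMPDIR/update"
echo "$PAYLOAD" | base64 -d > "$OUT"
chmod +x "$OUT"
xattr -d com.apple.quarantine "$OUT"
"$OUT" &
history -c
osascript -e 'tell application "Terminal" to quit'
rm -f "$0"
'''

# CONSTRUCTED benign script: writes to the temp folder but does nothing else suspicious.
SAMPLE_BENIGN = r'''#!/bin/bash
set -euo pipefail
LOG="$TMPDIR/build.log"
make all 2>&1 | tee "$LOG"
'''

if __name__ == "__main__":
    for label, sample in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

Weighting the quarantine-flag removal highest reflects the article's point: a user-pasted command that disables Gatekeeper's quarantine check on a freshly written binary has almost no legitimate reason to also wipe shell history and quit Terminal, so the benign build script stays at "allow" while the fixture lands at "block".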

The dropped binary, built using Nuitka (a tool that compiles Python to native code), further complicates detection. Traditional antivirus tools, tuned to spot Python scripts, are left flat-footed by this native binary. Once running, the loader decompresses its hidden cargo: Infiniti Stealer. This malware is a digital pickpocket - rifling through browser logins, Apple Keychain secrets, cryptocurrency wallets, sensitive developer files, and even grabbing screenshots of the user’s desktop.

All stolen information is quietly sent back to a command-and-control (C&C) server using HTTP POST requests. The operation doesn’t stop there; the malware notifies its operators via Telegram, and the harvested credentials are queued for password cracking on the attacker’s infrastructure. For stealth, Infiniti Stealer employs randomized delays and checks that it is not running in an analysis environment, raising the bar for defenders.
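On the network side, the exfiltration pattern just described (bulk HTTP POSTs to an unfamiliar host, followed by a call to the Telegram bot API) can be triaged from egress logs without relying on beacon timing, which the randomized delays are designed to defeat. The script below is an added example, not from the article or any product: the log format, host allowlist, byte threshold and every sample record are constructed, and 203.0.113.7 is a documentation-range address.

```python
"""Triage constructed egress records for the exfiltration pattern the article
describes. Added example; field names, hosts and thresholds are assumptions."""
from collections import defaultdict
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) method=(?P<method>GET|POST) "
    r"host=(?P<host>\S+) bytes=(?P<bytes>\d+)$"
)

# Hosts this hypothetical fleet is expected to POST to; anything else is "unfamiliar".
KNOWN_POST_HOSTS = {"api.github.com", "update.example-vendor.test"}
TELEGRAM_API_HOST = "api.telegram.org"
POST_BYTES_THRESHOLD = 200_000  # assumption: tune to the environment
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/")

# CONSTRUCTED sample: a normal developer tool, a system daemon, and a binary
# running from a temporary folder that posts data in two chunks, then pings Telegram.
SAMPLE_LOG = """\
2026-03-28T10:00:01Z proc=/Applications/Dev.app/Contents/MacOS/Dev method=POST host=api.github.com bytes=4096
2026-03-28T10:00:09Z proc=/private/tmp/update method=GET host=203.0.113.7 bytes=512
2026-03-28T10:00:31Z proc=/private/tmp/update method=POST host=203.0.113.7 bytes=180000
2026-03-28T10:01:17Z proc=/private/tmp/update method=POST host=203.0.113.7 bytes=95000
2026-03-28T10:01:58Z proc=/private/tmp/update method=POST host=api.telegram.org bytes=640
2026-03-28T10:02:00Z proc=/usr/libexec/trustd method=GET host=ocsp.apple.com bytes=1200
"""


def parse(log_text: str) -> list:
    """Parse the constructed key=value log format; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records


def triage(log_text: str) -> dict:
    """Return {process: [reasons]} for processes showing at least two of:
    bulk POSTs to unfamiliar hosts, Telegram bot API contact, temp-folder origin."""
    per_proc = defaultdict(lambda: {"post_bytes": defaultdict(int),
                                    "telegram": False, "temp_path": False})
    for r in parse(log_text):
        p = per_proc[r["proc"]]
        if r["proc"].startswith(TEMP_PREFIXES):
            p["temp_path"] = True
        if r["host"] == TELEGRAM_API_HOST:
            p["telegram"] = True
        if r["method"] == "POST" and r["host"] not in KNOWN_POST_HOSTS:
            p["post_bytes"][r["host"]] += r["bytes"]  # volume is summed per host, not per request

    findings = {}
    for proc, p in per_proc.items():
        reasons = []
        bulk = sorted(h for h, b in p["post_bytes"].items() if b >= POST_BYTES_THRESHOLD)
        if bulk:
            reasons.append("bulk POST to unfamiliar host(s): " + ", ".join(bulk))
        if p["telegram"]:
            reasons.append("contacted Telegram bot API")
        if p["temp_path"]:
            reasons.append("executable runs from a temporary folder")
        if len(reasons) >= 2:
            findings[proc] = reasons
    return findings


if __name__ == "__main__":
    for proc, reasons in triage(SAMPLE_LOG).items():
        print(proc, "->", "; ".join(reasons))
```

Summing POST volume per host rather than alerting on any single request is what catches the chunked upload in the fixture (180 kB plus 95 kB, neither alone over the threshold), and requiring two independent reasons keeps the GitHub-posting developer tool and the OCSP check by trustd out of the findings.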

Security experts warn that the use of legitimate branding - like Cloudflare’s - combined with technical innovations such as Nuitka compilation, signals a growing sophistication in Mac-targeted attacks. What once was a Windows-only menace is now a multi-platform threat, and the success of these campaigns could inspire a surge in similar tactics targeting unsuspecting Mac users worldwide.

The lesson is stark: even the most familiar web pages can be weaponized, and Mac users can no longer rely on obscurity as a shield. As attackers refine their social engineering and technical methods, vigilance and skepticism are more crucial than ever in the fight against digital deception.

WIKICROOK

  • Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • Bash Script: A Bash script is a file with commands for the Bash shell, used to automate and simplify tasks on Unix-like operating systems.
  • Nuitka: Nuitka is a Python compiler that converts scripts into native binaries, often used by attackers to make malware analysis and detection more difficult.
  • Keychain: Keychain is Apple’s secure storage system for passwords and sensitive data, using encryption to protect user credentials on macOS and iOS devices.

LOGICFALCON, Log Intelligence Investigator