A sneaky new virus called Infiniti Stealer is hitting Macs. It uses fake “fix it” buttons to fool people and grabs passwords, crypto wallets, and more.
Built with hidden Python code, it’s hard for antivirus software to spot. This malware spreads through fake emails, bad ads, or phony App Store alerts.
It relies on a trick called ClickFix. Imagine your browser shows a scary error like “Your Mac is broken!” with a big “Fix Now” button. You click, and it asks you to allow a “quick repair.” Step by step, it guides you through turning off Mac safety features and entering your password. Before you know it, the virus is inside.
Infiniti is written in Python but turned into a normal-looking Mac app using Nuitka, a Python-to-C translator that compiles it into a standalone macOS binary. This hides the code so regular virus scanners and traditional antivirus detection miss it. The app acts like a system helper but, once executed, secretly copies your private stuff.

Nuitka strips Python bytecode, embeds dependencies, and produces an executable that mimics native apps, with anti-analysis features such as string encryption and dynamic API resolution. This obfuscation frustrates signature-based scanners; only behavioral heuristics from tools like CrowdStrike Falcon or SentinelOne catch it.
What it steals:
•Passwords from browsers like Chrome, Safari, and Firefox.
•Info from crypto apps like MetaMask or Exodus.
•Settings from VPNs like NordVPN.
•Pictures of your screen and saved Mac passwords.
It hides files in a secret folder, packs them, and sends them to hackers over the internet. Hackers even use Telegram to quietly control it.
Experts from Jamf and Kaspersky found it early this year on shady websites. Warning signs include apps pretending to be from “Infiniti Systems” or weird web addresses like fixupdate[.]cloud.
How it works, simply:
•Checks what apps you have.
•Hides itself and sets itself up to restart with your Mac.
•Deletes itself if it senses a test environment.
•Pretends to be a normal Mac process.
To stay safe:
•Keep Mac safety on (like Gatekeeper).
•Use a good antivirus like Malwarebytes.
•Check for strange startup items.
•Don’t click “fix” buttons from unknown sources.
•Practice spotting fake alerts.
According to Malwarebytes, new Mac updates help block some tricks, but hackers keep finding ways around. Macs aren’t as safe as they used to be, as more people use them. This virus shows why we all need to be careful online. Watch for pop-ups that push you to act fast.
This campaign underscores that macOS is no longer “immune.” Apple’s 30% desktop share invites commoditized stealers. Organizations should scan with YARA rules targeting Nuitka signatures and monitor for anomalous Python binaries. As Infiniti evolves, proactive threat hunting remains key.
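A Python stand-in for the Nuitka-focused scanning suggested above, added here as an example and not taken from the article or the vendors it names. The marker strings are assumptions about what the Nuitka runtime typically leaves in a compiled binary, not published signatures, and a hit means "built with Nuitka", not "malicious".

```python
import sys
from pathlib import Path

# On-disk magic bytes for thin and universal (fat) Mach-O files.
# Note: cafebabe is shared with Java class files, so markers are still required.
MACHO_MAGICS = {bytes.fromhex(h) for h in (
    "feedface", "cefaedfe", "feedfacf", "cffaedfe", "cafebabe", "cafebabf")}

# ASSUMED markers: names the Nuitka runtime commonly leaves in its output.
# They are heuristics to tune against known-good and known-bad samples.
NUITKA_MARKERS = (b"NUITKA_ONEFILE_PARENT", b"compiled_function",
                  b"compiled_generator", b"__compiled__")


def is_macho(data: bytes) -> bool:
    """True when the first four bytes are a Mach-O or fat-binary magic."""
    return data[:4] in MACHO_MAGICS


def triage(data: bytes, min_hits: int = 1) -> dict:
    """Report Nuitka markers found in a Mach-O image; other files are ignored."""
    macho = is_macho(data)
    hits = [m.decode() for m in NUITKA_MARKERS if m in data] if macho else []
    return {"macho": macho, "hits": hits, "flag": len(hits) >= min_hits}


def scan_tree(root: str, max_bytes: int = 64 * 1024 * 1024) -> list:
    """Walk a directory and return (path, hits) for every flagged file."""
    flagged = []
    for path in Path(root).rglob("*"):
        try:
            if path.is_symlink() or not path.is_file():
                continue
            if path.stat().st_size > max_bytes:
                continue  # skip very large files to bound memory use
            result = triage(path.read_bytes())
        except OSError:
            continue  # unreadable file: permissions, races, etc.
        if result["flag"]:
            flagged.append((str(path), result["hits"]))
    return flagged


if __name__ == "__main__":
    # Usage: python nuitka_triage.py ~/Library /Applications ...
    for root in sys.argv[1:] or ["."]:
        for path, hits in scan_tree(root):
            print(f"{path}: Nuitka markers {hits}")
```

Flagged files are leads for review: check each one's code signature and origin before treating it as hostile.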