This Sneaky Mac Malware Is Hiding In Plain Sight
By 813 Staff

Engineers and executives are reacting to the report "This Sneaky Mac Malware Is Hiding In Plain Sight" from BleepingComputer (@BleepinComputer), posted on March 28, 2026.
Source: https://x.com/BleepinComputer/status/2037901382661943368
The notification pops up, seemingly from Apple Support itself, warning of a critical security flaw in macOS. It urges immediate action: download and run the “ClickFix” tool. For a growing number of users, that click is the last safe action their Mac will take for some time. Security researchers at BleepingComputer (@BleepinComputer) have detailed a sophisticated new malware campaign, active since at least March 28, that uses this exact social engineering lure to deploy a potent information stealer dubbed “Infinity.” Internal telemetry from several endpoint protection firms shows a sharp, targeted uptick in these attacks over the past 72 hours, primarily in North America and Europe, though the campaign appears to be global.
The “Infinity Stealer,” as analyzed by the researchers, is a multi-stage threat designed for data exfiltration. Once the fake ClickFix installer is launched, it bypasses Gatekeeper protections using a forged developer certificate (since revoked, though the actors are likely already moving to a new one) and establishes persistence. The payload then begins a systematic harvest: keychain passwords, browser cookies and autofill data, cryptocurrency wallets, and files from the Desktop and Documents folders. Notably, it also captures screenshots and gathers system information, creating a comprehensive profile of the victim. Engineers close to the project say the malware’s architecture suggests it was built with modularity in mind, allowing for rapid updates to its theft capabilities.
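The harvest pattern described above (one process touching the keychain, browser cookie stores, wallet directories, Desktop/Documents and the screenshot tool within a short window) is itself a usable detection signal. The following Python is an added, defender-side example for this article, not code from the article or from BleepingComputer: it scores per-process file-access events against those data categories and raises one alert per process that hits several of them within a time window. The event line format, the file paths, the allowlist and the sample log are constructed assumptions; the `ClickFix` process name in the sample reuses the lure's name and is not drawn from the campaign's telemetry.

```python
"""Heuristic detection of infostealer-style collection on macOS endpoints.

Added example for this article; not code from the article or from
BleepingComputer. Event format, paths, allowlist and sample log are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import fnmatch

# Category -> glob patterns on the accessed path (assumed typical macOS locations).
CATEGORY_PATTERNS = {
    "keychain": ["*/Library/Keychains/*"],
    "browser_cookies": [
        "*/Library/Application Support/Google/Chrome/*/Cookies",
        "*/Library/Application Support/Google/Chrome/*/Web Data",
        "*/Library/Application Support/Firefox/Profiles/*/cookies.sqlite",
        "*/Library/Cookies/Cookies.binarycookies",
    ],
    "crypto_wallet": [
        "*/Library/Application Support/Exodus/*",
        "*/.electrum/*",
        "*/Library/Application Support/Ledger Live/*",
    ],
    "user_documents": ["*/Desktop/*", "*/Documents/*"],
    "screenshot": ["*/screencapture"],  # exec of the system screenshot binary
}

# Processes expected to read their own stores; avoids the obvious false positives.
OWNER_ALLOWLIST = {
    "browser_cookies": {"Google Chrome", "firefox", "Safari"},
    "crypto_wallet": {"Exodus", "Electrum", "Ledger Live"},
    "keychain": {"securityd", "loginwindow"},
}

# Constructed sample log: "iso_timestamp|pid|process|action|path".
SAMPLE_EVENTS = """\
2026-03-28T14:01:50|601|Safari|open|/Users/alice/Library/Cookies/Cookies.binarycookies
2026-03-28T14:01:55|377|Finder|open|/Users/alice/Documents/budget.xlsx
2026-03-28T14:02:11|4242|ClickFix|open|/Users/alice/Library/Keychains/login.keychain-db
2026-03-28T14:02:13|4242|ClickFix|open|/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies
2026-03-28T14:02:14|4242|ClickFix|open|/Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco
2026-03-28T14:02:20|4242|ClickFix|open|/Users/alice/Documents/passport.pdf
2026-03-28T14:02:31|4242|ClickFix|exec|/usr/sbin/screencapture
2026-03-28T14:05:00|9001|Google Chrome|open|/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies
2026-03-28T14:09:00|4242|ClickFix|open|/Users/alice/Desktop/notes.txt
"""


def parse_event(line):
    """Split one pipe-delimited event line into a dict (timestamp parsed)."""
    ts, pid, proc, action, path = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "proc": proc, "action": action, "path": path}


def classify(path):
    """Return the sensitive-data category a path belongs to, or None."""
    for category, patterns in CATEGORY_PATTERNS.items():
        if any(fnmatch.fnmatchcase(path, p) for p in patterns):
            return category
    return None


def detect(lines, window_seconds=120, min_categories=3):
    """One alert per process that touches >= min_categories categories within
    window_seconds. A process reading its own store (Chrome reading Chrome
    cookies) is not counted."""
    by_proc = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        cat = classify(ev["path"])
        if cat is None or ev["proc"] in OWNER_ALLOWLIST.get(cat, set()):
            continue
        by_proc[(ev["pid"], ev["proc"])].append((ev["ts"], cat, ev["path"]))

    alerts = []
    window = timedelta(seconds=window_seconds)
    for (pid, proc), evs in by_proc.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            seen = {cat for _, cat, _ in in_window}
            if len(seen) >= min_categories:
                alerts.append({"pid": pid, "process": proc, "categories": seen,
                               "window_start": start.isoformat(),
                               "paths": [p for _, _, p in in_window]})
                break  # report each process once
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT pid={alert['pid']} proc={alert['process']} "
              f"categories={sorted(alert['categories'])} from {alert['window_start']}")
```

On the sample log only the `ClickFix` process is reported (five categories inside 20 seconds); Safari and Chrome touch only their own cookie stores and Finder touches a single category. The window and threshold are the tuning knobs: a lower threshold catches narrower stealers at the cost of noise from backup and sync agents, which would need their own allowlist entries.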
This incident matters because it represents a significant escalation in the targeting of macOS users. The social engineering is highly effective, mimicking Apple’s own alert style, and the malware’s operational security indicates a professional, financially motivated group behind it. The stolen data, particularly browser sessions and keychain items, provides immediate access to online accounts, enabling everything from financial theft to corporate espionage. For individuals, it’s a stark reminder that the perception of macOS invulnerability is dangerously outdated. For organizations with growing fleets of Macs, it exposes a critical vector that may not be covered by existing security stacks tuned primarily for Windows threats.
What happens next involves a cat-and-mouse game on several fronts. Apple will continue revoking the abusive certificates used to sign the malware, but the rollout of new detection signatures by third-party antivirus vendors has been anything but smooth, with some lag time leaving users exposed. The campaign’s infrastructure, traced to a network of compromised WordPress sites serving the payload, is being taken down, but new sites are likely to appear. The ultimate uncertainty lies in the final destination of the stolen data. While some will be sold in bulk on dark web forums, security analysts suspect a portion is being reserved for highly targeted attacks, meaning the full impact of this breach may not be felt for weeks or months as attackers leverage their access.