Infinity Stealer Hits macOS via ClickFix, China's Red Menshen Embeds BPFDoor in Telecom Networks, Ajax Amsterdam Fan Data Breach
A new macOS info-stealer called Infinity uses ClickFix fake-CAPTCHA lures and Nuitka-compiled Python to evade detection. China-linked Red Menshen embeds kernel-level BPFDoor implants deep in telecom networks as "digital sleeper cells" for government espionage. AFC Ajax Amsterdam discloses a breach exposing 300,000+ fan accounts and 42,000 season tickets. Microsoft rolls out Smart App Control improvements in Windows 11.
🔴 Infinity Stealer — New macOS Malware Uses ClickFix and Nuitka Evasion
⚠️ ACTIVE THREAT — macOS Users at Risk
A new info-stealer named Infinity targets macOS systems using ClickFix social engineering lures. The malware is compiled with Nuitka, making it significantly harder to detect via static analysis than typical Python-based stealers.
Researchers at Malwarebytes have documented the first macOS campaign combining ClickFix delivery with a Nuitka-compiled Python infostealer. The attack represents a significant evolution in macOS threat sophistication.
Attack Chain
- ClickFix lure: The victim visits
update-check[.]com, which presents a fake Cloudflare CAPTCHA asking the user to paste a base64-obfuscatedcurlcommand into the macOS Terminal - Stage-1 Bash script: The decoded command writes the Nuitka loader to
/tmp, removes the quarantine flag viaxattr, and executes it withnohup. It passes C2 and token information via environment variables, then self-destructs - Stage-2 Nuitka loader: An 8.6 MB Mach-O binary containing a 35 MB zstd-compressed archive with the final payload (
UpdateHelper.bin) - Stage-3 Infinity Stealer: Python 3.11 payload that performs anti-VM checks, then harvests credentials and exfiltrates via HTTP POST with Telegram notification
What Infinity Steals
- Chromium and Firefox credentials — saved passwords, cookies, autofill data
- macOS Keychain entries — system-wide stored secrets
- Cryptocurrency wallets — all major wallet applications
- Developer secrets — plaintext credentials in
.envfiles, SSH keys, cloud tokens - Screenshots — visual capture of desktop activity
Why Nuitka Matters
Unlike PyInstaller, which bundles Python bytecode that's relatively easy to reverse-engineer, Nuitka compiles Python to C code and then produces a genuine native binary. There's no obvious bytecode layer to decompile, making reverse engineering substantially harder and rendering many AV heuristics that flag PyInstaller bundles completely ineffective.
🛡️ Defense: Never paste commands from websites into Terminal. Cloudflare CAPTCHAs never require Terminal commands. macOS users should consider endpoint detection tools that monitor xattr -d com.apple.quarantine activity and suspicious /tmp executions.
🔴 China-Linked Red Menshen Deploys BPFDoor "Sleeper Cells" in Telecom Networks
⚠️ ONGOING ESPIONAGE CAMPAIGN — Telecom & Government Targets
Red Menshen (Earth Bluecrow / DecisiveArchitect) has embedded kernel-level BPFDoor implants in telecom networks across the Middle East and Asia since 2021, enabling covert government surveillance.
Rapid7 Labs has published a comprehensive analysis of an ongoing espionage campaign by Red Menshen, a China-nexus threat group that has been embedding itself inside telecom networks to spy on government communications. Rapid7 describes the access mechanisms as "some of the stealthiest digital sleeper cells" ever encountered in telecommunications infrastructure.
BPFDoor — The Invisible Backdoor
Unlike conventional malware, BPFDoor does not open listening ports or maintain visible C2 channels. Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the Linux kernel. It activates only when it receives a specifically crafted "magic" trigger packet — otherwise it's completely invisible to network monitoring.
| Component | Function |
|---|---|
| BPFDoor Implant | Passive backdoor with kernel-level BPF filter; spawns reverse shell on magic packet |
| BPFDoor Controller | Attacker-operated tool that sends crafted trigger packets; can masquerade as system processes |
| CrossC2 / Sliver | Post-exploitation beacon frameworks for lateral movement |
| TinyShell | Unix backdoor for persistent command execution |
| Credential harvesters | Keyloggers and brute-force utilities for lateral movement |
Telecom-Specific Capabilities
Certain BPFDoor variants support SCTP (Stream Control Transmission Protocol), a protocol used in telecom signaling (SS7/Diameter). This potentially enables Red Menshen to:
- Monitor subscriber behavior and location data
- Track specific individuals of interest through telecom metadata
- Intercept government communications traversing the compromised network
- Move laterally between internal telecom systems using the controller's LAN capabilities
New Evasion Variant
A previously undocumented BPFDoor variant conceals its trigger packet within seemingly legitimate HTTPS traffic, with a novel parsing mechanism requiring the string "9999" at a fixed byte offset. This makes it even harder for network security tools to distinguish BPFDoor activation from normal encrypted web traffic.
🔗 Initial Access Vectors
Red Menshen targets internet-facing infrastructure from Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts — a who's-who of enterprise edge devices. Telecom providers should prioritize patching all edge appliances and hunt for passive BPF filters on Linux systems.
🟠 Ajax Amsterdam Hack Exposes 300K+ Fan Accounts, 42K Season Tickets at Risk
AFC Ajax, one of European football's most storied clubs (four-time Champions League winners, 36 Eredivisie titles), has disclosed a data breach after a hacker exploited vulnerabilities in its IT systems.
What Was Exposed
- 300,000+ accounts with fan details accessible via APIs and shared keys
- 42,000 season tickets that could be transferred to arbitrary people in seconds
- 538 stadium bans that could be viewed and modified (including names, emails, dates of birth)
- VIP season tickets — journalists demonstrated reassigning one in under a minute
Responsible Disclosure Path
In an unusual twist, the hacker chose to disclose the vulnerabilities to RTL journalists rather than exploit them for profit. RTL independently verified the flaws and demonstrated the ticket hijacking capability live. Ajax confirmed that no data was leaked externally and that all identified vulnerabilities have since been patched.
The Dutch Data Protection Authority and police have been notified. An external forensics team has been engaged to determine root cause and full scope.
⚽ Fan advisory: Ajax supporters who have registered with the club's systems or hold season tickets should watch for suspicious emails or communications impersonating AFC Ajax. The club confirmed that the exposed data has not been leaked, but the full investigation is ongoing.
🟡 Windows 11 KB5079391 — Smart App Control & Display Improvements
Microsoft has released the KB5079391 preview cumulative update for Windows 11 24H2 and 25H2, featuring 29 changes including notable security-adjacent improvements:
- Smart App Control (SAC) improvements — Enhanced detection of unsigned and untrusted applications, including better handling of scripts and macro-enabled documents
- Display improvements — Better HDR calibration and multi-monitor handling
- 29 total changes — Including reliability fixes across multiple subsystems
Smart App Control is Microsoft's reputation-based application control feature that blocks untrusted software. The improvements tighten the net around unsigned executables — particularly relevant given the rise of Nuitka-compiled and PyInstaller-wrapped malware payloads like Infinity Stealer.
📋 Update note: This is an optional preview update. It will be included in the April 2026 Patch Tuesday release. Organizations running Windows 11 24H2/25H2 can deploy early via WSUS or Intune for testing.
📋 Patch Priorities & Action Items
| Priority | Action | Target |
|---|---|---|
| CRITICAL | Hunt for BPFDoor implants on Linux systems (check BPF filters) | Telecom / critical infrastructure |
| CRITICAL | Patch all edge appliances (Ivanti, Cisco, Juniper, Fortinet, PAN-OS) | Network/perimeter teams |
| HIGH | Deploy endpoint monitoring for ClickFix/Terminal abuse on macOS | macOS fleet admins |
| HIGH | Block update-check[.]com and related Infinity Stealer IOCs | SOC / DNS filtering |
| MEDIUM | Test Windows 11 KB5079391 (Smart App Control improvements) | Windows admins |
| MEDIUM | Review API security and shared key practices (Ajax-style exposure) | Web application teams |