剣 KENSAI
← All posts · security · 2026-03-28 · 6 min

Infinity Stealer Hits macOS via ClickFix, China's Red Menshen Embeds BPFDoor in Telecom Networks, Ajax Amsterdam Fan Data Breach

A new macOS info-stealer called Infinity uses ClickFix fake-CAPTCHA lures and Nuitka-compiled Python to evade detection. China-linked Red Menshen embeds kernel-level BPFDoor implants deep in telecom networks as "digital sleeper cells" for government espionage. AFC Ajax Amsterdam discloses a breach exposing 300,000+ fan accounts and 42,000 season tickets. Microsoft rolls out Smart App Control improvements in Windows 11.


🔴 Infinity Stealer — New macOS Malware Uses ClickFix and Nuitka Evasion

⚠️ ACTIVE THREAT — macOS Users at Risk

A new info-stealer named Infinity targets macOS systems using ClickFix social engineering lures. The malware is compiled with Nuitka, making it significantly harder to detect via static analysis than typical Python-based stealers.

Researchers at Malwarebytes have documented the first macOS campaign combining ClickFix delivery with a Nuitka-compiled Python infostealer. The attack represents a significant evolution in macOS threat sophistication.

Attack Chain

  1. ClickFix lure: The victim visits update-check[.]com, which presents a fake Cloudflare CAPTCHA asking the user to paste a base64-obfuscated curl command into the macOS Terminal
  2. Stage-1 Bash script: The decoded command writes the Nuitka loader to /tmp, removes the quarantine flag via xattr, and executes it with nohup. It passes C2 and token information via environment variables, then self-destructs
  3. Stage-2 Nuitka loader: An 8.6 MB Mach-O binary containing a 35 MB zstd-compressed archive with the final payload (UpdateHelper.bin)
  4. Stage-3 Infinity Stealer: Python 3.11 payload that performs anti-VM checks, then harvests credentials and exfiltrates via HTTP POST with Telegram notification

What Infinity Steals

Why Nuitka Matters

Unlike PyInstaller, which bundles Python bytecode that's relatively easy to reverse-engineer, Nuitka compiles Python to C code and then produces a genuine native binary. There's no obvious bytecode layer to decompile, making reverse engineering substantially harder and rendering many AV heuristics that flag PyInstaller bundles completely ineffective.

🛡️ Defense: Never paste commands from websites into Terminal. Cloudflare CAPTCHAs never require Terminal commands. macOS users should consider endpoint detection tools that monitor xattr -d com.apple.quarantine activity and suspicious /tmp executions.


🔴 China-Linked Red Menshen Deploys BPFDoor "Sleeper Cells" in Telecom Networks

⚠️ ONGOING ESPIONAGE CAMPAIGN — Telecom & Government Targets

Red Menshen (Earth Bluecrow / DecisiveArchitect) has embedded kernel-level BPFDoor implants in telecom networks across the Middle East and Asia since 2021, enabling covert government surveillance.

Rapid7 Labs has published a comprehensive analysis of an ongoing espionage campaign by Red Menshen, a China-nexus threat group that has been embedding itself inside telecom networks to spy on government communications. Rapid7 describes the access mechanisms as "some of the stealthiest digital sleeper cells" ever encountered in telecommunications infrastructure.

BPFDoor — The Invisible Backdoor

Unlike conventional malware, BPFDoor does not open listening ports or maintain visible C2 channels. Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the Linux kernel. It activates only when it receives a specifically crafted "magic" trigger packet — otherwise it's completely invisible to network monitoring.

ComponentFunction
BPFDoor ImplantPassive backdoor with kernel-level BPF filter; spawns reverse shell on magic packet
BPFDoor ControllerAttacker-operated tool that sends crafted trigger packets; can masquerade as system processes
CrossC2 / SliverPost-exploitation beacon frameworks for lateral movement
TinyShellUnix backdoor for persistent command execution
Credential harvestersKeyloggers and brute-force utilities for lateral movement

Telecom-Specific Capabilities

Certain BPFDoor variants support SCTP (Stream Control Transmission Protocol), a protocol used in telecom signaling (SS7/Diameter). This potentially enables Red Menshen to:

New Evasion Variant

A previously undocumented BPFDoor variant conceals its trigger packet within seemingly legitimate HTTPS traffic, with a novel parsing mechanism requiring the string "9999" at a fixed byte offset. This makes it even harder for network security tools to distinguish BPFDoor activation from normal encrypted web traffic.

🔗 Initial Access Vectors

Red Menshen targets internet-facing infrastructure from Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts — a who's-who of enterprise edge devices. Telecom providers should prioritize patching all edge appliances and hunt for passive BPF filters on Linux systems.


🟠 Ajax Amsterdam Hack Exposes 300K+ Fan Accounts, 42K Season Tickets at Risk

AFC Ajax, one of European football's most storied clubs (four-time Champions League winners, 36 Eredivisie titles), has disclosed a data breach after a hacker exploited vulnerabilities in its IT systems.

What Was Exposed

Responsible Disclosure Path

In an unusual twist, the hacker chose to disclose the vulnerabilities to RTL journalists rather than exploit them for profit. RTL independently verified the flaws and demonstrated the ticket hijacking capability live. Ajax confirmed that no data was leaked externally and that all identified vulnerabilities have since been patched.

The Dutch Data Protection Authority and police have been notified. An external forensics team has been engaged to determine root cause and full scope.

⚽ Fan advisory: Ajax supporters who have registered with the club's systems or hold season tickets should watch for suspicious emails or communications impersonating AFC Ajax. The club confirmed that the exposed data has not been leaked, but the full investigation is ongoing.


🟡 Windows 11 KB5079391 — Smart App Control & Display Improvements

Microsoft has released the KB5079391 preview cumulative update for Windows 11 24H2 and 25H2, featuring 29 changes including notable security-adjacent improvements:

Smart App Control is Microsoft's reputation-based application control feature that blocks untrusted software. The improvements tighten the net around unsigned executables — particularly relevant given the rise of Nuitka-compiled and PyInstaller-wrapped malware payloads like Infinity Stealer.

📋 Update note: This is an optional preview update. It will be included in the April 2026 Patch Tuesday release. Organizations running Windows 11 24H2/25H2 can deploy early via WSUS or Intune for testing.


📋 Patch Priorities & Action Items

PriorityActionTarget
CRITICALHunt for BPFDoor implants on Linux systems (check BPF filters)Telecom / critical infrastructure
CRITICALPatch all edge appliances (Ivanti, Cisco, Juniper, Fortinet, PAN-OS)Network/perimeter teams
HIGHDeploy endpoint monitoring for ClickFix/Terminal abuse on macOSmacOS fleet admins
HIGHBlock update-check[.]com and related Infinity Stealer IOCsSOC / DNS filtering
MEDIUMTest Windows 11 KB5079391 (Smart App Control improvements)Windows admins
MEDIUMReview API security and shared key practices (Ajax-style exposure)Web application teams