Infosecurity

ClickLock Stealer: New macOS Malware Locks Your Mac Until You Type Your Password

Published

on

A new macOS stealer called ClickLock Stealer is making the rounds, and it has a nasty trick: it crashes essential apps in a loop until you type your password. Researchers at Group-IB spotted the malware, which combines a classic social engineering lure with a brutal coercion routine.

Published on June 16, the Group-IB report details how ClickLock Stealer has hit at least 100 victims across 33 countries in roughly two months. More than half of those targets are in Europe. The first sample appeared on VirusTotal on June 9 with zero detections.

This isn’t your average info-stealer. It’s modular, aggressive, and designed to make your machine unusable until you give up the goods.

The ClickFix Lure: Paste a Command, Lose Your Data

It all starts with a ClickFix page. Victims are tricked into copying a command and pasting it into Terminal. The page might pretend to be a Cloudflare verification or a browser update. Once pasted, an orchestrator script kicks in.

That script hides the cursor and plays a fake Cloudflare progress animation. Meanwhile, it downloads four separate components from two compromised WordPress sites. The user thinks they’re waiting for a verification to complete. In reality, their machine is being armed.

The Four Modules of ClickLock Stealer

The malware is built in pieces, each with a specific job:

  • Keychain stealer: Queries macOS for the Chrome Safe Storage key. That’s the AES key that decrypts passwords and cookies stored in Chrome’s offline database. Once obtained, the attacker can dump everything.
  • Credential module: Pops up a fake password dialog built in AppleScript. Here’s the clever (and terrifying) part: it validates the entered password against the local directory service. If you type the wrong password, the dialog just sits there. Only the correct password gets sent to the operator. No typos allowed.
  • Cryptocurrency module: Scans for more than 30 wallet extensions, including MetaMask and Phantom. It extracts encrypted vault fields from LevelDB storage. Crypto assets are a prime target.
  • GSocket backdoor: Installs an open-source reverse-shell tool, reused with roughly 80% of its original code. On macOS, it disguises itself as an iCloud process. This gives the attacker persistent remote access.

Kill Loops: The Coercion Tactic

If you type your password on the first prompt, the attacker gets it along with a system fingerprint. Game over. But what if you cancel? That’s where the coercion begins.

The orchestrator installs two LaunchAgents. These ensure that both credential modules relaunch every time you log in. Then the kill loops start.

A tight cycle terminates Finder, Dock, browsers, Terminal, and Activity Monitor. This cycle runs for up to 83 hours. Your desktop becomes a frozen mess. You can’t click anything. You can’t open a window. The only way to stop the madness is to type your password.

Meanwhile, a parallel loop kills NotificationCenter for about six hours. This suppresses Gatekeeper warnings. You won’t see the security prompts that might normally alert you to malicious activity.

Everything exfiltrates over Telegram. Three separate Telegram bots handle the stolen data. There’s no dedicated command-and-control server. Modules forge timestamps and delete themselves after execution, leaving only the GSocket backdoor behind.

A Broader Shift in macOS Malware

ClickLock Stealer doesn’t exist in a vacuum. The broader macOS stealer ecosystem is evolving fast. The Atomic macOS Stealer (AMOS) family gained an embedded backdoor in July 2025. Just this week, Jamf Threat Labs documented CrashStealer, which uses a signed dropper to bypass Gatekeeper entirely.

Attackers are getting more aggressive. They’re not just stealing data quietly anymore. They’re willing to break your machine to get what they want.

How to Protect Yourself

Group-IB has clear advice. Treat any website that instructs you to paste a command into Terminal as an active attack. Legitimate services never ask you to do this.

If your desktop suddenly starts killing applications and you haven’t entered a password, don’t give in. Force-shutdown the machine. Boot into Safe Mode (hold Shift during startup). Run a malware scan. The password you refuse to type is the one that keeps your data safe.

For more on similar threats, read about Atomic Stealer macOS ClickFix attacks that bypass Apple security warnings.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version