VYPR
researchPublished Jul 16, 2026· 2 sources

ClickLock Stealer Locks macOS Users Out, Demands Password

A new macOS stealer named ClickLock employs a novel 'kill loop' to repeatedly terminate essential system processes, forcing users to enter their administrator password to regain control, which the malware then steals.

A novel macOS information stealer, dubbed ClickLock Stealer, has emerged, employing a sophisticated 'kill loop' technique to lock victims out of their systems and coerce them into surrendering their administrator passwords. The malware, detailed in recent research by Group-IB, has already impacted at least 100 victims across 33 countries in approximately two months, with a significant concentration in Europe.

The attack chain begins with social engineering, often luring victims to paste a command into their macOS Terminal, a tactic similar to the 'ClickFix' lures seen previously. Once executed, an orchestrator script hides the cursor and displays a fake Cloudflare progress animation while downloading four distinct components from compromised WordPress websites. These components are designed for various malicious purposes, including credential theft, cryptocurrency exfiltration, and establishing a persistent backdoor.

Two modules focus on stealing credentials. One targets the macOS Keychain, specifically querying for the Chrome Safe Storage key to decrypt stored cookies and passwords. The other presents a fake password dialog box, validated against the local directory service, ensuring only legitimate passwords are captured and sent to the operator. A third module is dedicated to cryptocurrency theft, iterating through over 30 wallet extensions like MetaMask and Phantom, and extracting encrypted vault data.

The fourth component installs GSocket, an open-source reverse-shell tool that is disguised as a legitimate iCloud process on macOS, providing the attacker with persistent remote access. If the victim enters their password upon the initial prompt, the stealer captures it along with system fingerprinting data. If the victim cancels, the orchestrator ensures the credential modules are relaunched on subsequent logins by installing two LaunchAgents.

The core of ClickLock's disruptive capability lies in its 'kill loop.' This routine aggressively terminates critical system processes such as Finder, Dock, web browsers, Terminal, and Activity Monitor in rapid succession. This loop can persist for up to 83 hours, rendering the system virtually unusable and creating a high-stress environment for the victim. Concurrently, another loop targets NotificationCenter for approximately six hours to suppress security warnings from Gatekeeper.

Data exfiltration is handled discreetly via Telegram, utilizing three bots without a dedicated command-and-control server. To evade detection and analysis, the malware modules forge timestamps and self-delete after their operation, leaving behind only the GSocket backdoor. This modular approach and the aggressive 'kill loop' mechanism represent a significant evolution in macOS malware tactics.

The emergence of ClickLock Stealer aligns with a broader trend of increasingly sophisticated threats targeting the macOS ecosystem. Recent reports have highlighted other macOS stealers like Atomic macOS Stealer (AMOS) and CrashStealer, which also employ deceptive tactics and aim to compromise user credentials and sensitive data. The increasing complexity and modularity of these macOS threats underscore the growing need for robust security measures and user vigilance.

Group-IB advises macOS users to treat any website instructing them to paste commands into Terminal with extreme suspicion. In the event of a system suddenly killing applications, users are recommended to force-shutdown their machine and boot into Safe Mode rather than entering their administrator password, thereby preventing the stealer from capturing their credentials.

This new report details the malware's delivery mechanism, which involves a Terminal command and a fake system dialog to trick users into entering their password. Upon cancellation, it installs persistent LaunchAgents to ensure continuous operation, including a loop that kills applications every 210 milliseconds until the password is provided. The malware also leverages a component that is a near-exact copy of the open-source GSocket tunneling toolkit.

Synthesized by Vypr AI