VYPR
researchPublished Jul 16, 2026· 1 source

ClickLock Stealer Tricks macOS Users into Self-Pwnage via Terminal

A new macOS information stealer, ClickLock Stealer, uses social engineering to trick users into pasting malicious commands into Terminal, leading to theft of sensitive data and system control.

A novel information stealer targeting macOS users, dubbed ClickLock Stealer, has emerged, eschewing traditional exploit techniques in favor of sophisticated social engineering. Instead of hunting for software vulnerabilities, the malware persuades victims to execute malicious commands directly within their Terminal application, effectively leading them to compromise their own systems. This operation, detailed by threat intelligence firm Group-IB, has been active since approximately May and has already impacted over 100 victims across 33 countries, with a significant concentration in Europe.

The attackers behind ClickLock Stealer employ a multi-stage approach to lure unsuspecting users. They reportedly distribute the malware via fake verification pages that utilize the ClickFix social engineering technique, a method designed to trick users into performing actions that compromise their security. The actual malware payloads are hosted on compromised WordPress sites, and the operation leverages Telegram infrastructure for command-and-control (C2) communications, allowing for discreet management of infected systems.

Upon tricking a victim into pasting a command into Terminal, the malware initiates a deceptive Cloudflare verification sequence. This sequence includes a fake progress animation, designed to mask the malware's true activities. While the user believes they are completing a legitimate verification, the stealer quietly downloads additional malicious components necessary for its full functionality. This reliance on user interaction bypasses the need for elevated privileges or known software exploits, making it a potent threat.

ClickLock Stealer is designed to exfiltrate a wide array of sensitive information. Its targets include data from eight different web browsers, 31 cryptocurrency wallet browser extensions, seven password manager extensions, and eight desktop wallet applications. Furthermore, it aims to steal credentials from macOS Keychain, shell history, FTP clients, and blockchain addresses across six different chains. The malware also incorporates a modified version of the open-source GSocket tool, granting attackers remote access capabilities.

The most insidious feature of ClickLock Stealer is its coercive "locker" mechanism. If a victim refuses to provide their macOS login password when prompted during the fake verification process, the malware begins to repeatedly terminate visible applications. This action effectively renders the machine unusable, preventing normal operation and pressuring the user to comply. If the password is provided, the data theft proceeds without further user intervention. For persistence, the malware includes mechanisms designed to resume the attack even after a system reboot.

Group-IB's analysis suggests that the malware is still under active development, with its code structure and other artifacts indicating ongoing efforts to expand its capabilities. This continuous evolution poses a persistent threat to macOS users who may fall prey to the deceptive tactics employed by the attackers.

Defending against ClickLock Stealer requires a shift in focus from traditional signature-based detection to behavioral analysis. Security professionals and end-users should be vigilant for unusual password prompts, applications being unexpectedly closed, unauthorized access to browser and credential data, and suspicious network connections to Telegram. The core advice for users remains simple: if any website asks you to open Terminal and paste commands, it is almost certainly malicious and should be immediately closed.

Synthesized by Vypr AI