ClickLock Malware Kills macOS Apps Until Victims Reveal Their Passwords

Researchers have uncovered ClickLock, a new macOS infostealer that repeatedly kills running applications until victims enter their login password.
Editorial illustration depicting ClickLock malware on macOS, showing a fake system password prompt while multiple applications appear to crash or disappear around it.
Illustration of the ClickLock malware's coercion technique, where a fake macOS password prompt remains on screen as core applications repeatedly crash, pressuring victims into revealing their login credentials.

A newly documented macOS infostealer dubbed ClickLock is using an unusually aggressive tactic to force victims into surrendering their system passwords. Rather than relying solely on fake login prompts, the malware repeatedly terminates core macOS applications until users give in and enter their credentials.

Researchers at Group-IB discovered the malware during an investigation into a previously undocumented campaign targeting macOS users. The operation has reportedly been active since May 2026, affecting at least 100 victims across 33 countries, with more than half of the observed victims located in Europe. The researchers believe the malware is still under active development.

ClickFix lure turns into desktop lockdown

According to Group-IB, the attack begins with a ClickFix social engineering page that instructs victims to copy and paste a command into Terminal under the guise of completing a Cloudflare verification or browser check. ClickFix-style attacks have become increasingly common across Windows and macOS environments, with threat actors abusing fake verification pages to trick users into executing malicious commands.

Once executed, the shell script displays a fake verification animation while downloading additional malware components in the background. Victims are then presented with a convincing macOS password prompt that uses their actual username and validates any password entered before transmitting it to the attackers.

If the victim dismisses the prompt instead of entering their password, ClickLock installs persistence using LaunchAgents and quietly exits. The real coercion begins after the next login.

The malware repeatedly kills Finder, Dock, Spotlight, Terminal, Activity Monitor, web browsers, and other visible processes roughly every 210 milliseconds, leaving the password prompt as one of the few remaining interactive elements on the screen. The disruption can continue for hours, effectively making the system unusable until the victim complies.

Group-IB described the behavior as a form of forced interaction malware, noting that continuously terminating user applications has no legitimate purpose and appears designed solely to pressure victims into revealing their credentials.

Diagram illustrating the ClickLock malware attack chain, showing ClickFix delivery, Terminal command execution, password theft, data exfiltration, and installation of persistent remote access on macOS.
ClickLock attack chain from initial ClickFix social engineering through credential theft, browser and cryptocurrency wallet data collection, and persistent access via a GSocket-based backdoor. Image credit: Group-IB. Original research: ClickLock Stealer: Paste Once, Lose Everything.

Credential theft extends well beyond the login password

After obtaining the victim’s password, ClickLock begins harvesting a wide range of sensitive information. Researchers found the malware targets browser credentials and cookies, cryptocurrency wallet extensions, desktop wallet applications, password manager extensions, macOS Keychain data, shell history, and FileZilla credentials.

The malware also attempts to extract Chrome’s Safe Storage encryption key from the macOS Keychain. Possession of this key allows attackers to decrypt Chrome’s stored passwords and cookies offline after exfiltrating the browser databases.

In addition to stealing credentials, the malware installs a modified GSocket-based backdoor that provides persistent remote access, allowing attackers to maintain control of the compromised system even after the visible disruption has ended.

VirusTotal detections have started to appear

When Group-IB analyzed the original shell script, the sample reportedly had no antivirus detections on VirusTotal. Since the publication of the research, detections have begun to emerge.

At the time of writing, VirusTotal showed a single detection for the sample, with ESET-NOD32 identifying it as OSX/TrojanDownloader.Agent.CY. While most antivirus engines had not yet classified the sample, the updated detection suggests vendors have begun adding signatures following public disclosure.

VirusTotal analysis page showing the ClickLock shell script with a single antivirus detection from ESET-NOD32 identifying it as OSX/TrojanDownloader.Agent.CY.
VirusTotal detection results for the ClickLock shell script. When Group-IB analyzed the sample, it reportedly had no antivirus detections. At the time this screenshot was captured, VirusTotal showed one detection, with ESET-NOD32 identifying the sample as OSX/TrojanDownloader.Agent.CY. View the sample on VirusTotal.

Defenders should watch for unusual process killing

Although ClickLock uses social engineering rather than exploiting a macOS vulnerability, its persistence and coercion techniques make it stand out from many recent macOS infostealers.

Organizations should educate users that legitimate websites never require Terminal commands to complete CAPTCHA or Cloudflare verification challenges. Security teams should also monitor for unexpected LaunchAgents, repeated killall or pkill activity targeting Finder, Dock, Terminal, or Activity Monitor, suspicious access to the macOS Keychain, and outbound connections shortly after Terminal executes unfamiliar shell scripts.

If a user entered their password into a suspicious prompt, defenders should assume browser credentials, authentication cookies, cryptocurrency wallets, and stored passwords may have been compromised. Passwords should be changed immediately, active browser sessions revoked, and affected systems thoroughly investigated for persistence.

Sources

Picture of m00s3c

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.

Latest News

BREACHNEWS.COM/SUPPORT/

Support Independent News.

Help support breach monitoring, investigations, infrastructure, and reporting.

Support the site
INTEL.BREACHNEWS.COM

Live Cyber
Threat Map

Explore live cyber activity, recent breach reports, KEV alerts, and public threat feeds from a single interactive dashboard.

Launch Threat Map