A newly documented macOS infostealer dubbed ClickLock is using an unusually aggressive tactic to force victims into surrendering their system passwords. Rather than relying solely on fake login prompts, the malware repeatedly terminates core macOS applications until users give in and enter their credentials.
Researchers at Group-IB discovered the malware during an investigation into a previously undocumented campaign targeting macOS users. The operation has reportedly been active since May 2026, affecting at least 100 victims across 33 countries, with more than half of the observed victims located in Europe. The researchers believe the malware is still under active development.
ClickFix lure turns into desktop lockdown
According to Group-IB, the attack begins with a ClickFix social engineering page that instructs victims to copy and paste a command into Terminal under the guise of completing a Cloudflare verification or browser check. ClickFix-style attacks have become increasingly common across Windows and macOS environments, with threat actors abusing fake verification pages to trick users into executing malicious commands.
Once executed, the shell script displays a fake verification animation while downloading additional malware components in the background. Victims are then presented with a convincing macOS password prompt that uses their actual username and validates any password entered before transmitting it to the attackers.
If the victim dismisses the prompt instead of entering their password, ClickLock installs persistence using LaunchAgents and quietly exits. The real coercion begins after the next login.
The malware repeatedly kills Finder, Dock, Spotlight, Terminal, Activity Monitor, web browsers, and other visible processes roughly every 210 milliseconds, leaving the password prompt as one of the few remaining interactive elements on the screen. The disruption can continue for hours, effectively making the system unusable until the victim complies.
Group-IB described the behavior as a form of forced interaction malware, noting that continuously terminating user applications has no legitimate purpose and appears designed solely to pressure victims into revealing their credentials.

Credential theft extends well beyond the login password
After obtaining the victim’s password, ClickLock begins harvesting a wide range of sensitive information. Researchers found the malware targets browser credentials and cookies, cryptocurrency wallet extensions, desktop wallet applications, password manager extensions, macOS Keychain data, shell history, and FileZilla credentials.
The malware also attempts to extract Chrome’s Safe Storage encryption key from the macOS Keychain. Possession of this key allows attackers to decrypt Chrome’s stored passwords and cookies offline after exfiltrating the browser databases.
In addition to stealing credentials, the malware installs a modified GSocket-based backdoor that provides persistent remote access, allowing attackers to maintain control of the compromised system even after the visible disruption has ended.
VirusTotal detections have started to appear
When Group-IB analyzed the original shell script, the sample reportedly had no antivirus detections on VirusTotal. Since the publication of the research, detections have begun to emerge.
At the time of writing, VirusTotal showed a single detection for the sample, with ESET-NOD32 identifying it as OSX/TrojanDownloader.Agent.CY. While most antivirus engines had not yet classified the sample, the updated detection suggests vendors have begun adding signatures following public disclosure.

OSX/TrojanDownloader.Agent.CY. View the sample on VirusTotal.Defenders should watch for unusual process killing
Although ClickLock uses social engineering rather than exploiting a macOS vulnerability, its persistence and coercion techniques make it stand out from many recent macOS infostealers.
Organizations should educate users that legitimate websites never require Terminal commands to complete CAPTCHA or Cloudflare verification challenges. Security teams should also monitor for unexpected LaunchAgents, repeated killall or pkill activity targeting Finder, Dock, Terminal, or Activity Monitor, suspicious access to the macOS Keychain, and outbound connections shortly after Terminal executes unfamiliar shell scripts.
If a user entered their password into a suspicious prompt, defenders should assume browser credentials, authentication cookies, cryptocurrency wallets, and stored passwords may have been compromised. Passwords should be changed immediately, active browser sessions revoked, and affected systems thoroughly investigated for persistence.












