Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1925+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. ClickLock: New macOS Stealer Kills Every App Until You Type Your Password
ClickLock: New macOS Stealer Kills Every App Until You Type Your Password
NEWS

ClickLock: New macOS Stealer Kills Every App Until You Type Your Password

Group-IB researchers discovered ClickLock, a macOS infostealer that uses ClickFix social engineering to install a kill loop firing pkill every 210ms — trapping victims into surrendering their system password to restore their desktop.

Dylan H.

News Desk

July 16, 2026
5 min read

A newly discovered macOS infostealer dubbed ClickLock takes a uniquely aggressive approach to credential theft: rather than silently harvesting data in the background, it repeatedly kills every visible application on the system — every 210 milliseconds, for up to 83 hours — leaving the victim with a non-functional desktop and a single password prompt standing between them and their normal workflow.

Discovered by Group-IB Threat Intelligence, the malware was first uploaded to VirusTotal on June 9, 2026 with zero detections. It has been active since approximately May 2026 and shows signs of ongoing active development.

ClickFix Entry Point

ClickLock's infection chain begins with a ClickFix social engineering lure — a fake Cloudflare CAPTCHA or verification page that instructs the victim to open macOS Terminal and paste a command to "verify" their browser session. Once executed, the malicious shell script:

  • Disables Ctrl+C keyboard interrupts and hides the terminal cursor
  • Plays a fake Cloudflare verification progress animation for approximately 10 seconds
  • Silently downloads four payloads from two compromised WordPress sites

No exploit or elevated privilege is required. The entire compromise hinges on a single moment of social engineering.

The Kill Loop

On the next login session, ClickLock's most distinctive behavior activates. The malware fires pkill and killall bursts every 210 milliseconds, repeatedly terminating:

  • Finder and Dock
  • Spotlight and SystemUIServer
  • Terminal and Activity Monitor
  • NotificationCenter
  • All major web browsers

The macOS desktop becomes effectively unusable. The only thing that remains is a password prompt — styled to impersonate a legitimate macOS system dialog, complete with a downloaded Apple icon and the victim's real username — that validates the entered password against the local directory service (dscl) before transmitting it. If the victim enters an incorrect password or dismisses the dialog, the kill loop continues until either the correct password is submitted or 83 hours elapse.

Group-IB notes this forced-interaction technique "has no known legitimate use case" in macOS security tooling.

What Gets Stolen

Once the system password is captured, the stealer modules execute and exfiltrate:

CategoryScope
Browsers8 Chromium-based and other browsers
Crypto wallet extensions31 browser extensions
Password manager extensions7 browser extensions
Desktop crypto wallet apps8 applications
macOS KeychainFull contents
Chrome Safe Storage keyAES key enabling offline credential decryption
Shell historyComplete .bash_history / .zsh_history
FTP credentialsAny stored credentials

All exfiltrated data is archived and sent to a Telegram bot controlled by the attackers.

After exfiltration, the stealer components unload their own LaunchAgents and delete themselves — and forge file timestamps against ~/Movies to disrupt forensic timeline analysis.

Persistent Backdoor

One component intentionally survives cleanup: a modified build of GSocket (an open-source encrypted tunneling tool) named internally as "goyim". It:

  • Runs under the process name SystemUIServerl (trailing lowercase l, mimicking the legitimate SystemUIServer)
  • Resides in ~/Library/Application Support/iCloudsync
  • Connects to operator relay at gsnc[.]eu:67 via encrypted tunnel
  • Persists across reboots via a remaining LaunchAgent

The attacker maintains persistent shell access to the compromised machine while it appears fully normal to the user.

Scale and Victimology

Group-IB confirmed at least 100 victims across 33 countries, with over 50% in Europe and additional victims in North America, the Middle East, and Africa. The targeting profile suggests financially motivated actors focused on regions with high macOS adoption and cryptocurrency usage.

Defense

The single point of prevention is refusing to paste commands from any website into Terminal. No legitimate service requires Terminal command execution to verify a browser session or CAPTCHA.

Apple added a Terminal warning in macOS Tahoe 26.4 specifically to counter ClickFix-style attacks.

If your desktop apps are repeatedly closing:

  1. Do not enter your password.
  2. Hold the power button to force-shut down.
  3. Boot into Safe Mode (hold Shift on Intel; hold power → Safe Mode on Apple Silicon).
  4. Remove LaunchAgents from ~/Library/LaunchAgents/ and ~/Library/Application Support/iCloudsync.

If the password was already entered:

  • Immediately isolate the machine from the network.
  • Assume full credential compromise — reset all passwords, revoke sessions, block payment cards.
  • Hunt and remove the SystemUIServerl process and its GSocket installation in ~/Library/Application Support/iCloudsync.
  • Engage incident response for a full forensic investigation.

Indicators of Compromise

IOCType
gsnc[.]eu:67C2 relay
~/Library/Application Support/iCloudsyncBackdoor install path
Process SystemUIServerlTyposquat process name
$HOME/.cacheb/Payload staging directory

Full IOC list including file hashes and YARA rules is available in the Group-IB ClickLock blog post.

Sources

  • Group-IB — ClickLock Stealer: Paste Once, Lose Everything
  • BleepingComputer — New ClickLock macOS malware traps users into revealing login password
  • The Hacker News — ClickLock macOS Stealer Kills Apps Every 210ms
  • The Register — C'mon, just paste this into Terminal
#Malware#macOS#ClickFix#Infostealer#BleepingComputer#Group-IB

Related Articles

Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs

A newly observed ClickFix campaign impersonates Cloudflare's CAPTCHA verification pages to deliver the Python-based Infiniti Stealer to macOS users via a...

4 min read

New Infinity Stealer Malware Grabs macOS Data via ClickFix

A new info-stealing malware named Infinity Stealer is targeting macOS systems with a Python payload packaged as an executable using the open-source Nuitka...

5 min read

Claude AI Artifacts Abused to Distribute macOS Infostealer

Threat actors are abusing publicly shared Claude AI artifacts and Google Ads to deliver the MacSync infostealer to macOS users through ClickFix social...

3 min read
Back to all News