Overview
Security researchers at Group-IB have published a detailed analysis of ClickLock, a previously undocumented macOS information-stealing malware that uses an unusually aggressive coercion technique: it forcibly terminates all visible system processes — Finder, Dock, browsers, and more — every 210 milliseconds, leaving victims with a dead desktop and a single password dialog until they surrender their login credentials.
The malware was discovered after a malicious shell script was uploaded to VirusTotal on June 9, 2026. At the time of analysis, it registered zero detections across all AV vendors on the platform. Researchers believe ClickLock has been active since approximately May 2026 and has already claimed at least 100 victims across 33 countries, with over half in Europe.
How ClickLock Works
Step 1 — ClickFix Initial Access
ClickLock is distributed almost exclusively via ClickFix lures — fake browser-based alerts that impersonate Cloudflare CAPTCHA pages or browser error dialogs. Victims are prompted to open macOS Terminal and paste a one-line command to "fix" the issue. The payload is hosted on compromised WordPress sites with clean URL reputations that bypass most web filters.
Step 2 — Execution and Evasion
The moment the terminal command runs:
- Keyboard interrupts (Ctrl+C) are disabled, preventing termination
- The Terminal cursor is hidden
- A fake Cloudflare-style progress animation plays while payloads download in the background
- macOS Notification Center is suppressed for six hours to prevent any system alerts from tipping off the victim
Step 3 — The Kill Loop
If the victim dismisses the password dialog or doesn't respond, ClickLock enters its defining coercion loop:
- Every 210 milliseconds, it forcibly kills Finder, the Dock, Spotlight, Terminal, Activity Monitor, and all major browsers
- The victim is left with a completely non-functional desktop — only the password prompt remains
- The loop continues for up to 300,000 seconds (approximately 83 hours)
A parallel LaunchAgent runs a second kill loop with a 200ms interval that can persist for up to 35 days, targeting keychain access alongside the process kills.
Step 4 — Credential Validation and Theft
ClickLock does not simply capture whatever the user types. Any password entered is validated against macOS's own dscl /Local/Default -authonly command — only a correct working password is accepted and exfiltrated. Invalid guesses are silently rejected, forcing the victim to try again.
The password prompt itself is sophisticated: it uses the victim's real macOS username (pulled from the system) and a downloaded Apple logo icon, making it visually indistinguishable from a legitimate system dialog.
Step 5 — Data Exfiltration
Once credentials are captured, ClickLock deploys multiple parallel theft modules:
| Target | Details |
|---|---|
| Browsers | 8 browsers targeted |
| Crypto wallet extensions | 31 browser extensions |
| Password manager extensions | 7 extensions |
| Desktop wallet apps | 8 applications |
| Blockchain wallets | 6 chains |
| macOS Keychain | Full keychain dump |
| Chromium Safe Storage | Enables offline decryption of all stored passwords |
| Shell history | Terminal command history |
| FTP credentials | Stored FTP logins |
All stolen data is archived and sent via three Telegram bots — no dedicated C2 infrastructure, everything routes through Telegram's trusted endpoints.
Step 6 — Persistence and Remote Access
- LaunchAgents are installed to survive reboots, resuming the attack at next login if credentials haven't been captured yet
- A modified version of the open-source GSocket tool is deployed, giving operators an interactive remote shell on the compromised host
- Modules self-delete after execution, leaving minimal forensic artifacts
Why This Is Difficult to Detect
ClickLock has several characteristics that make it particularly hard to catch:
- Zero AV detections at discovery despite active deployment since May
- Payloads hosted on legitimate compromised domains — reputation-based blocking is ineffective
- All modules self-delete post-execution
- Exfiltration through Telegram (commonly whitelisted as a business communication tool)
- No kernel exploits or privilege escalation — operates entirely in user space
Indicators of Compromise
- Hidden directory at
$HOME/.cacheb/— staging location for downloaded payloads - Unexpected LaunchAgent entries in
~/Library/LaunchAgents/ - Outbound connections to Telegram API endpoints from unexpected processes
- Presence of a modified GSocket binary
Full IOC hashes, domains, and IP addresses are available through Group-IB Threat Intelligence.
Defensive Guidance
For users:
- Never paste commands into Terminal from a website — no legitimate service, including Cloudflare, will ever ask you to do this
- If applications suddenly start closing and an unexpected password dialog appears, do NOT enter your password — hold the power button for a hard shutdown
- After a suspicious incident, boot into Safe Mode and check
~/Library/LaunchAgents/for unknown entries - Use Little Snitch or another outbound firewall to monitor for unexpected Telegram API connections
For organizations with macOS fleets:
- Deploy endpoint security capable of detecting LaunchAgent modifications
- Consider restricting Terminal access for non-technical users via MDM policy
- Monitor for
dsclcommand execution in audit logs, which may indicate credential validation attempts
References
- Group-IB — ClickLock Stealer: Paste Once, Lose Everything
- BleepingComputer — New ClickLock macOS malware traps users into revealing login password
- The Hacker News — New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password
- Infosecurity Magazine — Modular macOS Stealer Uses Kill Loops to Force Password Entry