Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1929+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. ClickLock: New macOS Infostealer Kills Apps Every 210ms to Force Password Entry
ClickLock: New macOS Infostealer Kills Apps Every 210ms to Force Password Entry
NEWS

ClickLock: New macOS Infostealer Kills Apps Every 210ms to Force Password Entry

Group-IB researchers discovered ClickLock, a new macOS infostealer distributed via ClickFix lures that terminates all visible system processes in a loop until the victim surrenders their login password — with zero AV detections at discovery.

Dylan H.

News Desk

July 17, 2026
5 min read

Overview

Security researchers at Group-IB have published a detailed analysis of ClickLock, a previously undocumented macOS information-stealing malware that uses an unusually aggressive coercion technique: it forcibly terminates all visible system processes — Finder, Dock, browsers, and more — every 210 milliseconds, leaving victims with a dead desktop and a single password dialog until they surrender their login credentials.

The malware was discovered after a malicious shell script was uploaded to VirusTotal on June 9, 2026. At the time of analysis, it registered zero detections across all AV vendors on the platform. Researchers believe ClickLock has been active since approximately May 2026 and has already claimed at least 100 victims across 33 countries, with over half in Europe.

How ClickLock Works

Step 1 — ClickFix Initial Access

ClickLock is distributed almost exclusively via ClickFix lures — fake browser-based alerts that impersonate Cloudflare CAPTCHA pages or browser error dialogs. Victims are prompted to open macOS Terminal and paste a one-line command to "fix" the issue. The payload is hosted on compromised WordPress sites with clean URL reputations that bypass most web filters.

Step 2 — Execution and Evasion

The moment the terminal command runs:

  • Keyboard interrupts (Ctrl+C) are disabled, preventing termination
  • The Terminal cursor is hidden
  • A fake Cloudflare-style progress animation plays while payloads download in the background
  • macOS Notification Center is suppressed for six hours to prevent any system alerts from tipping off the victim

Step 3 — The Kill Loop

If the victim dismisses the password dialog or doesn't respond, ClickLock enters its defining coercion loop:

  • Every 210 milliseconds, it forcibly kills Finder, the Dock, Spotlight, Terminal, Activity Monitor, and all major browsers
  • The victim is left with a completely non-functional desktop — only the password prompt remains
  • The loop continues for up to 300,000 seconds (approximately 83 hours)

A parallel LaunchAgent runs a second kill loop with a 200ms interval that can persist for up to 35 days, targeting keychain access alongside the process kills.

Step 4 — Credential Validation and Theft

ClickLock does not simply capture whatever the user types. Any password entered is validated against macOS's own dscl /Local/Default -authonly command — only a correct working password is accepted and exfiltrated. Invalid guesses are silently rejected, forcing the victim to try again.

The password prompt itself is sophisticated: it uses the victim's real macOS username (pulled from the system) and a downloaded Apple logo icon, making it visually indistinguishable from a legitimate system dialog.

Step 5 — Data Exfiltration

Once credentials are captured, ClickLock deploys multiple parallel theft modules:

TargetDetails
Browsers8 browsers targeted
Crypto wallet extensions31 browser extensions
Password manager extensions7 extensions
Desktop wallet apps8 applications
Blockchain wallets6 chains
macOS KeychainFull keychain dump
Chromium Safe StorageEnables offline decryption of all stored passwords
Shell historyTerminal command history
FTP credentialsStored FTP logins

All stolen data is archived and sent via three Telegram bots — no dedicated C2 infrastructure, everything routes through Telegram's trusted endpoints.

Step 6 — Persistence and Remote Access

  • LaunchAgents are installed to survive reboots, resuming the attack at next login if credentials haven't been captured yet
  • A modified version of the open-source GSocket tool is deployed, giving operators an interactive remote shell on the compromised host
  • Modules self-delete after execution, leaving minimal forensic artifacts

Why This Is Difficult to Detect

ClickLock has several characteristics that make it particularly hard to catch:

  • Zero AV detections at discovery despite active deployment since May
  • Payloads hosted on legitimate compromised domains — reputation-based blocking is ineffective
  • All modules self-delete post-execution
  • Exfiltration through Telegram (commonly whitelisted as a business communication tool)
  • No kernel exploits or privilege escalation — operates entirely in user space

Indicators of Compromise

  • Hidden directory at $HOME/.cacheb/ — staging location for downloaded payloads
  • Unexpected LaunchAgent entries in ~/Library/LaunchAgents/
  • Outbound connections to Telegram API endpoints from unexpected processes
  • Presence of a modified GSocket binary

Full IOC hashes, domains, and IP addresses are available through Group-IB Threat Intelligence.

Defensive Guidance

For users:

  1. Never paste commands into Terminal from a website — no legitimate service, including Cloudflare, will ever ask you to do this
  2. If applications suddenly start closing and an unexpected password dialog appears, do NOT enter your password — hold the power button for a hard shutdown
  3. After a suspicious incident, boot into Safe Mode and check ~/Library/LaunchAgents/ for unknown entries
  4. Use Little Snitch or another outbound firewall to monitor for unexpected Telegram API connections

For organizations with macOS fleets:

  • Deploy endpoint security capable of detecting LaunchAgent modifications
  • Consider restricting Terminal access for non-technical users via MDM policy
  • Monitor for dscl command execution in audit logs, which may indicate credential validation attempts

References

  • Group-IB — ClickLock Stealer: Paste Once, Lose Everything
  • BleepingComputer — New ClickLock macOS malware traps users into revealing login password
  • The Hacker News — New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password
  • Infosecurity Magazine — Modular macOS Stealer Uses Kill Loops to Force Password Entry
#Malware#macOS#ClickLock#Infostealer#ClickFix#Group-IB#Threat Intelligence

Related Articles

ClickLock: New macOS Stealer Kills Every App Until You Type Your Password

Group-IB researchers discovered ClickLock, a macOS infostealer that uses ClickFix social engineering to install a kill loop firing pkill every 210ms — trapping victims into surrendering their system password to restore their desktop.

5 min read

PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords

Jamf Threat Labs has discovered PamStealer, a sophisticated two-stage macOS infostealer that impersonates the Maccy clipboard manager, delivers a...

6 min read

Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs

A newly observed ClickFix campaign impersonates Cloudflare's CAPTCHA verification pages to deliver the Python-based Infiniti Stealer to macOS users via a...

4 min read
Back to all News