ClickLock stealer hijacks macOS screens to capture user credentials

The attack chain begins with a lure that has become effective across both Windows and macOS over the past year

Must Read

- Advertisement -
- Advertisement -
  • More than half of those victims are in Europe, with additional clusters in North America, the Middle East, and Africa.
  • Modular architecture also makes the malware easy to update — new stealer modules can be deployed server-side without any change to the initial dropper script.

Malware built for macOS has always occupied a strange niche. It needs to be sophisticated enough to bypass Gatekeeper, SIP, and a tightly locked-down Unix core — yet the platform’s single-digit global market share means the financial payoff is rarely worth the effort.

For years, this arithmetic kept Mac-targeted threats rare and, when they did surface, relatively crude. A newly documented sample from Group-IB’s Threat Intelligence team suggests that calculus is shifting.

On June 9, 2026, a malicious shell script was uploaded to VirusTotal. It returned zero detections from every engine on the platform. Group-IB researchers, digging into the sample, found something more elaborate than the usual one-shot credential grabber: a modular stealer with a built-in enforcement mechanism that bullies victims into compliance. They named it ClickLock Stealer.

The ClickFix trap

ClickLock’s attack chain begins with a lure that has become depressingly effective across both Windows and macOS over the past year. The victim lands on a compromised website — Group-IB’s analysis points to WordPress domains that have been hijacked for this purpose — and encounters what appears to be a Cloudflare browser verification page.

It looks professional. It mimics the familiar “checking your browser” animation. And then it asks the user to do something no legitimate Cloudflare page ever asks: open Terminal and paste a command.

That single action is the entire infection vector. ClickLock requires no exploit, no elevated privileges, no zero-day. It asks, and enough people comply.

Once the command is pasted and executed, the script launches a terminal-based loading animation that convincingly mirrors Cloudflare’s progress bar. Behind this visual decoy, the malware begins reaching out to its command-and-control infrastructure — a combination of compromised WordPress sites and Telegram bots — to pull down its modular payload.

The Locker: Compliance through force

What separates ClickLock from the growing crowd of macOS infostealers is its enforcement mechanism. Most malware wants to stay quiet. ClickLock demands attention.

If the victim attempts to close Terminal or otherwise disrupt the infection flow, the malware triggers what Group-IB describes as a “locker” — a loop that kills every visible application every 210 milliseconds until the user complies.

Browser windows vanish. Finder disappears. Any app the user tries to open is terminated before it can render. The machine doesn’t crash, but it becomes functionally unusable for anything except staring at the malware’s password prompt.

That prompt, styled to resemble a macOS system dialog, requests the user’s login password. With the system locked down and no obvious recovery path, many victims enter it. Once they do, the killing stops. The apps reappear. Everything seems normal again. And ClickLock gets to work.

What gets stolen

The stealer’s target list is unusually comprehensive. Group-IB documented modules targeting:

  • Eight browsers, including Chrome, Safari, Firefox, Brave, Edge, and Arc — with a focus on extracting saved credentials, cookies, and the Chrome encryption key
  • Thirty-one crypto wallet extensions, spanning MetaMask, Phantom, Trust Wallet, Coinbase Wallet, and virtually every other major browser-based wallet
  • Seven password manager extensions, including 1Password, Bitwarden, LastPass, and Dashlane
  • Eight desktop wallet applications, among them Exodus, Electrum, and Atomic Wallet
  • Blockchain addresses across six chains, extracted from clipboard contents and configuration files
  • macOS Keychain and shell history files

Each module operates independently, feeding stolen data back to the attacker’s Telegram bot in real time. The modular architecture also makes the malware easy to update — new stealer modules can be deployed server-side without any change to the initial dropper script.

Backdoor that stays

After all stealer modules have completed their objectives, ClickLock performs a cleanup routine that is unusually thorough. It forges file timestamps to obscure forensic traces, removes its persistence mechanisms, and deletes its own components from disk — with one exception.

A component Group-IB identifies as “goyim” remains permanently installed. This backdoor gives the attacker ongoing access to the compromised system, independent of the initial infection vector.

Combined with the macOS login password and Chrome’s encryption key — both now in the attacker’s possession — the backdoor enables indefinite access and offline decryption of every credential stored in the browser.

The victim notices nothing. The system operates normally. But the attacker holds the keys to every account that was ever saved in a browser or password manager on that machine.

Who is being targeted

Group-IB has identified at least 100 victims across 33 countries since the campaign began in May 2026, giving it an operational window of roughly two months at the time of discovery. More than half of those victims are in Europe, with additional clusters in North America, the Middle East, and Africa.

The number is modest, but researchers believe the malware is still under active development. The modular architecture, the evolving command infrastructure, and the presence of what appear to be testing artifacts in the code suggest that ClickLock may be an early build of something larger.

The victimology tells a dual story. The overwhelming focus on cryptocurrency wallets — browser extensions, desktop applications, and blockchain address extraction — points to crypto holders as the primary target demographic.

But the simultaneous harvesting of password manager vaults, browser-stored credentials, and payment card data means the malware doesn’t need to find a crypto whale to turn a profit. Any macOS user with valuable online accounts is a worthwhile mark.

Group-IB’s assessment is blunt: “This campaign demonstrates that macOS users may face real, sophisticated threats that require neither exploits nor any elevated access to succeed”. The entire attack chain, from initial access through credential theft to persistent backdoor installation, depends on a single moment of misplaced trust.

That trust is the fulcrum that ClickFix-style attacks exploit, and it appears to be holding. Across multiple campaigns documented by Sophos, Netskope, and Jamf throughout 2025 and 2026, the combination of fake CAPTCHA pages and Terminal paste commands has proven consistently effective against Mac users who have been conditioned to believe their platform is inherently secure.

What macOS users need to know

The defensive takeaway is simple enough to fit in a sentence: no legitimate website will ever ask you to paste a command into Terminal. Not Cloudflare. Not Google. Not your bank, your IT department, or any software vendor. Browser-based verification happens in the browser. Anything that directs you to open Terminal and paste something is attempting to compromise your system.

The harder lesson is about the erosion of a long-held assumption. macOS security has historically been strong enough that users could afford to be a little careless. ClickLock and its ilk — Atomic Stealer, Poseidon, Cthulhu, and the broader family of macOS infostealers that have proliferated since 2024 — are built on the insight that social engineering bypasses every technical control. Gatekeeper cannot block what the user voluntarily executes.

SIP cannot protect what the user voluntarily grants. The last line of defense is not a security feature. It’s a decision made at the keyboard, in the moment when Terminal blinks and waits.

- Advertisement -

Latest News

Organisations need to boost security architectures to embrace agentic AI

As organisations deploy more AI agents, they need to treat them as dynamic, continuously verified identities rather than trusted applications.

Aina raises $5.5m to build hardware interface for the age of AI

Aina is opening a waitlist for a Pilot program of the interface it has been developing in stealth.

Hi2 to become a dedicated launchpad for Emirati entrepreneurs

Dubai SME integrates Hamdan Innovation Incubator into Dubai Founders HQ.
- Advertisement -
- Advertisement -

More Articles

- Advertisement -