https://thehackernews.com/2026/07/new-clicklock-macos-stealer-kills-apps.html
A newly identified macOS infostealer dubbed ClickLock has been documented by Group-IB researchers, notable for its unusually aggressive and psychologically coercive approach to credential theft. Rather than silently harvesting data in the background, ClickLock deliberately makes a victim’s computer unusable, killing Finder, the Dock, Spotlight, Terminal, Activity Monitor, and major browsers every 210 milliseconds for up to 83 hours, leaving nothing on screen but a password prompt. The malware arrives via the ClickFix social engineering technique, in which victims are tricked into pasting a command into Terminal. If the victim cancels the initial fake system dialog requesting their password, the malware installs two LaunchAgents and quietly exits, only to unleash its desktop hostage loop at the next login. A second persistence mechanism runs its own kill loop for up to 34.7 days while continuously querying the Keychain for Chrome’s Safe Storage key. Crucially, Activity Monitor and Terminal are both on the kill list, preventing victims from diagnosing or stopping the attack themselves.
The payload chain is comprehensive and damaging. A successful run hands the attacker the validated macOS login password, Chrome’s Safe Storage AES key, which enables offline decryption of all saved passwords and cookies, along with browser credentials, crypto wallet files, password manager vaults, the macOS Keychain, shell history, and FileZault’s saved server credentials. Exfiltration is conducted through three Telegram bots, and the malware uses a backdoor component largely copied from GSocket, an open-source tunnelling toolkit, to establish a reverse shell without requiring dedicated command-and-control infrastructure. The orchestrator script had zero detections on VirusTotal when Group-IB analysed it, and the researchers were unable to identify the lure pages used to drive victims to the initial payload, meaning the full delivery chain remains unconfirmed. Group-IB’s telemetry has identified at least 100 targets across 33 countries since May, with more than half located in Europe.
The malware highlights the growing limitations of Apple’s mitigations against Terminal-based ClickFix attacks. While macOS 26.4 introduced warnings for suspicious Terminal paste activity, the protection only triggers for users who do not regularly use Terminal and includes a “Paste Anyway” button, leaving a significant gap. The hard block requires macOS to already recognise the specific malware, and researchers have already documented campaigns bypassing these controls entirely. Group-IB assesses the malware is still under active development.