← Home

ClickLock macOS Malware Traps Users Into Revealing Login Passwords

1) The fact Group-IB researchers discovered a new macOS information-stealing malware called ClickLock that terminates all visible processes to force users into entering their system login password. The malware steals cryptocurrency assets, login credentials, password-manager data, browser information, and macOS authentication data, and it can also install a persistent backdoor for ongoing remote access to infected systems. The malicious script has infected at least 100 systems across 33 countries since May 2026.

2) Context ClickLock is a shell script that was first submitted to VirusTotal on June 9, 2026, where it remained undetected by all security vendors on the platform at the time of analysis. Infection begins via a ClickFix lure — a fake Cloudflare human verification page with an animated progress bar displayed in the macOS Terminal. During the attack, keyboard interrupts are disabled, the terminal cursor is hidden, and stealer modules are downloaded in the background. macOS NotificationCenter is suppressed for about six hours, effectively disabling any notifications that could expose the ongoing attack to the victim. The compromise likely begins with victims being instructed to paste a malicious command into their Terminal from a website.

3) Analysis ClickLock represents a troubling evolution in macOS malware for three fundamental reasons. First, it requires no exploits or elevated privileges — operating purely through social engineering and forced interaction loops, meaning any user can be infected regardless of macOS version or security settings. Second, the coercion mechanism is brutally efficient: canceling the password prompt triggers process termination of critical apps (Finder, Dock, Terminal, browsers, System Settings, Activity Monitor, Console, Spotlight) every 210 milliseconds for up to 83 hours, showing only the password dialog on screen until the victim complies. A second LaunchAgent runs a separate coercion mechanism requesting Keychain authorization for Chrome's Safe Storage key at 200-millisecond intervals for nearly 35 days — that key could decrypt all stored Chromium passwords, cookies, and autofill data. Third, all modules self-delete after execution, leaving only the GSocket backdoor as a persistent trace on the infected system. Payloads are hosted on compromised legitimate domains with clean reputations, further evading detection.

4) What to watch • VirusTotal undetectability highlights the need for macOS-specific security solutions, traditionally overlooked compared to Windows. • Cryptocurrency users are primary targets — wallets like MetaMask, Phantom, Ledger, and password managers are all targeted. • Organizations with macOS employees must train staff not to execute Terminal commands from website instructions — regardless of how professional the page looks. • If prompted to enter the login password when the system appears unresponsive, Group-IB recommends forcing a shutdown by holding the power button and booting into Safe Mode.

Source: BleepingComputer