Overview
Researchers at Group‑IB have uncovered a new macOS information‑stealing malware dubbed ClickLock, which uses coercive social engineering loops to trap victims into entering their system login password. First submitted to VirusTotal on June 9, 2026, the malware remained undetected by security vendors and has already infected at least 100 systems across 33 countries.
How ClickLock Works
ClickLock does not rely on exploits or elevated privileges. Instead, it manipulates victims through forced interaction loops:
- Fake Cloudflare verification — a malicious Terminal command triggers an animated progress bar while disabling keyboard interrupts and hiding the cursor.
- Suppressed notifications — NotificationCenter is disabled for six hours to prevent alerts.
- Password dialog coercion — displays a fake macOS password prompt using the victim’s real username and Apple icon.
If the victim enters their password, it is exfiltrated via Telegram. If they cancel, ClickLock establishes persistence and reloads at the next login.
Persistence & Coercion Mechanisms
ClickLock deploys two LaunchAgents:
- com.authirity.plist / com.chromer.plist — runs a termination loop every 210 ms, killing apps like Finder, Dock, Terminal, Activity Monitor, and browsers until the victim enters their password. This loop can last 83 hours.
- Keychain coercion loop — requests authorization to access Chrome’s Safe Storage key every 200 ms for 35 days, enabling decryption of offline Chromium‑stored passwords and cookies.
Data Harvesting Capabilities
ClickLock’s stealer module targets:
- Browser data — Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, Chromium.
- Cryptocurrency wallets — extensions, desktop wallet files, encrypted vaults.
- Password managers.
- FTP configurations.
- System information and public IP.
Collected data is packaged into a ZIP archive and uploaded via the Telegram Bot API, with retry logic for resilience.
Persistent Backdoor
ClickLock installs a modified GSocket tool as a persistent backdoor, enabling attackers to:
- Establish reverse shells.
- Maintain remote control.
- Persist via LaunchAgents, crontab entries, and shell configuration modifications.
Unlike other modules, GSocket does not self‑delete, ensuring long‑term access.
Defensive Guidance
Group‑IB warns that ClickLock leaves a narrow detection window due to self‑deleting modules and clean hosting domains. Detection is possible by monitoring:
- osascript password dialogs.
- Repeated process termination.
- Mass browser directory access.
- Outbound Telegram API connections.
Users should:
- Avoid pasting Terminal commands from websites.
- Force shutdown if the system becomes unresponsive with repeated password prompts.
- Boot into Safe Mode to recover.
Expert in the Cloud Insight
ClickLock exemplifies a new wave of social engineering malware that bypasses technical exploits by coercing users into compliance. Its combination of forced password loops, modular data theft, and persistent backdoors makes it a serious threat to macOS users, especially those holding cryptocurrency or sensitive credentials.
For defenders, the lesson is clear: educate users about Terminal command risks, monitor behavioral anomalies, and harden macOS environments against persistence mechanisms.
Leave a Reply