Back to Feed
MalwareJul 16, 2026

‘ClickLock Stealer’ Bypasses macOS Security With Social Engineering, Process Killing

ClickLock Stealer malware targets 100+ macOS users via social engineering to steal passwords and cryptocurrency.

Summary

ClickLock Stealer is a new macOS malware discovered by Group-IB in early June that has targeted at least 100 users across 33 countries. The malware uses aggressive social engineering and process-killing techniques to bypass macOS protections, stealing credentials, cryptocurrency wallets, and Keychain data. Distribution likely occurs through SEO poisoning or compromised websites directing victims to fake ClickFix pages where they execute malicious bash commands.

Full text

A new macOS malware named ClickLock Stealer leverages social engineering and process killing to bypass the operating system’s protections and obtain valuable information from victims. Cybersecurity firm Group-IB came across ClickLock Stealer in early June, and the malware appears to have been around since at least late May. Researchers say it has targeted at least 100 users across 33 countries, more than half in Europe. The stealer is designed to collect various types of data from compromised systems, including web browsers, cryptocurrency wallets and wallet extensions, and password manager extensions. It can also harvest blockchain addresses from six chains and target the macOS Keychain, FTP credentials, and shell history. The stolen data is added to an archive file and exfiltrated to a Telegram bot. While Group-IB researchers could not definitively determine how ClickLock Stealer is distributed, they believe threat actors may have used SEO poisoning, social media posts, or compromised websites to lure victims to a ClickFix attack page disguised as a Cloudflare verification. Users who land on this page are instructed to copy a bash command, paste it into macOS’s Terminal, and execute it. Once the command is run, an orchestrator script file is downloaded and executed, which in turn fetches four other scripts representing a credential stealer, a cryptocurrency stealer, a Keychain stealer, and a backdoor installer. The backdoor remains on the compromised machine, but the other scripts are removed once they have harvested the targeted data and sent it back to the attacker.Advertisement. Scroll to continue reading. macOS’s design and built-in protections make it harder to deploy malware. However, ClickLock Stealer succeeds primarily through social engineering because the malware is downloaded and executed directly by the victim with their own privileges. Unlike other malware, it does not need exploits or privilege escalation. To access the targeted data, the malware employs aggressive process-killing loops. The orchestrator component displays a fake macOS dialog to capture the user’s password, killing every visible process so that only the password window is shown on the screen until the victim complies. “A background loop also starts killing macOS NotificationCenter continuously for approximately ~6 hours, suppressing any Gatekeeper or security warnings that might alert the victim,” Group-IB explained in a blog post describing ClickLock Stealer. Other components also aggressively terminate applications that the victim may use to analyze or disrupt the attack. The credential stealer component also displays a fake macOS password dialog and keeps it open in a long loop while other applications are terminated, forcing the victim to enter the password. When the malware queries the macOS Keychain for the Chrome Safe Storage encryption key, which protects passwords and other browser data, the user is prompted to authorize the action. Again, all processes are killed until the user complies and Keychain access is granted. Related: macOS Weaknesses Chained to Silently Disable Endpoint Security Agents Related: MacSync macOS Malware Distributed via Signed Swift Application Related: Apple Patches Dozens of Vulnerabilities Across iOS, macOS, and Safari Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Eduard Kovacs Trend Micro, Tanium, ESET and Tenable Patch Severe Product VulnerabilitiesUS Charges Russian Individuals and Firms for Running Cybercrime ServicesWhite House Launches AI-Driven ‘Gold Eagle’ Vulnerability Coordination InitiativeICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Schneider, RockwellSonicWall Issues Urgent SMA Patch Warning for Two Zero-Day ExploitsSynopsys Finds No Evidence of Data Breach Amid Bosch Hack Claims7 Severe Vulnerabilities Patched in VMware Avi Load BalancerUnpatched Claude for Chrome Flaw Lets Extensions Read Gmail, Calendar Latest News Two Scattered Spider Hackers Sentenced to Jail in UKAI Data Centers Are Being Built Faster Than They Can Be SecuredOak Emerges From Stealth Mode With $60 Million in FundingSplunk, Zoom Patch Critical VulnerabilitiesF5 Patches Multiple NGINX, BIG-IP VulnerabilitiesChina’s Top Cybersecurity Firms Hit by Mounting Military Procurement BansOld UEFI Shims Expose Systems to Secure Boot BypassNightmare Eclipse Drops ‘LegacyHive’ Windows Zero-Day Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 15, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveN-able has appointed Russell Rosa as Chief Revenue Officer.Stacy O'Mara has joined Armadin as Chief Policy Officer and Director of Global Government Affairs.F5 has appointed Cathy Peterman as Chief People Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

  • malware — ClickLock Stealer
  • malware — ClickFix

Entities

ClickLock Stealer operators (threat_actor)Group-IB (vendor)macOS (product)Telegram bot (technology)