New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password
ClickLock macOS stealer forces password entry by killing apps every 210ms until victims comply.
Summary
ClickLock is a new macOS infostealer that arrives via terminal command and deploys LaunchAgents to forcibly extract login credentials. When users refuse an initial fake system dialog, the malware kills critical applications every 210 milliseconds until they provide their password. Once captured, it exfiltrates Keychain data, browser credentials, crypto wallets, and Chrome's Safe Storage encryption key, with at least 100 victims across 33 countries since May 2026.
Full text
New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password Swati KhandelwalJul 16, 2026Malware / Cryptocurrency ClickLock Stealer, a new macOS infostealer, answers a victim's refusal by killing their apps on a loop until they hand over the login password. It arrives as a command pasted into Terminal, asks for the password behind a fake system dialog, and when the victim cancels, installs two LaunchAgents and quietly exits. At the next login, Finder, the Dock, Spotlight, Terminal, Activity Monitor, and the major browsers start dying every 210 milliseconds, for up to 83 hours, leaving one password box on a dead desktop. Type it, and the machine gives up the Keychain, the browser credentials, and the crypto wallets. Group-IB's telemetry counts at least 100 targets across 33 countries since May, over half of them in Europe. Its analysts assume from the code structure that the malware is still under development. Uploaded to VirusTotal on June 9, the orchestrator script had zero detections there when Group-IB analyzed it. And the analysts never found the front door. They have the whole payload chain and not one of the lure pages. The IOC list carries three compromised payload hosts and no lure domain: the landing page design, the domains serving it, and whatever drives traffic to them are all unconfirmed. A completed run leaves the operator holding the validated macOS login password, Chrome's Safe Storage AES key, and a ZIP with browser credentials and cookies, crypto wallet extension storage, desktop wallet files, password manager vaults, the Keychain, shell history, and FileZilla's saved server credentials. The Safe Storage key is the one that lasts. It encrypts Chrome's saved passwords and cookies on disk, so Login Data and Cookies are decrypted offline, on the attacker's machine, whenever they get to it. Group-IB's advice to anyone who ran this: revoke active browser sessions, treat every saved password, cookie, and wallet key as gone, and change them. Comply now, or comply at next login The refusing user is not an edge case. They are what the design is for. Cancel the first dialog, and the script drops com.authirity.plist and com.chromer.plist into ~/Library/LaunchAgents/, then leaves. The first fires the 210-millisecond kill loop until a password lands. The second launches its own kill loop at 0.2-second intervals for up to 3,000,000 seconds, roughly 34.7 days, while a background process queries the Keychain for Chrome's Safe Storage key every half second. That query raises a real macOS prompt, and the loop holds the desktop hostage until the victim approves it. Activity Monitor and Terminal are on both kill lists. A third loop kills NotificationCenter for six hours, so no Gatekeeper warning renders. If Terminal lacks Full Disk Access, the orchestrator opens System Settings to the right pane and walks the victim through granting it. The front end is ClickFix. Group-IB assesses that with high confidence and has never seen it. The script takes a RAY_ID as its first argument and opens with a fake Cloudflare CAPTCHA banner over a progress bar cycling twelve status lines in ten seconds. Neither does anything. They exist to reassure someone who has just pasted a command into a terminal. Underneath, script.sh disables keyboard interrupts, hides the cursor, and pulls four payloads from two compromised sites. Two pipe straight into bash. Two land in a hidden $HOME/.cacheb/. The soft ask is an osascript dialog wearing a downloaded Apple icon and the victim's real username, and whatever gets typed is checked against dscl /Local/Default -authonly first, so only a working password is worth sending. Almost none of that is new. Microsoft documented the same dscl validation in SHub Stealer in May, alongside AMOS and MacSync in the same wave of macOS ClickFix campaigns. Telegram exfil and LaunchAgent persistence are boilerplate. The backdoor, goyim, is roughly 80 percent a copy of the public deploy script for GSocket, an open-source tunneling toolkit from The Hacker's Choice. Its authors pitch the gs-netcat component as an encrypted reverse backdoor that needs no C2 server of its own. It rides a relay instead. Group-IB traced this copy to an operator relay at gsnc[.]eu:67, with the binary pulled from gsocket.io itself. The stealer payloads sit on three compromised domains with clean reputations, one of them a hacked WordPress site, and the haul leaves through three Telegram bots. Group-IB observed no dedicated command-and-control infrastructure. On macOS, the binary lands as iCloud in ~/Library/Application Support/iCloudsync and the process runs as SystemUIServerl, one letter off the real one. Apple already tried to shut this door macOS 26.4 shipped in late March. It warns when Terminal sees suspicious paste activity and blocks outright anything it recognizes as known malware, a mitigation Microsoft points to as a direct answer to ClickFix delivery. Apple's own documentation shows how much room it left: the warning only fires if you do not regularly use Terminal, and it ships with a Paste Anyway button. The hard block needs macOS to already know the malware. Two campaigns went through that room within weeks, in opposite directions. Jamf Threat Labs documented one in April that avoids the paste entirely, using an applescript:// URL to open Script Editor with the payload preloaded, so the check never fires. Jamf's Thijs Xhaflaire wrote that "when one door closes, attackers find another." ClickLock is the other. It kept the paste and engineered around the person instead. The coercion loop is the one part with no cover story. Group-IB does not hedge on the sub-second pkill and killall bursts against Finder, Dock, SystemUIServer, and NotificationCenter: "this behavior is unique to forced-interaction malware and has no legitimate use case." The rest of the signal set: security find-generic-password called from a shell script rather than a browser osascript spawning password dialogs with icons pulled from /tmp/ Bulk reads of browser profile directories followed by traffic to api.telegram.org curl piped into bash where the URL ends in .jpg, .txt or .css LaunchAgent creation in ~/Library/LaunchAgents/ by a shell process, paired with launchctl load If a Mac starts killing its own apps and leaves a password box on screen, do not type the password. No verification page needs your Terminal. Cloudflare's check runs in the browser, which is the entire point of it. Group-IB says to hold the power button until the machine shuts down, then start up in Safe Mode, and its Shift-at-startup step is the Intel procedure only. On Apple silicon, hold the power button until "Loading startup options" appears, select the volume, then hold Shift and click Continue in Safe Mode. Cleanup is uneven. The stealer modules unload their own LaunchAgents, forge their timestamps off ~/Movies to break timeline analysis, and delete themselves. goyim does not. Sit through the loop, type the password, watch the desktop come back, and what is left is a machine that looks fine with a reverse shell on it, running as SystemUIServerl out of ~/Library/Application Support/iCloudsync. ClickLock's operators launched in May, a month into the warning's life, and built for the paste. Whether one of Group-IB's targets ever saw it is the thing the report does not say. The Hacker News has asked Group-IB for the macOS version breakdown behind those targets and will update this story with any response. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE Backdoor, browser security, Credential Theft, cryptocurrency, endpoint security, Information Stealer, MacOS, Malware, Social Engineering, Threat Detection ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and P
Indicators of Compromise
- malware — ClickLock
- malware — ClickFix
- malware — com.authirity.plist
- malware — com.chromer.plist
- malware — script.sh