Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    New ClickLock macOS malware traps users into revealing login password

    July 16, 2026

    Survey of Canadian Security Intelligence Service Technical Capabilities: Report

    July 16, 2026

    The OSINT Newsletter – Issue #114

    July 16, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»News»New ClickLock macOS malware traps users into revealing login password
    News

    New ClickLock macOS malware traps users into revealing login password

    adminBy adminJuly 16, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    New ClickLock macOS malware traps users into revealing login password

    A new macOS information-stealing malware dubbed ClickLock terminates all visible processes to force users into entering their system login password.

    The malware is designed to steal cryptocurrency assets, login credentials, password-manager data, browser information, and macOS authentication data, and it can also install a persistent backdoor for ongoing remote access to infected systems.

    Researchers at Group-IB analyzed the ClickLock shell script after discovering the malware on VirusTotal, where it was first submitted on June 9. At the time of the report, it remained undetected by all security vendors available on the platform.

    image

    Further investigation revealed that the malicious script has infected at least 100 systems across 33 countries since May.

    The compromise likely begins via a ClickFix lure, as the researchers observed pastes of a malicious command in the Terminal that trigger a fake Cloudflare “human verification” sequence with an animated progress bar.

    At the same time, keyboard interrupts are disabled, the terminal cursor is hidden, and the stealer modules are downloaded in the background.

    The macOS NotificationCenter is also suppressed for about six hours, effectively disabling notifications that could expose the attack.

    Fake Cloudflare progress bar
    Fake Cloudflare progress bar on the Terminal
    Source: Group-IB

    Forcing password entry

    Group-IB researchers highlight that ClickLock does not require any exploits or elevated privileges but achieves its goal through social engineering and forced interaction loops.

    Operational success is obtained through the malware’s mechanism for coercing the victims into entering their macOS system password.

    Group-IB says that the script initially displays a fake macOS password dialog using the victim’s real username and a downloaded Apple icon.

    If the user enters their password, the malware validates the data and exfiltrates it to the attacker via Telegram.

    In case the user cancels the dialog, the malware establishes persistence via two macOS LaunchAgents (com.authirity.plist, com.chromer.plist) and reloads at the next login.

    At the next activation, the password-stealing module runs a termination loop every 210 milliseconds, targeting key apps (e.g., Finder, Dock, Terminal, Activity Monitor, Console, System Settings, Spotlight, web browsers) and shows only a password dialog on the screen until the victim complies.

    Group-IB reports that the loop is configured to continue for 300,000 seconds (about 83 hours), or until the victim supplies a correct password.

    The kill loop function
    The second kill loop function
    Source: Group-IB

    The second LaunchAgent runs a separate coercion mechanism that also terminates many of the mentioned system applications, requesting Keychain authorization via a legitimate system prompt, seeking approval to access Chrome’s Safe Storage key.

    That key could then be used to decrypt offline Chromium-stored passwords, cookies, and autofill information from stolen databases.

    This second mechanism has a repeat interval of 200 milliseconds and is configured to last for nearly 35 days (3 million seconds).

    ClickLock also deploys a data-harvesting module, which targets the following:

    • Data from eight browsers: Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Chromium
    • Saved logins, cookies, autofill data, bookmarks, local storage, and session storage
    • Cryptocurrency wallet extensions and desktop wallet files
    • Encrypted wallet vault material for potential offline cracking
    • Password-manager extension data
    • Cached cryptocurrency addresses across EVM, Bitcoin, Solana, TRON, TON, and Stacks
    • Shell histories
    • FileZilla FTP configuration and recent-server data
    • Basic system information and the public IP address

    The harvesting module packages the collected information and a summary log file into a ZIP archive, then uploads it via the Telegram Bot API.

    Files larger than 40 MB are split into smaller parts, while retry logic ensures that uploading resumes after temporary network failures.

    The final module is a modified version of the open-source tool GSocket that acts as a persistent backdoor for the attackers.

    The backdoor establishes persistence through multiple methods, including a LaunchAgent, crontab entries, and modifications to shell configuration files.

    It connects through a GSocket relay, allowing the attacker to open a reverse shell and remotely control the system.

    Unlike the other ClickLock modules that self-delete after execution, GSocket is the only component that persists on infected systems.

    The complete ClickLock attack chain
    The complete ClickLock attack chain
    Source: Group-IB

    Group-IB warns that “malware leaves a narrow detection window” and that the malicious payloads are hosted on compromised legitimate domains with a clean reputation.

    Additionally, the script is not flagged as malicious on VirusTotal, and its modules self-delete after execution, leaving no artifacts.

    Despite this, the researchers say that detection is possible based on the activity generated by the malware, such as osascript launching password dialogs, repeated process termination, mass access to browser profile directories, and outbound connections to Telegram’s API.

    To defend against these attacks, users should avoid pasting in Terminal commands they don’t fully understand, especially if the request comes from a website.

    “Any page that instructs you to open Terminal, regardless of how professional it looks, is attempting to compromise your system,” the researchers say.

    If prompted to enter the login password when the rest of the system appears unresponsive, Group-IB recommends forcing a system shutdown by holding the power button and then booting into Safe Mode to recover the system.


    article image

    Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

    The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

    Get the whitepaper



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleSurvey of Canadian Security Intelligence Service Technical Capabilities: Report
    admin
    • Website

    Related Posts

    News

    Survey of Canadian Security Intelligence Service Technical Capabilities: Report

    July 16, 2026
    News

    The OSINT Newsletter – Issue #114

    July 16, 2026
    News

    How Cops Use Flock to Track People, Not Cars

    July 16, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Our Picks

    New ClickLock macOS malware traps users into revealing login password

    July 16, 2026

    Survey of Canadian Security Intelligence Service Technical Capabilities: Report

    July 16, 2026

    The OSINT Newsletter – Issue #114

    July 16, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.