'macOS users may face real, sophisticated threats that require neither exploits nor any elevated access to succeed': ClickLock Stealer tries to trick Apple users into revealing their passwords

Security News

‘macOS users may face real, sophisticated threats that require neither exploits nor any elevated access to succeed’: ClickLock Stealer tries to trick Apple users into revealing their passwords

Credit: The original article is published here.
  • Group‑IB uncovers ClickLock, a new macOS‑focused infostealer using aggressive social engineering by spamming password prompts and terminating key apps every 210ms until victims comply
  • Once credentials are obtained, it exfiltrates browser data, crypto wallets, password manager entries, FTP configs, and device info via Telegram Bot API
  • Active since May 2026, spotted in 33 countries (mostly Europe), distributed via ClickFix campaigns, and initially undetected by security vendors until recently

Security researchers from Group-IB have uncovered a new infostealer targeting primarily macOS users in Europe.

Dubbed ClickLock, it is more of an annoying social engineering mechanism rather than a full-blown malware variant, constantly popping up a login prompt on the victim’s device, until they finally comply and share the credentials.

Every 210 milliseconds it terminates key apps on the device (Finder, Dock, TErminal, etc.), essentially making it useless. At the same time, it keeps prompting a password dialog on the screen, making sure the victim can do nothing but provide the credentials.

Targeting Europeans

The loop is set to continue for more than three straight days, or until the victim folds.

After getting the keys to the kingdom, the malware gets to work and starts exfiltrating valuable information.

This includes data from key browsers (Chrome, Firefox, Brave, and others), saved logins, cookies, autofill data, and other browser information, data linked to cryptocurrency wallets and extensions, encrypted wallet vault material that can be cracked off-site, data from password managers, cached cryptocurrency addresses across EVM, Bitcoin, Solana, TRON, TON, and Stacks, shell histories, FileZilla FTP configuration and recent-server data, and basic device information.Everything is then packaged into a .ZIP archive and exfiltrated via a Telegram Bot API.

Group-IB says the campaign has been active since at least May 2026, so it’s been active for a few months now. A researcher submitted a variant to VirusTotal in early June, but it remained undetected by all security vendors until recently, Group-IB says.

So far, it has been spotted in 33 countries, more than half of which are in Europe, it was also added. The malware is most likely being distributed via a ClickFix social engineering campaign, and has not been tied to any particular threat actor.

Leave a Reply

Your email address will not be published. Required fields are marked *