ClickLock macOS Malware Forces Password Entry, Steals Crypto and Credentials
A sophisticated new macOS information-stealing malware, dubbed **ClickLock**, is coercing users into revealing their system login passwords by terminating active processes and displaying persistent fake authentication prompts. This stealthy threat targets a wide array of sensitive data, including cryptocurrency assets, browser information, and password manager data, while also establishing a persistent backdoor for long-term remote access.
A new macOS information-stealing malware, dubbed **ClickLock**, has been identified, employing a unique method to force users into revealing their system login passwords. The malware achieves this by terminating all visible processes, leaving users with little option but to interact with a persistent password prompt.
**ClickLock** is designed to exfiltrate a broad range of sensitive data, including cryptocurrency assets, login credentials, password manager data, browser information, and macOS authentication data. Beyond data theft, it also installs a persistent backdoor, granting attackers ongoing remote access to infected systems.
## Discovery and Initial Infiltration
Researchers at **Group-IB** discovered the **ClickLock** shell script on **VirusTotal**, where it was first submitted on June 9th. At the time of their report, the malware remained undetected by all security vendors on the platform. Further investigation revealed that the malicious script has already infected at least 100 systems across 33 countries since May.
Infiltration likely begins via a "ClickFix" lure. Researchers observed instances of a malicious command being pasted into the Terminal, triggering a fake **Cloudflare** "human verification" sequence with an animated progress bar.

During this deceptive process, keyboard interrupts are disabled, the terminal cursor is hidden, and the stealer modules are downloaded in the background. The macOS **NotificationCenter** is also suppressed for approximately six hours, effectively preventing notifications that could alert the user to the ongoing attack.
## Forcing Password Entry
**Group-IB** highlights that **ClickLock** doesn't rely on exploits or elevated privileges. Instead, it leverages social engineering and forced interaction loops to achieve its objectives, primarily coercing victims into entering their macOS system password.
The script initially displays a fake macOS password dialog, complete with the victimβs actual username and a downloaded Apple icon. If the user enters their password, the malware validates and exfiltrates the data to the attacker via **Telegram**.
Should the user cancel the dialog, the malware establishes persistence through two macOS **LaunchAgents** (**com.authirity.plist**, **com.chromer.plist**), ensuring it reloads upon the next login.
Upon subsequent activation, the password-stealing module initiates a termination loop every 210 milliseconds. This loop targets key macOS applications such as **Finder**, **Dock**, **Terminal**, **Activity Monitor**, **Console**, **System Settings**, and web browsers, continuously displaying only the password dialog until the victim complies.

**Group-IB** reports that this loop is configured to continue for 300,000 seconds (approximately 83 hours) or until a correct password is provided.
A second **LaunchAgent** runs a separate coercion mechanism, also terminating system applications and requesting **Keychain** authorization via a legitimate system prompt. This seeks approval to access **Chrome**βs Safe Storage key, which could then be used to decrypt offline **Chromium**-stored passwords, cookies, and autofill information from stolen databases. This second mechanism has a repeat interval of 200 milliseconds and is configured to last for nearly 35 days (3 million seconds).
## Data Harvesting and Backdoor Functionality
**ClickLock** deploys a comprehensive data-harvesting module, targeting a wide range of information:
* Data from eight popular browsers: **Chrome**, **Firefox**, **Brave**, **Edge**, **Opera**, **Vivaldi**, **Arc**, and **Chromium**.
* Saved logins, cookies, autofill data, bookmarks, local storage, and session storage.
* Cryptocurrency wallet extensions and desktop wallet files.
* Encrypted wallet vault material for potential offline cracking.
* Password-manager extension data.
* Cached cryptocurrency addresses across **EVM**, **Bitcoin**, **Solana**, **TRON**, **TON**, and **Stacks**.
* Shell histories.
* **FileZilla** FTP configuration and recent-server data.
* Basic system information and public IP address.
The harvesting module packages this collected information and a summary log file into a ZIP archive, then uploads it via the **Telegram Bot API**. Files larger than 40 MB are split into smaller parts, with retry logic ensuring uploads resume after temporary network failures.
The final module is a modified version of the open-source tool **GSocket**, which acts as a persistent backdoor for the attackers. This backdoor establishes persistence through multiple methods, including a **LaunchAgent**, **crontab** entries, and modifications to shell configuration files. It connects through a **GSocket** relay, enabling the attacker to open a reverse shell and remotely control the infected system.
Unlike other **ClickLock** modules that self-delete after execution, **GSocket** is the only component that persists on infected systems.

## Detection and Mitigation
**Group-IB** warns that **ClickLock** leaves a narrow detection window. The malicious payloads are hosted on compromised legitimate domains with clean reputations, the script is not flagged on **VirusTotal**, and modules self-delete, leaving minimal artifacts.
Despite these challenges, detection is possible based on the activity generated by the malware, such as `osascript` launching password dialogs, repeated process termination, mass access to browser profile directories, and outbound connections to **Telegram's API**.
To defend against these attacks, users should exercise extreme caution and avoid pasting Terminal commands they don't fully understand, especially if instructed by an unfamiliar website. Researchers emphasize: "Any page that instructs you to open Terminal, regardless of how professional it looks, is attempting to compromise your system."
If prompted to enter a login password while the rest of the system appears unresponsive, **Group-IB** recommends forcing a system shutdown by holding the power button. Users should then boot into Safe Mode to recover the system and investigate further.