ctipilot.ch

ClickLock Stealer

tool · tool:clicklock-stealer

Modular macOS ClickFix-delivered infostealer documented by Group-IB (a shell script uploaded to VirusTotal 2026-06-09 with zero detections at analysis) that coerces credential and Keychain disclosure by repeatedly killing all visible applications until the victim enters their password, validating it locally via dscl before exfiltrating; bundles browser/crypto/password-manager theft and a modified open-source GSocket (gs-netcat) reverse-shell backdoor for persistence. Over 50% of ~100 identified victims across 33 countries are in Europe, active since ~May 2026 (Group-IB, 2026-07-16).

Aliases: ClickLock

Coverage timeline
1
first 2026-07-19 → last 2026-07-19
Peak priority
notable
1 notable
Sources cited
3
3 hosts
Sections touched
1
deep-dive
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
18
pinned v19.1 · see below

ATT&CK techniques

18 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Execution TA0002

T1053.003Scheduled Task/Job: Cron×1

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

T1059.004Command and Scripting Interpreter: Unix Shell×1

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

T1204.004User Execution: Malicious Copy and Paste×1

An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter. One such strategy is "ClickFix," in which adversaries present users with seemingly helpful solutions—such as prompts to fix errors or complete CAPTCHAs—that instead instruct the user to copy and paste malicious code.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

Persistence TA0003

T1053.003Scheduled Task/Job: Cron×1

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

T1543.001Create or Modify System Process: Launch Agent×1

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>. Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

T1546.004Event Triggered Execution: Unix Shell Configuration Modification×1

Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user’s home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

Privilege Escalation TA0004

T1053.003Scheduled Task/Job: Cron×1

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

T1543.001Create or Modify System Process: Launch Agent×1

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>. Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

T1546.004Event Triggered Execution: Unix Shell Configuration Modification×1

Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user’s home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

Stealth TA0005

T1036.005Masquerading: Match Legitimate Resource Name or Location×1

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

T1070.004Indicator Removal: File Deletion×1

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

T1070.006Indicator Removal: Timestomp×1

Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

T1564.001Hide Artifacts: Hidden Files and Directories×1

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls –a</code> for Linux and macOS).

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

Defense Impairment TA0112

T1685Disable or Modify Tools×1

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

Credential Access TA0006

T1056.002Input Capture: GUI Input Capture×1

Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control).

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

T1552.001Unsecured Credentials: Credentials In Files×1

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

T1555.001Credentials from Password Stores: Keychain×1

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

T1555.003Credentials from Password Stores: Credentials from Web Browsers×1

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

Collection TA0009

T1056.002Input Capture: GUI Input Capture×1

Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control).

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

T1119Automated Collection×1

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

Command and Control TA0011

T1102Web Service×1

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

T1105Ingress Tool Transfer×1

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

Exfiltration TA0010

T1567Exfiltration Over Web Service×1

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Evidence: 2026-07-19/clicklock-stealer-macos-clickfix-forced-password-coercion · ATT&CK page ↗

Story timeline

  1. 2026-07-19ClickLock Stealer — a macOS ClickFix infostealer that force-kills every visible app until the victim types their login password
    deep-diveClickLock: a modular macOS stealer that locks the desktop by killing every app until the user surrenders their password — Europe is the top victim region

Where this entity is cited

  • deep-dive1

Source distribution

  • bleepingcomputer.com1 (33%)
  • forbes.com1 (33%)
  • group-ib.com1 (33%)

explore in graph

Entries about ClickLock Stealer (1)

2026-07-19 · view entry permalink →

NOTABLENATOB2

ClickLock Stealer — a macOS ClickFix infostealer that force-kills every visible app until the victim types their login password

macOS endpoint malware is usually treated as rare and, when it appears, as a stealthy background stealer; ClickLock Stealer — documented by Group-IB after a shell script with zero VirusTotal detections was uploaded on 9 June 2026 — inverts both assumptions with an overtly coercive design that forces the victim to hand over their own password, and it is landing disproportionately in Europe (Group-IB, 2026-07-16). Group-IB's telemetry counts "at least 100 victims in 33 countries, with more than 50% from Europe," active since roughly May 2026 (Group-IB, 2026-07-16). It sits in the same ClickFix-delivered macOS-stealer lineage as AMOS, Poseidon and Banshee but is mechanically distinct in how it obtains credentials — it does not defeat the operating system's protections, it defeats the user.

Delivery and execution (T1204.004, T1059.004, T1105). The victim reaches a ClickFix page — a fake Cloudflare "verifying you are not a bot" flow — and is instructed to paste a command into Terminal. That orchestrator shell script disables keyboard interrupts, renders a fake Cloudflare progress-bar animation as cover, and downloads four modules from compromised WordPress infrastructure: a credential stealer, a Keychain stealer, a cross-platform crypto stealer, and a backdoor installer (Group-IB, 2026-07-16). Nothing here needs an exploit or elevated privilege — the whole chain runs at the logged-in user's level.

The coercion mechanism (T1056.002, T1685). The orchestrator first tries a "soft" approach: a fake macOS password dialog built with osascript, styled with a downloaded Apple icon to look genuine. Any password entered is checked locally against the directory service — "validated against the local directory service via dscl /Local/Default -authonly… ensuring only the correct password is exfiltrated" — so the operator receives only a working credential (Group-IB, 2026-07-16). If the victim cancels, the script installs persistence and exits; on the next login the credential-stealer module "activates killing every visible application every 210 milliseconds, leaving only a password dialog on screen until the user is forced to comply" (Group-IB, 2026-07-16). The kill loop deliberately includes Finder, Dock, SystemUIServer, Spotlight, Terminal, all common browsers and — critically — Activity Monitor and Console, so the victim cannot investigate or terminate the malware; the credential loop is configured to run for approximately 83 hours. A parallel Keychain-stealer module uses the identical technique at a ~0.2-second cadence to force approval of a real macOS Keychain-authorization prompt, capturing Chrome's Safe Storage AES key (which decrypts the browser's saved passwords and cookies offline). A separate background loop kills NotificationCenter for roughly six hours to suppress any Gatekeeper or security alerts.

Collection and exfiltration (T1555.001, T1555.003, T1552.001, T1119, T1567, T1102). While the coercion loops run, a data harvester performs a full scan across eight browsers, 31 crypto-wallet browser extensions, seven password-manager extensions, eight desktop wallet applications, blockchain addresses across six chains, the macOS Keychain, shell history and FTP credentials, archives everything into a ZIP, and pushes it to a Telegram bot via the bot API — Telegram serving as a no-infrastructure exfiltration channel with encrypted transport unlikely to be blocked by network filters (Group-IB observed no dedicated command-and-control infrastructure; ongoing remote access comes from the GSocket backdoor below). To widen access, the orchestrator checks whether Terminal holds Full Disk Access and, if not, opens System Settings straight to the Full Disk Access pane with step-by-step instructions to add Terminal, unlocking TCC-protected paths including the Keychain database.

Persistence and anti-forensics (T1543.001, T1053.003, T1546.004, T1564.001, T1036.005, T1070.004, T1070.006). The credential and Keychain modules stage into a hidden ~/.cacheb/ directory and install two LaunchAgents so they re-arm on every login even if the victim cancels the dialog, closes Terminal or reboots. The backdoor installer deploys a lightly modified open-source GSocket build — a persistent gs-netcat reverse shell disguised as an iCloud process — and, unlike the self-deleting stealer modules, keeps a durable foothold via crontab injection, shell-RC-file modification and a LaunchAgent, phoning its connection secret home over three redundant channels. Every stealer module self-deletes after running and copies file modification times from a default macOS directory onto its artifacts to blunt timeline-based forensics.

On subsequent login, the zsh.txt module activates killing every visible application every 210 milliseconds, leaving only a password dialog on screen until the user is forced to comply.

If the user enters a password, it is validated against the local directory service via dscl /Local/Default -authonly “$USER” “$PASS” ensuring only the correct password is exfiltrated.

A ClickLock Stealer operation has already targeted at least 100 victims in 33 countries, with more than 50% from Europe, and has been active for approximately two months, since May 2026.

Alert on rapid, repeated pkill or killall activity targeting system processes (Finder, Dock, SystemUIServer, NotificationCenter) at sub-second intervals, this behavior is unique to forced-interaction malware and has no legitimate use case.

Group-IB
threat19 Jul 04:23Zmulti-sourceOpen finding ↗