2026-07-19 · view entry permalink →
ClickLock Stealer — a macOS ClickFix infostealer that force-kills every visible app until the victim types their login password
macOS endpoint malware is usually treated as rare and, when it appears, as a stealthy background stealer; ClickLock Stealer — documented by Group-IB after a shell script with zero VirusTotal detections was uploaded on 9 June 2026 — inverts both assumptions with an overtly coercive design that forces the victim to hand over their own password, and it is landing disproportionately in Europe (Group-IB, 2026-07-16). Group-IB's telemetry counts "at least 100 victims in 33 countries, with more than 50% from Europe," active since roughly May 2026 (Group-IB, 2026-07-16). It sits in the same ClickFix-delivered macOS-stealer lineage as AMOS, Poseidon and Banshee but is mechanically distinct in how it obtains credentials — it does not defeat the operating system's protections, it defeats the user.
Delivery and execution (T1204.004, T1059.004, T1105). The victim reaches a ClickFix page — a fake Cloudflare "verifying you are not a bot" flow — and is instructed to paste a command into Terminal. That orchestrator shell script disables keyboard interrupts, renders a fake Cloudflare progress-bar animation as cover, and downloads four modules from compromised WordPress infrastructure: a credential stealer, a Keychain stealer, a cross-platform crypto stealer, and a backdoor installer (Group-IB, 2026-07-16). Nothing here needs an exploit or elevated privilege — the whole chain runs at the logged-in user's level.
The coercion mechanism (T1056.002, T1685). The orchestrator first tries a "soft" approach: a fake macOS password dialog built with osascript, styled with a downloaded Apple icon to look genuine. Any password entered is checked locally against the directory service — "validated against the local directory service via dscl /Local/Default -authonly… ensuring only the correct password is exfiltrated" — so the operator receives only a working credential (Group-IB, 2026-07-16). If the victim cancels, the script installs persistence and exits; on the next login the credential-stealer module "activates killing every visible application every 210 milliseconds, leaving only a password dialog on screen until the user is forced to comply" (Group-IB, 2026-07-16). The kill loop deliberately includes Finder, Dock, SystemUIServer, Spotlight, Terminal, all common browsers and — critically — Activity Monitor and Console, so the victim cannot investigate or terminate the malware; the credential loop is configured to run for approximately 83 hours. A parallel Keychain-stealer module uses the identical technique at a ~0.2-second cadence to force approval of a real macOS Keychain-authorization prompt, capturing Chrome's Safe Storage AES key (which decrypts the browser's saved passwords and cookies offline). A separate background loop kills NotificationCenter for roughly six hours to suppress any Gatekeeper or security alerts.
Collection and exfiltration (T1555.001, T1555.003, T1552.001, T1119, T1567, T1102). While the coercion loops run, a data harvester performs a full scan across eight browsers, 31 crypto-wallet browser extensions, seven password-manager extensions, eight desktop wallet applications, blockchain addresses across six chains, the macOS Keychain, shell history and FTP credentials, archives everything into a ZIP, and pushes it to a Telegram bot via the bot API — Telegram serving as a no-infrastructure exfiltration channel with encrypted transport unlikely to be blocked by network filters (Group-IB observed no dedicated command-and-control infrastructure; ongoing remote access comes from the GSocket backdoor below). To widen access, the orchestrator checks whether Terminal holds Full Disk Access and, if not, opens System Settings straight to the Full Disk Access pane with step-by-step instructions to add Terminal, unlocking TCC-protected paths including the Keychain database.
Persistence and anti-forensics (T1543.001, T1053.003, T1546.004, T1564.001, T1036.005, T1070.004, T1070.006). The credential and Keychain modules stage into a hidden ~/.cacheb/ directory and install two LaunchAgents so they re-arm on every login even if the victim cancels the dialog, closes Terminal or reboots. The backdoor installer deploys a lightly modified open-source GSocket build — a persistent gs-netcat reverse shell disguised as an iCloud process — and, unlike the self-deleting stealer modules, keeps a durable foothold via crontab injection, shell-RC-file modification and a LaunchAgent, phoning its connection secret home over three redundant channels. Every stealer module self-deletes after running and copies file modification times from a default macOS directory onto its artifacts to blunt timeline-based forensics.
On subsequent login, the zsh.txt module activates killing every visible application every 210 milliseconds, leaving only a password dialog on screen until the user is forced to comply.
If the user enters a password, it is validated against the local directory service via dscl /Local/Default -authonly “$USER” “$PASS” ensuring only the correct password is exfiltrated.
A ClickLock Stealer operation has already targeted at least 100 victims in 33 countries, with more than 50% from Europe, and has been active for approximately two months, since May 2026.
Alert on rapid, repeated pkill or killall activity targeting system processes (Finder, Dock, SystemUIServer, NotificationCenter) at sub-second intervals, this behavior is unique to forced-interaction malware and has no legitimate use case.