ctipilot.ch
← Back to the live brief
NOTABLENATOB2threatdeep dive

ClickLock Stealer — a macOS ClickFix infostealer that force-kills every visible app until the victim types their login password

discovered 2026-07-19 04:23 UTCrun 2026-07-19T0408Z-intel3 sourcesmulti-source

macOS endpoint malware is usually treated as rare and, when it appears, as a stealthy background stealer; ClickLock Stealer — documented by Group-IB after a shell script with zero VirusTotal detections was uploaded on 9 June 2026 — inverts both assumptions with an overtly coercive design that forces the victim to hand over their own password, and it is landing disproportionately in Europe (Group-IB, 2026-07-16). Group-IB's telemetry counts "at least 100 victims in 33 countries, with more than 50% from Europe," active since roughly May 2026 (Group-IB, 2026-07-16). It sits in the same ClickFix-delivered macOS-stealer lineage as AMOS, Poseidon and Banshee but is mechanically distinct in how it obtains credentials — it does not defeat the operating system's protections, it defeats the user.

Delivery and execution (T1204.004, T1059.004, T1105). The victim reaches a ClickFix page — a fake Cloudflare "verifying you are not a bot" flow — and is instructed to paste a command into Terminal. That orchestrator shell script disables keyboard interrupts, renders a fake Cloudflare progress-bar animation as cover, and downloads four modules from compromised WordPress infrastructure: a credential stealer, a Keychain stealer, a cross-platform crypto stealer, and a backdoor installer (Group-IB, 2026-07-16). Nothing here needs an exploit or elevated privilege — the whole chain runs at the logged-in user's level.

The coercion mechanism (T1056.002, T1685). The orchestrator first tries a "soft" approach: a fake macOS password dialog built with osascript, styled with a downloaded Apple icon to look genuine. Any password entered is checked locally against the directory service — "validated against the local directory service via dscl /Local/Default -authonly… ensuring only the correct password is exfiltrated" — so the operator receives only a working credential (Group-IB, 2026-07-16). If the victim cancels, the script installs persistence and exits; on the next login the credential-stealer module "activates killing every visible application every 210 milliseconds, leaving only a password dialog on screen until the user is forced to comply" (Group-IB, 2026-07-16). The kill loop deliberately includes Finder, Dock, SystemUIServer, Spotlight, Terminal, all common browsers and — critically — Activity Monitor and Console, so the victim cannot investigate or terminate the malware; the credential loop is configured to run for approximately 83 hours. A parallel Keychain-stealer module uses the identical technique at a ~0.2-second cadence to force approval of a real macOS Keychain-authorization prompt, capturing Chrome's Safe Storage AES key (which decrypts the browser's saved passwords and cookies offline). A separate background loop kills NotificationCenter for roughly six hours to suppress any Gatekeeper or security alerts.

Collection and exfiltration (T1555.001, T1555.003, T1552.001, T1119, T1567, T1102). While the coercion loops run, a data harvester performs a full scan across eight browsers, 31 crypto-wallet browser extensions, seven password-manager extensions, eight desktop wallet applications, blockchain addresses across six chains, the macOS Keychain, shell history and FTP credentials, archives everything into a ZIP, and pushes it to a Telegram bot via the bot API — Telegram serving as a no-infrastructure exfiltration channel with encrypted transport unlikely to be blocked by network filters (Group-IB observed no dedicated command-and-control infrastructure; ongoing remote access comes from the GSocket backdoor below). To widen access, the orchestrator checks whether Terminal holds Full Disk Access and, if not, opens System Settings straight to the Full Disk Access pane with step-by-step instructions to add Terminal, unlocking TCC-protected paths including the Keychain database.

Persistence and anti-forensics (T1543.001, T1053.003, T1546.004, T1564.001, T1036.005, T1070.004, T1070.006). The credential and Keychain modules stage into a hidden ~/.cacheb/ directory and install two LaunchAgents so they re-arm on every login even if the victim cancels the dialog, closes Terminal or reboots. The backdoor installer deploys a lightly modified open-source GSocket build — a persistent gs-netcat reverse shell disguised as an iCloud process — and, unlike the self-deleting stealer modules, keeps a durable foothold via crontab injection, shell-RC-file modification and a LaunchAgent, phoning its connection secret home over three redundant channels. Every stealer module self-deletes after running and copies file modification times from a default macOS directory onto its artifacts to blunt timeline-based forensics.

On subsequent login, the zsh.txt module activates killing every visible application every 210 milliseconds, leaving only a password dialog on screen until the user is forced to comply.

If the user enters a password, it is validated against the local directory service via dscl /Local/Default -authonly “$USER” “$PASS” ensuring only the correct password is exfiltrated.

A ClickLock Stealer operation has already targeted at least 100 victims in 33 countries, with more than 50% from Europe, and has been active for approximately two months, since May 2026.

Alert on rapid, repeated pkill or killall activity targeting system processes (Finder, Dock, SystemUIServer, NotificationCenter) at sub-second intervals, this behavior is unique to forced-interaction malware and has no legitimate use case.

Group-IB

ATT&CK mapping

18 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Execution TA0002
T1053.003Scheduled Task/Job: Cron

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

overlap matrix · ATT&CK page ↗

T1059.004Command and Scripting Interpreter: Unix Shell

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

overlap matrix · ATT&CK page ↗

T1204.004User Execution: Malicious Copy and Paste

An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter. One such strategy is "ClickFix," in which adversaries present users with seemingly helpful solutions—such as prompts to fix errors or complete CAPTCHAs—that instead instruct the user to copy and paste malicious code.

overlap matrix · ATT&CK page ↗

Persistence TA0003
T1053.003Scheduled Task/Job: Cron

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

overlap matrix · ATT&CK page ↗

T1543.001Create or Modify System Process: Launch Agent

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>. Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.

overlap matrix · ATT&CK page ↗

T1546.004Event Triggered Execution: Unix Shell Configuration Modification

Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user’s home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.

overlap matrix · ATT&CK page ↗

Privilege Escalation TA0004
T1053.003Scheduled Task/Job: Cron

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

overlap matrix · ATT&CK page ↗

T1543.001Create or Modify System Process: Launch Agent

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>. Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.

overlap matrix · ATT&CK page ↗

T1546.004Event Triggered Execution: Unix Shell Configuration Modification

Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user’s home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.

overlap matrix · ATT&CK page ↗

Stealth TA0005
T1036.005Masquerading: Match Legitimate Resource Name or Location

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.

overlap matrix · ATT&CK page ↗

T1070.004Indicator Removal: File Deletion

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

overlap matrix · ATT&CK page ↗

T1070.006Indicator Removal: Timestomp

Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.

overlap matrix · ATT&CK page ↗

T1564.001Hide Artifacts: Hidden Files and Directories

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls –a</code> for Linux and macOS).

overlap matrix · ATT&CK page ↗

Defense Impairment TA0112
T1685Disable or Modify Tools

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.

overlap matrix · ATT&CK page ↗

Credential Access TA0006
T1056.002Input Capture: GUI Input Capture

Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control).

overlap matrix · ATT&CK page ↗

T1552.001Unsecured Credentials: Credentials In Files

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

overlap matrix · ATT&CK page ↗

T1555.001Credentials from Password Stores: Keychain

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.

overlap matrix · ATT&CK page ↗

T1555.003Credentials from Password Stores: Credentials from Web Browsers

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

overlap matrix · ATT&CK page ↗

Collection TA0009
T1056.002Input Capture: GUI Input Capture

Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control).

overlap matrix · ATT&CK page ↗

T1119Automated Collection

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.

overlap matrix · ATT&CK page ↗

Command and Control TA0011
T1102Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

overlap matrix · ATT&CK page ↗

T1105Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

overlap matrix · ATT&CK page ↗

Exfiltration TA0010
T1567Exfiltration Over Web Service

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.