Skip to main content
Emerging ThreatsMalware & Ransomware

ClickLock Malware Forces macOS Users to Reveal Login Passwords

Concerned person sits in front of laptop with blank screen, surrounded by everyday objects.

At least 100 systems across 33 countries have been hit since May by a new macOS information‑stealer that forces users into surrendering their system login password, researchers say.

Group-IB discovery and scope

Researchers at Group-IB analyzed a shell script they named ClickLock after finding it on VirusTotal; the sample was first submitted on June 9 and, according to Group-IB, remained undetected by all security vendors available on the platform at the time of the report. Further investigation linked the script to infections on "at least 100 systems across 33 countries" starting in May.

Group-IB warns the malware "leaves a narrow detection window." Investigators found the payloads hosted on compromised legitimate domains with clean reputations, and noted that many ClickLock modules self-delete after execution, leaving few on-disk artifacts.

ClickLock coercion loop: forcing password entry without exploits

ClickLock does not rely on exploits or elevated privileges; instead, it uses social engineering and persistent user-facing coercion. Group-IB describes an initial lure, labeled ClickFix, in which victims paste a malicious command into Terminal that triggers a fake Cloudflare "human verification" sequence with an animated progress bar. At that moment the malware disables keyboard interrupts, hides the terminal cursor, suppresses macOS NotificationCenter for about six hours, and downloads stealer modules in the background.

The script first displays a fake macOS password dialog that uses the victim’s real username and a downloaded Apple icon. If the user enters the password, the malware validates it and exfiltrates the credential. If the user cancels, ClickLock establishes persistence via two LaunchAgents (com.authirity.plist and com.chromer.plist) and reloads at next login.

On subsequent activations, the password‑stealing module runs a termination loop every 210 milliseconds that kills visible system applications (examples listed by the researchers include Finder, Dock, Terminal, Activity Monitor, Console, System Settings, Spotlight and web browsers) and leaves only the password dialog on screen. That loop is configured to continue for 300,000 seconds—about 83 hours—or until a correct password is supplied.

Telegram Bot API exfiltration and targeted data collection

Group-IB reports ClickLock uses the Telegram Bot API to receive stolen material. If a user supplies the macOS login password, the malware validates it and sends the credential out via Telegram. A dedicated harvesting module targets a broad set of data, including:

  • Profiles from eight browsers: Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Chromium
  • Saved logins, cookies, autofill data, bookmarks, local storage, and session storage
  • Cryptocurrency wallet extensions and desktop wallet files, plus encrypted wallet vault material for potential offline cracking
  • Password‑manager extension data and cached cryptocurrency addresses across EVM, Bitcoin, Solana, TRON, TON, and Stacks
  • Shell histories, FileZilla FTP configuration and recent-server data, basic system information and the public IP address

The harvesting module packages collected files and a summary log into a ZIP archive and uploads it via Telegram. Files larger than 40 MB are split, and the uploader uses retry logic so transfers resume after temporary network failures.

GSocket backdoor and persistence mechanisms

ClickLock’s final component is a modified variant of the open‑source tool GSocket, repurposed as a persistent backdoor. Unlike other ClickLock modules—which self-delete after execution—GSocket persists on infected hosts. Group-IB says the backdoor establishes persistence through multiple methods including a LaunchAgent, crontab entries, and modifications to shell configuration files.

The GSocket component connects through a GSocket relay, enabling an attacker to open a reverse shell and remotely control the system. Because the other modules remove themselves and the initial script is not flagged on VirusTotal, Group-IB stresses that detection must rely on behavior rather than simple signature matches.

What this means for technologists, security teams, and end users

For technologists and security teams: Group-IB highlights several observable behaviors that can be used to detect ClickLock activity—osascript launches that display password dialogs, repeated termination of system processes, mass access to browser profile directories, and outbound connections to Telegram's API. Detection should focus on these telemetry signals because payloads and hosting domains can appear benign and modules self-delete.

For end users: Group-IB's practical advice is stark and specific: avoid pasting Terminal commands you do not fully understand, especially when instructed by a website. "Any page that instructs you to open Terminal, regardless of how professional it looks, is attempting to compromise your system," the researchers say. If the system becomes unresponsive and requests a login password, Group-IB recommends forcing a shutdown by holding the power button and booting into Safe Mode to recover the machine.

ClickLock combines straightforward social engineering with a relentless local coercion mechanism and a persistent remote access tool, creating a narrow window in which defenders must spot anomalous behavior. Group-IB's analysis lays out concrete telemetry to watch for; how rapidly those signals are integrated into defenders’ monitoring will determine how many of the infections counted to date become the start of longer compromises.

Original story on BleepingComputer