Group-IB's telemetry counts at least 100 targets across 33 countries since May, and the new macOS infostealer they describe does one thing very clearly: it will make a victim's desktop unusable until the victim types their login password.
How ClickLock is delivered and persists
The campaign begins with a command pasted into Terminal. The orchestrator script, script.sh, opens with a fake Cloudflare CAPTCHA banner and a progress bar, disables keyboard interrupts, hides the cursor, and pulls four payloads from two compromised sites: two payloads are piped straight into bash and two are written into a hidden directory, $HOME/.cacheb/. The script takes a RAY_ID as its first argument and performs an osascript dialog that shows a downloaded Apple icon and the victim's real username; whatever is typed is validated with dscl /Local/Default -authonly before the script proceeds.
If the user cancels that dialog, the script drops two LaunchAgents — com.authirity.plist and com.chromer.plist — into ~/Library/LaunchAgents/ and then exits. The front end is assessed with high confidence to be ClickFix, which Group-IB says it has not previously seen.
The coercion loop: killing apps every 210 milliseconds
At the next login, the coercion begins. One LaunchAgent fires a pkill/killall loop that terminates Finder, Dock, Spotlight, Terminal, Activity Monitor and major browsers every 210 milliseconds until a password is entered. A second LaunchAgent launches an independent loop at 0.2-second intervals for up to 3,000,000 seconds (roughly 34.7 days) while a background process queries the Keychain for Chrome's Safe Storage key every half second. A third loop kills NotificationCenter for six hours so no Gatekeeper warning renders.
Group-IB states plainly that "this behavior is unique to forced-interaction malware and has no legitimate use case."
What ClickLock steals and how it exfiltrates
A completed run leaves the operator with the validated macOS login password, Chrome's Safe Storage AES key, and a ZIP containing browser credentials and cookies, crypto wallet extension storage, desktop wallet files, password manager vaults, the Keychain, shell history, and FileZilla's saved server credentials. Group-IB emphasizes the Safe Storage key is the long-lived prize: it encrypts Chrome's saved passwords and cookies on disk, so Login Data and Cookies can be decrypted offline on the attacker's machine.
The campaign uses a backdoor named goyim that Group-IB finds to be roughly 80 percent a copy of the public deploy script for GSocket, an open-source tunneling toolkit; its authors describe the gs-netcat component as an encrypted reverse backdoor that needs no C2 server and rides a relay. Group-IB traced this copy to an operator relay at gsnc[.]eu:67 and notes the binary was pulled from gsocket.io. The stealer modules are hosted on three compromised domains (one a hacked WordPress site) and the haul leaves through three Telegram bots; Group-IB observed no dedicated command-and-control infrastructure.
Signals defenders can watch and Group-IB's immediate advice
- Suspicious patterns Group-IB lists: security find-generic-password called from a shell script instead of a browser; osascript spawning password dialogs with icons from /tmp/; bulk reads of browser profile directories followed by traffic to api.telegram.org; curl piped into bash where the URL ends in .jpg, .txt, or .css; and LaunchAgent creation in ~/Library/LaunchAgents/ paired with launchctl load.
- Group-IB recorded that the orchestrator and payloads attempt to avoid macOS 26.4 mitigations: although macOS 26.4 (shipped in late March) warns when Terminal sees suspicious paste activity and blocks known malware, that warning only fires if you do not regularly use Terminal and includes a Paste Anyway button; a hard block requires the OS to already recognize the malware.
- Immediate remediation steps Group-IB recommends if a Mac is attacked: do not type the password into the on-screen box; instead hold the power button until the machine shuts down and then boot into Safe Mode — Group-IB's Shift-at-startup instruction is the Intel procedure only; on Apple silicon, hold the power button until "Loading startup options" appears, select the volume, then hold Shift and click Continue in Safe Mode.
- Group-IB advises treating every saved password, cookie, and wallet key as compromised: revoke active browser sessions and change all affected credentials.
What this means for technologists, enterprises, and end users
- Technologists and security teams: monitor for the specific IOC patterns above (LaunchAgent creation in ~/Library/LaunchAgents/, rapid pkill patterns, Keychain queries every half second) and investigate traffic to api.telegram.org tied to profile reads; note that VirusTotal submissions can show zero detections — Group-IB found the orchestrator had zero detections when it was uploaded on June 9.
- Enterprises and procurement leaders: expect attackers to route around paste protections; Jamf Threat Labs documented an applescript:// bypass in April and, as Jamf's Thijs Xhaflaire wrote, "when one door closes, attackers find another." Evaluate controls that limit Terminal use and reduce the chance of interactive coercion.
- End users: if a Mac begins repeatedly killing its own apps and leaves a password dialog alone on screen, do not type the password. The Cloudflare-style check shown by the script runs in Terminal and is not a browser verification.
ClickLock's operators launched in May and built the campaign specifically around paste delivery and forced interaction; Group-IB's analysts found the payload chain and exfiltration, but not the lure pages that bring victims in. Whether the victims counted in Group-IB's telemetry ever saw the ClickFix front end is a detail the report does not resolve. The Hacker News has asked Group-IB for macOS version breakdowns and will update the record with any response.
https://thehackernews.com/2026/07/new-clicklock-macos-stealer-kills-apps.html




