"The entire attack chain from initial access to full credential theft and data exfiltration relies on a single moment of trust: the user pasting a command into Terminal," Group-IB wrote.
ClickLock Stealer: social engineering, not exploits
Group-IB has detailed a previously undocumented macOS information stealer it calls "ClickLock Stealer" that deliberately avoids looking for software flaws. Instead, operators trick victims into running a command in macOS Terminal. According to the researchers, the campaign has been active since around May and has already targeted at least 100 victims across 33 countries, with more than half located in Europe. The research team first encountered a malicious shell script uploaded to VirusTotal on June 9 that at the time carried zero antivirus detections.
ClickFix pages, compromised WordPress hosts, and Telegram command-and-control
Group-IB says the attackers distribute ClickLock via fake verification pages that use a social engineering method the researchers call ClickFix. Payloads are hosted on compromised WordPress sites, and the operation uses Telegram infrastructure for command-and-control. The current malware "doesn't even need any elevated privileges or rely on exploits for the successful execution," the researchers wrote — because victims are persuaded to launch the infection themselves.
What ClickLock takes: browsers, wallets, keychain and more
Once executed, ClickLock proceeds to harvest a broad set of credentials and secrets. Group-IB lists targeted items that include data from eight browsers, 31 cryptocurrency wallet browser extensions, seven password manager extensions, eight desktop wallet applications, macOS Keychain, shell history, FTP credentials, and blockchain addresses spanning six different chains. The malware also deploys a modified version of the open-source GSocket tool to provide attackers with remote access.
Coercion, persistence, and user-interaction tricks
ClickLock masks its activity with a convincing, fake verification sequence. After a victim pastes the supplied command into Terminal the malware displays what appears to be a Cloudflare verification sequence with a progress animation while it quietly downloads additional components. If a user refuses to cooperate and does not enter their macOS password when prompted, ClickLock's "locker" feature repeatedly kills visible applications, effectively preventing normal use of the machine until the password is supplied. If the password is entered, the theft completes quietly; if the machine is rebooted, persistence mechanisms are designed to resume the attack. Group-IB says the malware's code structure and other artifacts indicate it is under active development and that operators are expanding capabilities.
What this means for end users, security teams, and enterprises
- End users: The practical, immediate risk is the single user action of pasting a Terminal command. The article's recommended response is blunt and simple: "If a website claiming to be Cloudflare, Google, or anyone else asks you to open Terminal and paste in a command, close the tab." (The Register)
- Security teams and technologists: Group-IB advises defenders to focus on behavior-based indicators rather than signatures. Look for unexpected password prompts, applications being repeatedly forced to close, unusual access to browser data and stored credentials, and connections sending stolen information to Telegram.
- Enterprises and procurement leaders: Failure modes here are social-engineering driven rather than exploit-driven, so controls that assume network or endpoint exploit chains will not necessarily detect ClickLock. Detection and response playbooks should therefore include monitoring for unusual Terminal launches triggered from browsers and for data flows to Telegram hosts.
ClickLock's novelty lies not in a zero-day exploit but in weaponizing trust: a single pasted command is enough to start credential theft and data exfiltration. That design both lowers the attackers' technical bar and raises the stakes for simple user hygiene and behavioral detection. Group-IB's findings underline a blunt takeaway for anyone using macOS: if a website asks you to paste a command into Terminal, treat the request as hostile and close the tab.




