At least 100 victims across 33 countries were struck by a new macOS stealer in roughly two months, with more than half of those victims located in Europe, according to Group-IB.
How execution begins: a ClickFix paste-and-run lure and a hidden orchestrator
Group-IB’s analysis, published on June 16, traces execution to a familiar social-engineering trick: the victim pastes a command into Terminal after visiting what Group-IB assessed was a ClickFix page. The initial sample was uploaded to VirusTotal on June 9 with zero detections.
The orchestrator script then took control of the desktop experience: it hid the cursor and displayed a fake Cloudflare progress animation while it downloaded four separate components from two compromised WordPress sites. Those components split the attack into focused functions rather than a single bulky binary.
Credential theft and coercion: fake password dialogs and kill loops
Two modules were dedicated to stealing credentials. A Keychain stealer queried macOS for the Chrome Safe Storage key — the AES key Chrome uses to decrypt cookies and stored passwords offline — while a credential module presented a fake password dialog written in AppleScript.
That credential dialog did not accept arbitrary input: the module validated any entered password against the local directory service so only correct passwords were forwarded to the operator. If a victim canceled the prompt, the orchestrator installed two LaunchAgents so the credential modules would relaunch at the next login.
When coercion was required, the malware enacted a harsh routine. A “kill loop” repeatedly terminated Finder, Dock, browsers, Terminal and Activity Monitor in a tight cycle that ran for periods of up to 83 hours. The Keychain module used the same pattern to force the real macOS Keychain dialog to appear and request approval. In parallel, the attack killed NotificationCenter for roughly six hours to suppress Gatekeeper warnings.
Crypto pursuits, persistence and a disguised reverse shell
A third module focused on cryptocurrency assets, scanning more than 30 wallet extensions — including MetaMask and Phantom — and extracting encrypted vault fields stored in LevelDB. The fourth component installed GSocket, an open-source reverse-shell tool that Group-IB found reused roughly 80% of its original code and disguised on macOS as an iCloud process.
Exfiltration did not rely on a conventional command-and-control server. Group-IB observed data leaving victims entirely over Telegram, using three bots and no dedicated C2 infrastructure. Modules also forged timestamps and removed their own traces, leaving only the GSocket backdoor behind on compromised systems.
Related macOS stealer activity: AMOS backdoor and CrashStealer developments
Group-IB placed ClickLock Stealer alongside a broader shift in macOS stealer tooling. The Atomic macOS Stealer (AMOS) family gained an embedded backdoor in July 2025, and Jamf Threat Labs documented CrashStealer using a signed dropper to clear Gatekeeper earlier this week — signals that attackers continue to refine both persistence and Gatekeeper-evasion techniques.
What this means for end users, security teams, and adversaries
- End users: Group-IB urged users to treat any website instructing them to paste a command into Terminal as an attack attempt, and to force-shutdown and boot into Safe Mode rather than enter a password if the desktop suddenly starts killing applications.
- Security teams: The modular design — credential theft, targeted crypto extraction, and an open-source reverse shell — and use of Telegram for exfiltration highlight the need to look for behavioral signs (persistent process-killing loops, repeated Keychain prompts, and unusual Telegram bot activity) rather than relying solely on signature-based detections.
- Adversaries and tool developers: The reuse of open-source code (GSocket at roughly 80% reuse), timestamp forging, and self-deletion show an emphasis on agility and operational security that reduces the forensic footprint while preserving remote access.
ClickLock Stealer illustrates a calculated shift: attackers combine social engineering that coerces victims into handing over credentials with persistence and usability denial to force compliance. Group-IB’s concrete advice — do not paste Terminal commands from unknown sites, and prefer Safe Mode and force shutdown over entering passwords when the desktop behaves erratically — is a simple, actionable countermeasure tied directly to the attack’s mechanics. The remaining questions are operational: how quickly detection vendors will surface signatures for these components, and whether defenders will adapt monitoring to catch the behavioral patterns Group-IB described.




