ClickLock Hits 100 Macs Across 33 Countries, Killing Apps Every 210 Milliseconds for Passwords
Updated
Updated · The Hacker News · Jul 16
ClickLock Hits 100 Macs Across 33 Countries, Killing Apps Every 210 Milliseconds for Passwords
3 articles · Updated · The Hacker News · Jul 16
Summary
Group-IB said the new ClickLock macOS stealer has targeted at least 100 victims in 33 countries since May, using repeated app crashes at next login to force users to enter their system password.
After a victim pastes a Terminal command and cancels a fake system prompt, the malware installs LaunchAgents that kill Finder, Dock, browsers, Terminal and Activity Monitor every 210 milliseconds, sometimes for up to 83 hours.
A successful run gives attackers the validated macOS password, Chrome Safe Storage key, Keychain data, browser credentials and cookies, crypto-wallet files, password-manager vaults and FileZilla logins, with exfiltration sent through Telegram bots.
Group-IB said the campaign uses ClickFix-style fake Cloudflare verification, compromised payload hosts and a GSocket-based backdoor, but found no lure domains or dedicated command-and-control infrastructure, suggesting the malware is still evolving.
Apple's paste-warning defenses in macOS 26.4 do not fully stop this approach because users can still paste commands and the hard block depends on known malware; Group-IB urged victims to power off, boot into Safe Mode and rotate all saved credentials.
With malware now holding your desktop hostage, is the era of the 'safe' Mac officially over?
As hackers turn developer tools into weapons, is pasting a single command the biggest threat to your security?
If malware can perfectly mimic system warnings, how can you ever trust what your computer is telling you?
ClickLock Stealer: The First Coercive macOS Malware Paralyzing Systems and Forcing Credential Theft Since May 2026
Overview
ClickLock Stealer is a newly discovered and highly aggressive information stealer targeting macOS users since at least May 2026. It stands out by using a unique coercive technique: an aggressive loop that pressures victims to grant access to sensitive system components. This loop works by continuously monitoring for authorization and, at the same time, disabling user interaction. A foreground process aggressively terminates almost all interactive applications every 0.2 seconds—including Finder, Dock, browsers, Terminal, and Activity Monitor—making the system unusable until the user complies with its demands. This approach forces users into giving up their credentials to regain control.