New ClickLock macOS malware traps users into revealing login password
clicklockmacos malwaresocial engineeringgroup-ibdata exfiltrationmac securitypassword stealerclickfixshub stealeramosmacsyncgoyim

New ClickLock macOS malware traps users into revealing login password

The ClickLock Coercion Loop: Why Your Mac Can't Save You From Yourself

Applications crash, windows vanish, and a system dialog demands your password. Dismissing it only brings it back, followed by more application failures. This isn't a system glitch; it's ClickLock, a new macOS malware deliberately engineered to coerce your credentials.

Group-IB researchers identified the ClickLock Stealer in early June 2026, noting activity since late May 2026. According to Group-IB's report, it has already affected over 100 users across 33 countries, with a notable concentration in Europe. ClickLock is part of a broader wave of 'ClickFix' campaigns targeting macOS users, alongside malware like SHub Stealer, AMOS, and MacSync, all leveraging similar social engineering tactics. ClickLock is effective not because of complex exploits, but through psychological manipulation, systematically pressuring users to disclose their login credentials.

How a Fake Cloudflare Page Locks Down Your Mac

The attack starts with social engineering, typically using a "ClickFix" lure—such as fake Cloudflare verification pages or troubleshooting guides. The goal is to persuade the user to copy and paste a bash command into their macOS Terminal. This action then kicks off the attack.

Executing this command triggers an orchestrator script to download and execute additional components. Initially, it displays a fabricated Cloudflare CAPTCHA banner over a progress bar, maintaining the illusion of a legitimate process. Subsequently, an osascript dialog appears, featuring a downloaded Apple icon and the user's actual username, requesting login credentials.

A macOS login password dialog box, slightly pixelated or distorted, with a generic Apple logo. The background is dark and blurry, suggesting other applications have been forced closed. Soft, cool lighting.
MacOS login password dialog box, slightly pixelated
ClickLock's deceptive macOS login prompt.

This initial dialog, which many users might dismiss as suspicious, is merely the first step in the coercion. ClickLock then installs two LaunchAgents in ~/Library/LaunchAgents/: com.authirity.plist and com.chromer.plist. These agents ensure persistence and fuel the psychological pressure campaign.

The com.authirity.plist LaunchAgent initiates a persistent kill loop. According to Group-IB, every 210 milliseconds, for up to 83 hours, it terminates processes for Finder, Dock, Spotlight, Terminal, Activity Monitor, and all major browsers. This action aims to render the desktop unusable, leaving only the fabricated password dialog visible. Group-IB also notes that the com.chromer.plist operates similarly, launching a kill loop at 0.2-second intervals for approximately 34.7 days.

Concurrently, a background process queries the Keychain every half second, triggering a legitimate macOS prompt for Keychain access, as detailed by Group-IB. This creates a multi-pronged attack: fabricated dialogs, legitimate system prompts, and systematic system degradation. To suppress security warnings, a third loop disables NotificationCenter for six hours, a detail also reported by Group-IB. If Terminal lacks Full Disk Access, the malware even opens System Settings to guide the user through the permission grant. This approach cleverly bypasses system defenses by manipulating user behavior, forcing compliance.

Upon password entry, the malware validates it using dscl /Local/Default -authonly. If correct, it proceeds to data exfiltration.

What ClickLock Steals and How It Hides

Following successful password entry, ClickLock exfiltrates a range of sensitive data. This includes your validated macOS login password, Chrome's Safe Storage AES key (which allows attackers to decrypt all saved Chrome passwords and cookies offline), and a ZIP archive. This archive contains browser credentials, cookies, crypto wallet extension storage, desktop wallet files, password manager vaults, your entire macOS Keychain, shell history, and FileZilla's saved server credentials.

This data is exfiltrated to Telegram bots. Without a dedicated command-and-control server, it's harder to track and block the malware's infrastructure.

Beyond data exfiltration, ClickLock installs a backdoor named goyim. This component, an approximately 80% copy of the public deploy script for GSocket (an open-source tunneling toolkit), functions as an encrypted reverse backdoor, establishes persistence as iCloud within ~/Library/Application Support/iCloudsync and executes as SystemUIServerl—a deliberate typo designed to mimic legitimate processes. This backdoor utilizes a relay (gsnc[.]eu:67) to provide attackers with persistent, encrypted remote access. While the stealer modules try to cover their tracks by deleting LaunchAgents and forging timestamps after exfiltration, making forensic analysis difficult, the goyim backdoor stays active.

A close-up of a dark, minimalist macOS desktop with a single, stark password input box centered. The background shows faint, blurred outlines of application windows that appear to be crashing or frozen. The overall mood is one of frustration and helplessness.
Close-up of a dark, minimalist macOS desktop
System shutdown, only the password box remains.

Why Apple's Safeguards Aren't Enough Here

Apple has implemented several mitigations. macOS 26.4, shipped late March, introduced warnings for suspicious paste activity in Terminal and includes blocks for recognized malware. These are positive developments.

However, ClickLock's success highlights the limitations of technical safeguards against determined social engineering. The Terminal paste warning, for instance, only triggers if the user does not regularly use Terminal, appears for pastes from external sources, and still presents a "Paste Anyway" option. ClickLock circumvents Gatekeeper by inducing the user to execute the command directly. It bypasses malicious link detection by relying on a copy-paste action. The malware's strategy exploits human instinct and the perceived authority of system dialogs, compounded by the disabling of user control and suppression of security notifications.

This highlights a persistent challenge in cybersecurity. Attackers don't always need complex zero-day exploits; often, simply eroding user resistance is enough.

What You Need to Do

If your Mac begins terminating applications and presents an unexpected password dialog, do not enter your credentials. This is the core objective of the coercion tactic.

Instead, force a shutdown by holding the power button. Then, restart in Safe Mode:

  • Intel Macs: Hold Shift at startup.
  • Apple Silicon Macs: Hold the power button until "Loading startup options" appears, select your volume, then hold Shift and click "Continue in Safe Mode."
In Safe Mode, remediation can begin. While stealer modules may self-delete, the `goyim` backdoor is designed for persistence. Locate `iCloud` within `~/Library/Application Support/iCloudsync` and identify any `SystemUIServerl` processes.

Post-compromise, assume a full data breach. Revoke all active browser sessions, consider every saved password, cookie, and wallet key compromised, and change them without delay. This is a crucial security step you must take.

ClickLock demonstrates that even with advanced platform security, the human element remains a primary vector for compromise. Technical defenses alone aren't enough to fully mitigate the risk when psychological pressure is effectively applied.

Daniel Marsh
Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.