Listen to this Post
Introduction: A New Era of Psychological Malware Attacks Against macOS
For years, macOS users have believed that
A newly discovered information-stealing malware called ClickLock demonstrates this reality with alarming precision. Instead of exploiting zero-day vulnerabilities or bypassing Apple’s security architecture through advanced privilege escalation, ClickLock weaponizes psychology. It manipulates victims into willingly surrendering their system password while simultaneously harvesting browser data, cryptocurrency wallets, password managers, authentication tokens, and other highly valuable information.
Security researchers at Group-IB uncovered the malware after discovering its malicious shell script on VirusTotal, where surprisingly it remained undetected by every antivirus engine available at the time of analysis. Their investigation revealed that the campaign has already compromised more than 100 systems across 33 countries, making it one of the more sophisticated social engineering attacks currently targeting macOS users.
Discovery of ClickLock Malware
Group-IB researchers identified ClickLock after a suspicious shell script was uploaded to VirusTotal on June 9. Despite the malware’s extensive capabilities, it initially escaped detection by all available security vendors.
Further investigation showed that the malware had already been active since May, silently infecting systems around the world. Although the confirmed infection count is relatively small compared to Windows malware campaigns, the sophistication of ClickLock makes it particularly dangerous for users handling cryptocurrency assets or sensitive business information.
Unlike traditional malware that relies heavily on software vulnerabilities, ClickLock focuses on abusing user trust.
The Attack Begins with a Fake Human Verification Page
The infection chain most likely starts with a familiar social engineering trick known as ClickFix.
Victims are presented with what appears to be a legitimate Cloudflare human verification page complete with an animated progress bar. Instead of asking users to solve a CAPTCHA, the page instructs them to copy and paste a Terminal command to continue.
This seemingly harmless action launches the malicious shell script.
Immediately after execution:
Keyboard interrupts are disabled.
Terminal cursor visibility is removed.
Background malware modules begin downloading.
Notification Center becomes disabled for approximately six hours.
The user loses many normal system indicators that could reveal the compromise.
Everything is carefully designed to reduce suspicion while the malware prepares its next stage.
A Fake Apple Password Prompt Becomes the Main Weapon
Perhaps the most dangerous feature of ClickLock is its password theft mechanism.
Instead of exploiting kernel vulnerabilities or bypassing
The dialog includes:
The
An authentic-looking Apple logo.
Native macOS styling.
Correct password validation.
If the victim enters their login password, the malware immediately verifies the password locally before transmitting it directly to the attacker using Telegram.
Because the password is actually validated, victims are unlikely to realize anything unusual occurred.
Canceling the Password Prompt
Many users would naturally click Cancel.
ClickLock anticipates this reaction.
Instead of terminating, the malware installs persistence using two LaunchAgent files:
com.authirity.plist
com.chromer.plist
These components automatically reactivate after the next login.
Once restarted, the malware becomes dramatically more aggressive.
Forced Password Submission Through Process Termination
ClickLock repeatedly terminates nearly every visible application every 210 milliseconds.
Its target list includes:
Finder
Dock
Terminal
Activity Monitor
Spotlight
Console
System Settings
Most web browsers
The victim eventually finds themselves unable to interact with the desktop.
Only one window remains visible:
The fake macOS password dialog.
This attack loop can continue for approximately 83 hours, effectively locking the victim into an endless cycle until the correct password is entered.
Rather than breaking
Stealing Chrome Encryption Keys
A second LaunchAgent introduces another deceptive attack.
Instead of requesting the login password directly, it triggers a legitimate macOS Keychain authorization dialog requesting access to Chrome’s Safe Storage encryption key.
If approved, attackers obtain the encryption material necessary to decrypt locally stored Chromium credentials including:
Saved passwords
Authentication cookies
Autofill entries
Session tokens
This process repeats every 200 milliseconds and may continue for almost 35 days.
Massive Data Collection Capabilities
ClickLock is much more than a password stealer.
It performs extensive reconnaissance and information theft.
Targeted browsers include:
Google Chrome
Mozilla Firefox
Brave
Microsoft Edge
Opera
Vivaldi
Arc Browser
Chromium
The malware extracts:
Saved passwords
Browser cookies
Autofill information
Local storage
Session storage
Browser history
Bookmarks
Every browser profile becomes a valuable intelligence source.
Cryptocurrency Wallet Theft
Digital assets appear to be one of
The malware searches for:
Browser wallet extensions
Desktop wallet files
Encrypted wallet vaults
Cached wallet addresses
Supported ecosystems include:
Ethereum (EVM)
Bitcoin
Solana
TRON
TON
Stacks
Even encrypted wallet databases are stolen for possible offline password cracking.
Additional Sensitive Information Harvested
Beyond browsers and cryptocurrency, ClickLock also steals:
Password manager extension data
Shell history
FileZilla FTP configurations
Recently accessed FTP servers
Public IP address
Operating system details
User environment information
All collected information is compressed into ZIP archives before exfiltration.
Files larger than 40 MB are automatically divided into smaller pieces, ensuring reliable transmission even across unstable internet connections.
Telegram Serves as the
Rather than relying on custom command-and-control infrastructure, ClickLock leverages Telegram Bot API.
This provides several advantages:
Reliable encrypted communication
Easy deployment
Low operational costs
Traffic blending with legitimate Telegram usage
The malware automatically retries uploads whenever network interruptions occur.
Persistent Remote Access with GSocket
The final stage installs a modified version of the open-source remote access utility GSocket.
Unlike the temporary modules that delete themselves after execution, GSocket remains permanently installed.
Persistence is maintained through:
LaunchAgents
Crontab entries
Shell configuration modifications
Attackers receive a reverse shell, allowing continuous remote control over the infected Mac.
This transforms ClickLock from an information stealer into a long-term espionage platform.
Why Detection Is Extremely Difficult
One reason ClickLock is particularly dangerous is its operational stealth.
Several characteristics reduce forensic evidence:
Modules self-delete after execution.
Payloads are hosted on compromised legitimate websites.
VirusTotal initially detected nothing malicious.
Minimal artifacts remain after installation.
This leaves security teams with an extremely narrow opportunity to identify the compromise.
Behavior-Based Detection Opportunities
Although traditional signature detection struggles, behavioral monitoring remains effective.
Indicators include:
Frequent osascript password dialog creation.
Continuous termination of Finder and Dock.
Large-scale browser profile access.
Unexpected Telegram API connections.
LaunchAgent creation.
Crontab modification.
Endpoint Detection and Response (EDR) products capable of behavioral analysis have a significantly better chance of identifying this campaign.
How Users Can Protect Their macOS Systems
The most important defense remains surprisingly simple.
Never paste Terminal commands from websites without fully understanding what they do.
Legitimate websites almost never require users to execute shell commands merely to verify they are human.
If your Mac suddenly becomes unusable while repeatedly requesting your login password:
Hold the power button until the system shuts down.
Restart in Safe Mode.
Remove suspicious LaunchAgents.
Change all passwords immediately.
Rotate cryptocurrency wallet credentials where possible.
Review browser sessions and revoke authentication tokens.
Quick action can significantly reduce post-compromise damage.
Deep Analysis
ClickLock represents an evolution in macOS malware because it abandons vulnerability exploitation in favor of behavioral manipulation. The attackers understand that modern operating systems have become increasingly difficult to exploit directly, so they focus on convincing users to perform privileged actions themselves. This shift dramatically lowers the attackers’ development costs while increasing the attack’s reliability across multiple macOS versions.
Another notable aspect is the
From a
Example Detection and Investigation Commands
Check LaunchAgents:
ls -la ~/Library/LaunchAgents ls -la /Library/LaunchAgents
Search for suspicious plist files:
find ~/Library -name ".plist"
Review cron persistence:
crontab -l
Inspect active network connections:
lsof -i netstat -an
Look for suspicious running processes:
ps aux | grep -i gsocket ps aux | grep -i osascript
Review shell history:
history
cat ~/.zsh_history cat ~/.bash_history
Verify LaunchAgent loading:
launchctl list
Monitor filesystem activity:
fs_usage
Security teams should also correlate telemetry across endpoints, looking for repeated AppleScript password dialogs, browser profile access, and outbound communications to messaging APIs that fall outside normal organizational behavior.
What Undercode Say:
ClickLock demonstrates that the future of malware is increasingly centered on human behavior rather than software vulnerabilities. Instead of investing in expensive zero-day exploits, attackers exploit trust, familiarity, and urgency to convince users to grant access voluntarily.
The fake Cloudflare verification technique is particularly effective because CAPTCHA systems have become a normal part of internet browsing. Users are conditioned to complete verification steps without questioning them, making Terminal-based instructions appear less suspicious than they should.
The
Its modular structure reflects professional malware engineering. Individual components can be updated independently, making future versions more adaptable to changing defensive technologies.
The use of Telegram for exfiltration illustrates a continuing trend in cybercrime where attackers rely on legitimate cloud platforms instead of maintaining dedicated command-and-control servers. This approach blends malicious traffic into everyday network activity.
Targeting cryptocurrency wallets remains a highly profitable objective. By stealing browser extensions, encrypted vaults, and wallet metadata, attackers gain multiple opportunities to compromise digital assets even after the initial infection.
The persistence provided by GSocket extends the threat beyond credential theft. Once installed, attackers can maintain long-term access, conduct additional reconnaissance, deploy secondary payloads, or move laterally within a network.
Traditional antivirus solutions alone are becoming less effective against campaigns like ClickLock. Organizations should emphasize behavioral analytics, endpoint detection, and continuous monitoring rather than relying solely on malware signatures.
Security awareness training also needs to evolve. Employees should be taught that any website requesting Terminal commands is an immediate red flag, regardless of how authentic or professionally designed the page appears.
Finally, ClickLock serves as a reminder that strong operating system security cannot compensate for successful social engineering. Even the most secure platform becomes vulnerable when users are manipulated into granting attackers exactly what they need.
✅ Confirmed: Group-IB identified ClickLock as a macOS information-stealing malware campaign capable of harvesting credentials, browser data, cryptocurrency wallet information, and establishing persistence.
✅ Confirmed: The malware primarily relies on social engineering rather than exploiting macOS vulnerabilities, using fake password dialogs and repeated process termination to pressure victims into revealing their login credentials.
✅ Confirmed: Behavioral indicators such as repeated osascript executions, LaunchAgent creation, abnormal browser profile access, and Telegram communications provide viable opportunities for defenders to detect the malware despite its self-deleting components.
Prediction
(+1) Apple and enterprise EDR vendors will likely strengthen behavioral detection for repeated password dialogs, abnormal AppleScript activity, and malicious LaunchAgent persistence, making future variants easier to identify.
(-1) Cybercriminal groups are expected to adopt similar coercion techniques that manipulate users instead of exploiting software flaws, increasing the prevalence of sophisticated social engineering attacks targeting macOS and other operating systems.
(+1) Organizations that combine behavioral monitoring, user awareness training, and rapid incident response will be significantly better positioned to stop malware families modeled after ClickLock before sensitive data or cryptocurrency assets are stolen.
🕵️📝Let’s dive deep and fact‑check.
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.github.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




