ClickLock: The Silent macOS Malware That Forces Victims to Reveal Their Passwords While Stealing Crypto and Sensitive Data

Listen to this Post

Featured ImageIntroduction: A New Era of Psychological Malware Attacks Against macOS

For years, macOS users have believed that

A newly discovered information-stealing malware called ClickLock demonstrates this reality with alarming precision. Instead of exploiting zero-day vulnerabilities or bypassing Apple’s security architecture through advanced privilege escalation, ClickLock weaponizes psychology. It manipulates victims into willingly surrendering their system password while simultaneously harvesting browser data, cryptocurrency wallets, password managers, authentication tokens, and other highly valuable information.

Security researchers at Group-IB uncovered the malware after discovering its malicious shell script on VirusTotal, where surprisingly it remained undetected by every antivirus engine available at the time of analysis. Their investigation revealed that the campaign has already compromised more than 100 systems across 33 countries, making it one of the more sophisticated social engineering attacks currently targeting macOS users.

Discovery of ClickLock Malware

Group-IB researchers identified ClickLock after a suspicious shell script was uploaded to VirusTotal on June 9. Despite the malware’s extensive capabilities, it initially escaped detection by all available security vendors.

Further investigation showed that the malware had already been active since May, silently infecting systems around the world. Although the confirmed infection count is relatively small compared to Windows malware campaigns, the sophistication of ClickLock makes it particularly dangerous for users handling cryptocurrency assets or sensitive business information.

Unlike traditional malware that relies heavily on software vulnerabilities, ClickLock focuses on abusing user trust.

The Attack Begins with a Fake Human Verification Page

The infection chain most likely starts with a familiar social engineering trick known as ClickFix.

Victims are presented with what appears to be a legitimate Cloudflare human verification page complete with an animated progress bar. Instead of asking users to solve a CAPTCHA, the page instructs them to copy and paste a Terminal command to continue.

This seemingly harmless action launches the malicious shell script.

Immediately after execution:

Keyboard interrupts are disabled.

Terminal cursor visibility is removed.

Background malware modules begin downloading.

Notification Center becomes disabled for approximately six hours.

The user loses many normal system indicators that could reveal the compromise.

Everything is carefully designed to reduce suspicion while the malware prepares its next stage.

A Fake Apple Password Prompt Becomes the Main Weapon

Perhaps the most dangerous feature of ClickLock is its password theft mechanism.

Instead of exploiting kernel vulnerabilities or bypassing

The dialog includes:

The

An authentic-looking Apple logo.

Native macOS styling.

Correct password validation.

If the victim enters their login password, the malware immediately verifies the password locally before transmitting it directly to the attacker using Telegram.

Because the password is actually validated, victims are unlikely to realize anything unusual occurred.

Canceling the Password Prompt

Many users would naturally click Cancel.

ClickLock anticipates this reaction.

Instead of terminating, the malware installs persistence using two LaunchAgent files:

com.authirity.plist

com.chromer.plist

These components automatically reactivate after the next login.

Once restarted, the malware becomes dramatically more aggressive.

Forced Password Submission Through Process Termination

ClickLock repeatedly terminates nearly every visible application every 210 milliseconds.

Its target list includes:

Finder

Dock

Terminal

Activity Monitor

Spotlight

Console

System Settings

Most web browsers

The victim eventually finds themselves unable to interact with the desktop.

Only one window remains visible:

The fake macOS password dialog.

This attack loop can continue for approximately 83 hours, effectively locking the victim into an endless cycle until the correct password is entered.

Rather than breaking

Stealing Chrome Encryption Keys

A second LaunchAgent introduces another deceptive attack.

Instead of requesting the login password directly, it triggers a legitimate macOS Keychain authorization dialog requesting access to Chrome’s Safe Storage encryption key.

If approved, attackers obtain the encryption material necessary to decrypt locally stored Chromium credentials including:

Saved passwords

Authentication cookies

Autofill entries

Session tokens

This process repeats every 200 milliseconds and may continue for almost 35 days.

Massive Data Collection Capabilities

ClickLock is much more than a password stealer.

It performs extensive reconnaissance and information theft.

Targeted browsers include:

Google Chrome

Mozilla Firefox

Brave

Microsoft Edge

Opera

Vivaldi

Arc Browser

Chromium

The malware extracts:

Saved passwords

Browser cookies

Autofill information

Local storage

Session storage

Browser history

Bookmarks

Every browser profile becomes a valuable intelligence source.

Cryptocurrency Wallet Theft

Digital assets appear to be one of

The malware searches for:

Browser wallet extensions

Desktop wallet files

Encrypted wallet vaults

Cached wallet addresses

Supported ecosystems include:

Ethereum (EVM)

Bitcoin

Solana

TRON

TON

Stacks

Even encrypted wallet databases are stolen for possible offline password cracking.

Additional Sensitive Information Harvested

Beyond browsers and cryptocurrency, ClickLock also steals:

Password manager extension data

Shell history

FileZilla FTP configurations

Recently accessed FTP servers

Public IP address

Operating system details

User environment information

All collected information is compressed into ZIP archives before exfiltration.

Files larger than 40 MB are automatically divided into smaller pieces, ensuring reliable transmission even across unstable internet connections.

Telegram Serves as the

Rather than relying on custom command-and-control infrastructure, ClickLock leverages Telegram Bot API.

This provides several advantages:

Reliable encrypted communication

Easy deployment

Low operational costs

Traffic blending with legitimate Telegram usage

The malware automatically retries uploads whenever network interruptions occur.

Persistent Remote Access with GSocket

The final stage installs a modified version of the open-source remote access utility GSocket.

Unlike the temporary modules that delete themselves after execution, GSocket remains permanently installed.

Persistence is maintained through:

LaunchAgents

Crontab entries

Shell configuration modifications

Attackers receive a reverse shell, allowing continuous remote control over the infected Mac.

This transforms ClickLock from an information stealer into a long-term espionage platform.

Why Detection Is Extremely Difficult

One reason ClickLock is particularly dangerous is its operational stealth.

Several characteristics reduce forensic evidence:

Modules self-delete after execution.

Payloads are hosted on compromised legitimate websites.

VirusTotal initially detected nothing malicious.

Minimal artifacts remain after installation.

This leaves security teams with an extremely narrow opportunity to identify the compromise.

Behavior-Based Detection Opportunities

Although traditional signature detection struggles, behavioral monitoring remains effective.

Indicators include:

Frequent osascript password dialog creation.

Continuous termination of Finder and Dock.

Large-scale browser profile access.

Unexpected Telegram API connections.

LaunchAgent creation.

Crontab modification.

Endpoint Detection and Response (EDR) products capable of behavioral analysis have a significantly better chance of identifying this campaign.

How Users Can Protect Their macOS Systems

The most important defense remains surprisingly simple.

Never paste Terminal commands from websites without fully understanding what they do.

Legitimate websites almost never require users to execute shell commands merely to verify they are human.

If your Mac suddenly becomes unusable while repeatedly requesting your login password:

Hold the power button until the system shuts down.

Restart in Safe Mode.

Remove suspicious LaunchAgents.

Change all passwords immediately.

Rotate cryptocurrency wallet credentials where possible.

Review browser sessions and revoke authentication tokens.

Quick action can significantly reduce post-compromise damage.

Deep Analysis

ClickLock represents an evolution in macOS malware because it abandons vulnerability exploitation in favor of behavioral manipulation. The attackers understand that modern operating systems have become increasingly difficult to exploit directly, so they focus on convincing users to perform privileged actions themselves. This shift dramatically lowers the attackers’ development costs while increasing the attack’s reliability across multiple macOS versions.

Another notable aspect is the

From a

Example Detection and Investigation Commands

Check LaunchAgents:

ls -la ~/Library/LaunchAgents
ls -la /Library/LaunchAgents

Search for suspicious plist files:

find ~/Library -name ".plist"

Review cron persistence:

crontab -l

Inspect active network connections:

lsof -i
netstat -an

Look for suspicious running processes:

ps aux | grep -i gsocket
ps aux | grep -i osascript

Review shell history:

history

cat ~/.zsh_history
cat ~/.bash_history

Verify LaunchAgent loading:

launchctl list

Monitor filesystem activity:

fs_usage

Security teams should also correlate telemetry across endpoints, looking for repeated AppleScript password dialogs, browser profile access, and outbound communications to messaging APIs that fall outside normal organizational behavior.

What Undercode Say:

ClickLock demonstrates that the future of malware is increasingly centered on human behavior rather than software vulnerabilities. Instead of investing in expensive zero-day exploits, attackers exploit trust, familiarity, and urgency to convince users to grant access voluntarily.

The fake Cloudflare verification technique is particularly effective because CAPTCHA systems have become a normal part of internet browsing. Users are conditioned to complete verification steps without questioning them, making Terminal-based instructions appear less suspicious than they should.

The

Its modular structure reflects professional malware engineering. Individual components can be updated independently, making future versions more adaptable to changing defensive technologies.

The use of Telegram for exfiltration illustrates a continuing trend in cybercrime where attackers rely on legitimate cloud platforms instead of maintaining dedicated command-and-control servers. This approach blends malicious traffic into everyday network activity.

Targeting cryptocurrency wallets remains a highly profitable objective. By stealing browser extensions, encrypted vaults, and wallet metadata, attackers gain multiple opportunities to compromise digital assets even after the initial infection.

The persistence provided by GSocket extends the threat beyond credential theft. Once installed, attackers can maintain long-term access, conduct additional reconnaissance, deploy secondary payloads, or move laterally within a network.

Traditional antivirus solutions alone are becoming less effective against campaigns like ClickLock. Organizations should emphasize behavioral analytics, endpoint detection, and continuous monitoring rather than relying solely on malware signatures.

Security awareness training also needs to evolve. Employees should be taught that any website requesting Terminal commands is an immediate red flag, regardless of how authentic or professionally designed the page appears.

Finally, ClickLock serves as a reminder that strong operating system security cannot compensate for successful social engineering. Even the most secure platform becomes vulnerable when users are manipulated into granting attackers exactly what they need.

✅ Confirmed: Group-IB identified ClickLock as a macOS information-stealing malware campaign capable of harvesting credentials, browser data, cryptocurrency wallet information, and establishing persistence.

✅ Confirmed: The malware primarily relies on social engineering rather than exploiting macOS vulnerabilities, using fake password dialogs and repeated process termination to pressure victims into revealing their login credentials.

✅ Confirmed: Behavioral indicators such as repeated osascript executions, LaunchAgent creation, abnormal browser profile access, and Telegram communications provide viable opportunities for defenders to detect the malware despite its self-deleting components.

Prediction

(+1) Apple and enterprise EDR vendors will likely strengthen behavioral detection for repeated password dialogs, abnormal AppleScript activity, and malicious LaunchAgent persistence, making future variants easier to identify.

(-1) Cybercriminal groups are expected to adopt similar coercion techniques that manipulate users instead of exploiting software flaws, increasing the prevalence of sophisticated social engineering attacks targeting macOS and other operating systems.

(+1) Organizations that combine behavioral monitoring, user awareness training, and rapid incident response will be significantly better positioned to stop malware families modeled after ClickLock before sensitive data or cryptocurrency assets are stolen.

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.github.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube