ClickLock Stealer is a macOS infostealer that relies on ClickFix-style social engineering rather than software exploits. Victims are lured to fake verification pages, often themed as Cloudflare checks, and tricked into pasting a malicious command into Terminal. After execution, the malware presents a bogus verification sequence while downloading additional modules and initiating credential theft workflows.
The malware is modular and focused on harvesting high-value user data from macOS systems. Reported targets include the macOS login password, browser credentials and cookies, the Chrome Safe Storage key, macOS Keychain contents, password manager extension data, cryptocurrency wallet extension data, desktop wallet data, shell history, and FTP credentials. Access to the Chrome Safe Storage key enables offline decryption of stored Chromium-based browser secrets. Stolen information is packaged and exfiltrated through Telegram bot infrastructure.
A distinctive feature of ClickLock Stealer is its coercive locker behavior. If the victim refuses password or Keychain prompts, the malware repeatedly kills visible applications and suppresses security notifications, effectively disrupting normal system use until the user complies. It validates the entered macOS password locally before exfiltrating it. The malware also establishes persistence through LaunchAgents so the coercion and theft workflow can resume after reboot or login.
In addition to theft functions, ClickLock Stealer deploys a modified GSocket-based backdoor that provides persistent remote access to the operator. The malware uses hidden storage locations, self-deletion of theft components, timestamp forgery, and cleanup actions to hinder forensic analysis, while leaving the backdoor in place.
Observed activity indicates an active campaign since at least May 2026, with victims across dozens of countries and a concentration in Europe. Payload hosting has been linked to compromised websites, including compromised WordPress infrastructure. ClickLock Stealer is assessed to be under active development and is notable for combining ClickFix delivery, credential theft, crypto-focused collection, persistence, and forced-interaction process killing on macOS.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
We have decided to name this malware ClickLock Stealer due to both ClickFix and “locker” techniques implemented in the attack, this way forming that distinctive chain.
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Instead, it persuades users to pwn themselves by pasting a command into Terminal... After they paste the supplied command into Terminal, the malware displays what appears to be a Cloudflare verification sequence.
The actual download commands are embedded within hundreds of lines of random alphanumeric text designed to resemble certificate data
The discovered ClickLock Stealer script opens with a fake “CLOUDFLARE CAPTCHA ACCESS CONTROL” banner
On macOS, the binary is disguised as iCloud within ~/Library/Application Support/iCloudsync, with the process masquerading as SystemUIServerl.
The file named finderv2.jpg / finder.sh ... downloaded from .../finderv2.jpg is a comprehensive infostealer
After all modules complete their objectives, they forge timestamps, remove their persistence mechanisms, and delete themselves
Timestamp forgery is applied to output files by copying the modification time from $HOME/Movies
After exfiltration, the module unloads and deletes its LaunchAgent
The soft ask is an osascript dialog... whatever gets typed is checked against dscl /Local/Default -authonly first
The orchestrator first attempts a soft approach displaying a fake macOS password dialog built with osascript.
Group-IB says ClickLock targets data from eight browsers, 31 cryptocurrency wallet browser extensions, seven password manager extensions, eight desktop wallet applications, macOS Keychain, shell history, FTP credentials...
ClickLock targets data from eight browsers, 31 cryptocurrency wallet browser extensions, seven password manager extensions, eight desktop wallet applications, macOS Keychain, shell history, FTP credentials, and blockchain addresses
Telegram serves as a lightweight C2 channel requiring no attacker-controlled infrastructure
15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A macOS information-stealing malware that uses ClickFix-style social engineering to trick users into executing a bash command, then deploys components for credential theft, cryptocurrency theft, Keychain theft, and backdoor installation. It steals browser data, crypto wallets and extensions, password manager extensions, blockchain addresses, FTP credentials, shell history, and exfiltrates the data to a Telegram bot while suppressing warnings and forcing password prompts through aggressive process killing.
A macOS infostealer delivered via pasted Terminal commands in a ClickFix-style flow. It uses fake password prompts, LaunchAgent persistence, repeated app-killing loops to coerce password entry, steals Keychain data, browser credentials and cookies, crypto wallet data, password manager vaults, shell history, and FileZilla credentials, and can leave behind a reverse-shell backdoor.
A newly documented modular macOS stealer likely distributed via ClickFix pages. It steals macOS login credentials, Chrome Safe Storage keys, browser data, password manager data, crypto wallet data, shell history, and FTP credentials, exfiltrates data via Telegram, and deploys a persistent GSocket-based backdoor while coercing users through application-killing locker behavior.
A previously undocumented macOS information stealer delivered via ClickFix-style social engineering. It tricks users into pasting a command into Terminal, then steals passwords, crypto wallets, browser data, macOS Keychain contents, shell history, FTP credentials, and blockchain addresses. It also uses a locker-like coercion feature that repeatedly kills visible applications until the victim enters their macOS password, and can persist across reboot.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.