Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
17 distinct techniques documented for this family, organized by ATT&CK tactic.
ClickLock leverages AppleScript and native macOS utilities to carry out its operations, allowing it to blend into legitimate system activity and evade basic signature-based detection mechanisms.
This forced disruption is immediately followed by the display of a deceptive system prompt that perfectly mimics legitimate macOS authentication dialogs... The entered credentials are then captured and transmitted directly to the attacker-controlled command-and-control infrastructure.
Saved logins, cookies, autofill data, bookmarks, local storage, and session storage
requesting Keychain authorization via a legitimate system prompt, seeking approval to access Chrome’s Safe Storage key. That key could then be used to decrypt offline Chromium-stored passwords, cookies, and autofill information from stolen databases.
ClickLock also deploys a data-harvesting module, which targets the following: Data from eight browsers... Cryptocurrency wallet extensions and desktop wallet files... Shell histories... FileZilla FTP configuration
This forced disruption is immediately followed by the display of a deceptive system prompt that perfectly mimics legitimate macOS authentication dialogs... The entered credentials are then captured and transmitted directly to the attacker-controlled command-and-control infrastructure.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A macOS stealer that forcibly terminates running applications to destabilize the system, displays spoofed macOS authentication prompts to trick users into entering their password, captures those credentials, and transmits them to attacker-controlled infrastructure. It also collects device and environment metadata and uses AppleScript and native macOS utilities to blend into normal activity.
macOS malware that uses ClickFix-style social engineering and forced interaction loops to coerce victims into entering their system password, steals credentials, browser data, password-manager data, cryptocurrency wallet material, shell histories, and other system information, exfiltrates data via Telegram, and can install persistence plus a remote-access backdoor.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.