Researchers at Group-IB have detailed a new macOS information-stealing malware family called ClickLock that uses forced interaction loops rather than exploits to compromise systems. The malware was found on VirusTotal after first being submitted on June 9, and at the time of analysis it was undetected by every security vendor on the platform. Group-IB says the script has infected at least 100 systems across 33 countries since May.
Infection likely begins through a ClickFix-style lure, where victims paste a malicious command into Terminal. This triggers a fake Cloudflare human verification screen with an animated progress bar while keyboard interrupts are disabled, the cursor is hidden, and stealer modules download silently in the background. The malware also suppresses macOS NotificationCenter for roughly six hours to avoid tipping off the user.
Coercing the password out of victims
ClickLock displays a fake macOS password dialog using the victim’s real username and a spoofed Apple icon. If the password is entered, it is validated and sent to the attacker via Telegram. If the victim cancels, the malware installs persistence through two LaunchAgents (com.authirity.plist and com.chromer.plist) that reactivate at the next login.
From there, a termination loop runs every 210 milliseconds, killing key system apps and browsers such as Finder, Dock, Terminal, Activity Monitor, Console, System Settings, and Spotlight, leaving only the password dialog visible. This loop can persist for up to 300,000 seconds (about 83 hours) until the correct password is entered. A second LaunchAgent runs a parallel mechanism that requests Keychain access to Chrome’s Safe Storage key, which can be used to decrypt stored Chromium passwords and cookies, repeating every 200 milliseconds for nearly 35 days.
Broad data theft and a persistent backdoor
A separate harvesting module targets data from eight browsers (Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Chromium), including logins, cookies, autofill data, and session storage, along with cryptocurrency wallet extensions, encrypted wallet vaults, password manager data, cached addresses across multiple blockchains, shell histories, and FileZilla FTP configurations. Stolen data is zipped and exfiltrated via the Telegram Bot API, with large files split and retry logic for network failures.
The final component is a modified version of the open-source GSocket tool, which installs a persistent backdoor via LaunchAgent, crontab entries, and shell configuration changes, giving attackers a reverse shell. Unlike other modules, which self-delete after execution, GSocket remains on the system.
Detection and defense
Group-IB notes that payloads are hosted on compromised legitimate domains and the script evades VirusTotal detection, but defenders can look for osascript-triggered password dialogs, repeated process termination, mass access to browser profile directories, and outbound Telegram API traffic. Users are urged never to paste Terminal commands from websites, and if the system becomes unresponsive while demanding a password, to force a shutdown and boot into Safe Mode to recover.
