A new macOS stealer has been observed pairing the paste-a-command social engineering of a ClickFix lure with a coercion routine that rendered the machine unusable until the victim surrendered their password.
According to new research from Group-IB published on June 16, the malware, dubbed ClickLock Stealer, has hit at least 100 victims across 33 countries in about two months, with more than half in Europe.
The initial sample was uploaded to VirusTotal on June 9 with zero detections.
Read more on macOS ClickFix: Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings
Modular Attack Chain
Execution started when the victim pasted a command into Terminal from what Group-IB assessed was a ClickFix page. An orchestrator script hid the cursor and played a fake Cloudflare progress animation while downloading four components from two compromised WordPress sites.
Two tools handled credential theft. A Keychain stealer queried macOS for the Chrome Safe Storage key, the AES key that decrypts Chrome-stored cookies and passwords offline. A credential module presented a fake password dialog in AppleScript, validating any entered password against the local directory service so only correct ones reached the operator.
A third module hunted for cryptocurrency assets, iterating on more than 30 wallet extensions, including MetaMask and Phantom and extracting encrypted vault fields from LevelDB storage.
The fourth installed GSocket, an open-source reverse-shell tool reused with roughly 80% of its original code, disguised on macOS as an iCloud process.
Forcing the Victim to Comply
If the victim entered the password on first prompt, the operator received it with a system fingerprint. If they canceled, the orchestrator installed two LaunchAgents so both credential modules would be relaunched on the next login.
A kill loop then terminated Finder, Dock, browsers, Terminal and Activity Monitor in a tight cycle running for up to 83 hours, while the Keychain module applied the same pattern to force approval of the real macOS Keychain dialog.
A parallel loop killed NotificationCenter for around six hours to suppress Gatekeeper warnings. Exfiltration ran entirely over Telegram, with three bots and no dedicated command-and-control (C2). Modules forged timestamps and deleted themselves, leaving only the GSocket backdoor.
The findings sit alongside a broader shift in the macOS stealer ecosystem. The Atomic macOS Stealer (AMOS) family gained an embedded backdoor in July 2025, and Jamf Threat Labs documented CrashStealer using a signed dropper to clear Gatekeeper earlier this week.
Group-IB urged users to treat any website instructing them to paste a command into Terminal as an attack attempt, and to force-shutdown and boot into Safe Mode rather than enter a password if the desktop suddenly starts killing applications.

