2 min read

ClickLock Stealer traps macOS users with password prompts

ClickLock targets macOS users with relentless password prompts, then steals browser data, crypto wallets, password-manager entries, and device details.

Image: TechRadar

A new macOS infostealer can compromise victims without exploits or elevated access. Group-IB says ClickLock instead relies on aggressive social engineering: it repeatedly displays password prompts while making the affected Mac nearly unusable.

Every 210 milliseconds, the malware terminates key applications including Finder, Dock, and Terminal. The password dialog continues appearing, leaving victims with little practical access to their devices unless they enter their credentials. The cycle can run for more than three straight days, or until the victim complies.

What ClickLock steals

Once it obtains the password, ClickLock collects and packages sensitive data, including:

Recommended reading

Old-school text tricks fool AI spam filters

  • Browser logins, cookies, autofill data, and other information from Chrome, Firefox, Brave, and other browsers
  • Cryptocurrency wallet data, extensions, encrypted vault material, and cached addresses linked to EVM, Bitcoin, Solana, TRON, TON, and Stacks
  • Password-manager data, shell histories, FileZilla FTP configurations, recent-server data, and basic device information

The stolen information is compressed into a .ZIP archive and sent through the Telegram Bot API.

ClickLock campaign activity

Group-IB says the campaign has been active since at least May 2026 and has been observed in 33 countries, with more than half in Europe. A variant submitted to VirusTotal in early June reportedly remained undetected by all security vendors until recently.

Researchers believe ClickLock is likely distributed through ClickFix social-engineering campaigns, although it has not been linked to a specific threat actor.

Best antivirus software header
Best antivirus software header
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via TechRadar

/ Keep reading