2 min read

ClickLock hammers Macs until users hand over passwords

Group-IB says the macOS-focused ClickLock campaign has hit 33 countries since May 2026, using relentless fake password prompts to steal credentials and data.

Image: TechRadar

A newly identified macOS-focused infostealer is taking an unusually blunt approach: make the Mac so hard to use that victims eventually type in their password. Researchers at Group-IB say the threat, called ClickLock, has been active since at least May 2026 and has been seen in 33 countries, with more than half of the detections in Europe.

According to Group-IB, ClickLock does not rely on exploits or elevated privileges. Instead, it leans on aggressive social engineering. The malware repeatedly displays a login prompt while killing core macOS apps including Finder, Dock, and Terminal every 210 milliseconds, effectively making the machine unusable until the victim gives in. The loop can continue for more than three straight days.

Once credentials are entered, ClickLock begins collecting and exporting data. Group-IB says that includes:

  • browser data from Chrome, Firefox, Brave, and others
  • saved logins, cookies, and autofill information
  • cryptocurrency wallet and extension data
  • encrypted wallet vault material that can be cracked off-site
  • password manager data
  • cached crypto addresses across EVM, Bitcoin, Solana, TRON, TON, and Stacks
  • shell histories
  • FileZilla FTP configuration and recent-server data
  • basic device information

The stolen data is packed into a .ZIP archive and sent out through the Telegram Bot API.

Recommended reading

FBI says Steam malware games stole $220,000 in crypto

Group-IB says a researcher uploaded a sample to VirusTotal in early June, but the variant went undetected by security vendors until recently. The company believes the malware is most likely being spread through ClickFix social-engineering campaigns, and it has not been linked to a specific threat actor.

Best antivirus software header
Best antivirus software header
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via TechRadar

// Keep reading