• 2 min read
Mac Stealer Tricks Users Into Pasting Terminal Commands
Group-IB says the newly documented ClickLock Stealer targets macOS users with fake verification pages and data theft across browsers and crypto wallets.

Image: The Register
A newly documented macOS infostealer is spreading without exploiting any software bugs. Instead, according to Group-IB, it tricks users into copying a command from a fake verification page and pasting it into Terminal, then steals passwords, crypto wallets, browser data, and more.
The researchers call it ClickLock Stealer, a reference to the ClickFix social-engineering tactic it uses and a coercive locker feature that pressures victims into entering their Mac login password. Group-IB said the operation has been active since around May and has already hit at least 100 victims across 33 countries, with more than half in Europe.
The security firm said it found the malware after analyzing a malicious shell script uploaded to VirusTotal on June 9, when it had zero antivirus detections. The campaign appears to use fake verification pages, compromised WordPress sites to host payloads, and Telegram for command-and-control.
“The current malware doesn’t even need any elevated privileges or rely on exploits for the successful execution.”
Once the victim runs the pasted command, the malware shows what looks like a Cloudflare verification flow with a fake progress animation while downloading extra components in the background. Group-IB said ClickLock can collect data from:
- 8 browsers
- 31 cryptocurrency wallet browser extensions
- 7 password manager extensions
- 8 desktop wallet applications
- macOS Keychain
- shell history, FTP credentials, and blockchain addresses across 6 chains
It also deploys a modified version of the open source GSocket tool for remote access.

Recommended reading
One in six PCs still run Windows 10
The most aggressive behavior appears when a victim refuses to enter their macOS password. During the fake verification process, the malware prompts for that password; if the user refuses, it repeatedly kills visible applications, making the machine hard to use until they comply. If the Mac is rebooted, persistence mechanisms are designed to resume the attack.
“The entire attack chain from initial access to full credential theft and data exfiltration relies on a single moment of trust: the user pasting a command into Terminal.”
Group-IB said defenders should watch for behavior rather than signatures, including unexpected password prompts, apps being repeatedly forced closed, unusual access to browser and credential stores, and outbound connections sending stolen data to Telegram. For users, the guidance is simpler: if a page claiming to be Cloudflare, Google, or anyone else tells you to open Terminal and paste a command, close the tab.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via The Register


