ClickLock macOS stealer kills apps every 210ms until victims give up password

A new infostealer called ClickLock holds macOS desktops hostage by repeatedly killing applications until the user types their login password.

CSBadmin
1 Min Read

A new macOS infostealer called ClickLock Stealer takes an unusually aggressive approach to credential theft: it kills the victim applications on a 210-millisecond loop until they hand over their login password.

Discovered by Group-IB researchers, ClickLock arrives as a command pasted into Terminal via ClickFix social engineering. It presents a fake system dialog asking for the password. When the victim cancels, the malware silently installs two LaunchAgents and exits, waiting for the next login to spring its trap.

Upon reboot, Finder, the Dock, Spotlight, Terminal, Activity Monitor, and major browsers begin crashing every 210 milliseconds for up to 83 hours. The only thing left on screen is a password prompt. Type the correct password, and the malware exfiltrates the Keychain, browser credentials, and cryptocurrency wallets.

Group-IB telemetry shows at least 100 victims across 33 countries since May, with over half in Europe. The orchestrator script had zero detections on VirusTotal when researchers analyzed it.

The backdoor component is largely a copy of the open-source GSocket tunneling toolkit. Group-IB recommends anyone affected to revoke active browser sessions and treat every saved password and wallet key as compromised.

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.