Security researchers at Group-IB published the first technical analysis of ClickLock — a macOS information stealer that renders an infected Mac unusable by terminating any foreground application every 210 milliseconds until the victim types their system password into a fake authentication dialog. The malware, delivered through ClickFix-style social engineering, has struck at least 100 confirmed victims across 33 countries, with more than half of those targets in Europe.
ClickFix Delivery Chain and the Initial Compromise of macOS Systems
ClickLock reaches victims through a multi-step social engineering sequence that operates entirely outside macOS security prompts until its final stage. Victims encounter fraudulent pages through SEO poisoning, social media promotion, or compromised websites. These pages display fake Cloudflare verification prompts that mimic a legitimate browser security check and instruct the visitor to copy and paste a bash command into macOS Terminal. Executing the pasted command runs ClickLock’s initial stager, placing the malware on the system before any Gatekeeper warning appears. The Terminal paste vector bypasses normal macOS application review because it presents the malicious action as the user’s own keyboard input rather than as an unsigned downloaded file.
How the 210ms Kill Loop Forces the Victim to Hand Over Their Password
Once active, ClickLock’s coercion mechanism terminates any application running in the foreground every 210 milliseconds — a rate fast enough to prevent any app from loading before ClickLock kills it. Every attempt by the victim to open a browser, file manager, or system utility fails instantly. A fake macOS authentication dialog persists on screen, demanding the user’s login password and framing the request as a required security or system authentication step. Because ClickLock eliminates every alternative the victim might try, entering the password into the fraudulent dialog becomes the only apparent path to restoring system function.
Alongside the application kill loop, ClickLock runs a second background process that continuously terminates macOS NotificationCenter for approximately six hours after infection. This component suppresses the Gatekeeper warnings and system notifications that macOS would otherwise display to alert the user to suspicious activity. The six-hour suppression window covers the most critical period of the attack, during which ClickLock collects and exfiltrates credentials while the victim receives no system-generated indication that anything abnormal is occurring.
Keychain, Browser Credentials, and Crypto Wallets Sent to Three Telegram Bots
After the victim’s password is collected, ClickLock harvests a broad set of credential and key stores. The malware targets macOS Keychain — which holds passwords, certificates, and encryption keys — along with browser credentials and cookies from Chromium-based browsers and Firefox. It also extracts password manager data, cryptocurrency wallet browser extensions, blockchain address information across six chains, FTP credentials, and shell history. Stolen material is packaged into an archive and dispatched through three separate Telegram bots, distributing the data across multiple Telegram destinations for what the researchers assessed as likely redundancy or operational compartmentalization.
GSocket Backdoor and Dual LaunchAgents Ensure Persistent Remote Access
ClickLock’s post-theft persistence begins with two LaunchAgents installed during infection: one registered as com.authirity.plist and another as com.chromer.plist. Both agents survive a system restart, ensuring the app-kill coercion loop and credential harvesting components remain active across subsequent sessions. Beyond persistence of the initial stager, ClickLock installs a backdoor component named “goyim” that Group-IB assessed as derived from the GSocket open-source tunneling toolkit. This backdoor provides the attacker an ongoing remote access channel into the compromised Mac after the initial data theft phase concludes — a capability that extends the compromise from a one-time credential theft into an open foothold.
Campaign Scope: 100-Plus Victims, 33 Countries, Zero Initial Detection
Group-IB confirmed more than 100 victims across 33 countries at the time of publication, with over half of confirmed targets located in Europe. The first submission of ClickLock samples to VirusTotal on June 9, 2026 produced zero detections across all security engines on the platform at that time. No specific threat actor has been attributed to ClickLock’s development or operation in Group-IB’s published analysis.
The ClickFix delivery method that ClickLock depends on has appeared in a growing number of macOS and Windows malware campaigns throughout 2026. Its continued effectiveness reflects a straightforward dynamic: a user who accepts that pasting a command into Terminal is a normal step in fixing a browser problem is already outside the protection that Gatekeeper and application signing provide. ClickLock’s novelty is its coercion mechanism — a system-freezing loop that makes the fake password dialog appear to be the only solution to an immediate, user-visible crisis rather than a suspicious pop-up the user can dismiss.