
RESEARCHERS have identified a new macOS stealer dubbed ClickLock that tricks users into handing over their passwords through social engineering. The malware was first observed on 16 July 2026 and has already compromised over one hundred individuals worldwide.
The malware arrives via compromised websites that lure victims into pasting a seemingly innocuous command which then activates a modular payload capable of pulling saved credentials from Chrome’s Keychain and extracting data from cryptocurrency wallets. In addition, it can harvest session cookies and other browser data to broaden the scope of information stolen.
Once executed, ClickLock initiates a kill loop that repeatedly disables core system functions until the user enters the correct password, after which it exfiltrates the harvested data through Telegram. The payload also includes a disguised reverse shell component that allows attackers to maintain covert access to the infected machine.
Group-IB reports that ClickLock has affected victims in at least thirty three countries, with a noticeable concentration in Europe. The group notes that distribution may rely on SEO poisoning or hijacked web pages that present the malicious command as a legitimate troubleshooting step.
Users should avoid executing any command pasted from an untrusted site, even if it appears to be a harmless instruction. Keeping the operating system and all applications up to date reduces the chance of exploitation through known vulnerabilities. Monitoring for unusual processes that attempt to terminate security services can help detect an infection early.
If a system shows signs of the kill loop, the safest response is to shut down the machine immediately, isolate it from the network, and seek assistance from an incident response team before attempting to restart. Taking these steps limits the attackers’ ability to exfiltrate further data and prevents lateral movement within the environment.