New macOS Malware Exploits Social Engineering Tactics to Compromise Users
A new variant of macOS malware has come to attention, known as the ClickLock Stealer. This malware employs a particularly insidious strategy that combines a paste-a-command social engineering technique derived from the ClickFix phishing scheme with a coercion routine that effectively locks victims out of their machines until they comply with password demands.
Recent research conducted by Group-IB, released on June 16, highlights that the ClickLock Stealer has impacted more than 100 victims across 33 countries within a span of approximately two months, with a significant number of these cases occurring in Europe. Notably, the first sample of this malware was uploaded to VirusTotal on June 9 and alarmingly registered zero detections at that time.
Modular Attack Chain
The execution of this malware begins when a user mistakenly pastes a command into the Terminal, which they unintentionally obtained from a ClickFix page. Upon execution, an orchestrator script goes into action, obscuring the cursor and presenting a deceptive Cloudflare progress animation while simultaneously downloading four separate components from two compromised WordPress sites.
Two of these tools are specifically designed for credential theft. A Keychain stealer queries macOS for the Chrome Safe Storage key, which is essentially an AES key used to decrypt cookies and passwords stored in Chrome. Another credential module provides a fake password dialog via AppleScript, validating any passwords entered against the local directory service. Only correct entries are communicated to the malicious operator.
In addition to targeting standard credentials, a third module is tasked with searching for cryptocurrency assets, scanning over 30 wallet extensions, including popular options like MetaMask and Phantom, and extracting encrypted vault fields stored within LevelDB.
The fourth component consists of GSocket, an open-source reverse-shell tool. Strikingly, approximately 80% of its original code has been retained. This component is cleverly disguised as an iCloud process on macOS, creating an added layer of deception.
Forcing Victims to Comply
In scenarios where the victim enters their password promptly, the operator receives this sensitive information along with a system fingerprint. However, if the victim chooses to cancel the prompt, the orchestrator will take more aggressive measures. It installs two LaunchAgents so that both credential theft modules will launch again during the next user login.
Compounding the distressing situation is a programmed "kill loop" that relentlessly targets essential macOS services. It disables Finder, Dock, browsers, Terminal, and Activity Monitor in a tight cycle that can persist for as long as 83 hours. Simultaneously, the Keychain module employs the same mechanism to pressure users into approving the legitimate macOS Keychain dialog, thereby facilitating unauthorized access to sensitive information.
A parallel loop is also active, targeting NotificationCenter for about six hours to suppress any Gatekeeper warnings that may otherwise alert the user to the ongoing attack. Notably, the exfiltration of stolen information occurs entirely over Telegram, employing three separate bots. Worryingly, there is no centralized command-and-control (C2) system overseeing operations, suggesting a decentralized mode of operation that is hard to trace.
Modules associated with this malware craft false timestamps and erase themselves post-exfiltration, leaving behind only the GSocket backdoor, which continues to provide unauthorized access.
Broader Implications for macOS Security
These findings indicate a concerning trend in the evolving landscape of macOS malware, particularly the emergence of the Atomic macOS Stealer (AMOS) family, which recently integrated an embedded backdoor in July 2025. Furthermore, Jamf Threat Labs recently documented another variant, known as CrashStealer, which utilized a signed dropper to bypass Gatekeeper security protocols.
In light of these alarming developments, Group-IB urges users to exercise extreme caution regarding any website that instructs them to paste a command into Terminal, as this is a strong indicator of an attempted attack. In cases where the desktop exhibits aggressive behavior—such as unexpectedly closing applications—users are advised to force-shutdown their computers and start in Safe Mode instead of submitting their passwords. This precaution can help safeguard sensitive information and mitigate potential damage from such threats.

