Particle.news

ClickLock Stealer Forces macOS Users to Hand Over Passwords With Kill Loops

Group‑IB warns the modular campaign narrows detection by hosting payloads on legitimate sites with self‑deleting modules, increasing the risk of further targeting.

Overview

  • Researchers traced ClickLock to an orchestrator first seen in early June and say it has hit at least 100 victims across 33 countries since May.
  • The attack begins with a ClickFix‑style lure that tricks users into pasting a command into Terminal which downloads an orchestrator script and four payload modules.
  • If a user cancels a fake password prompt the malware installs LaunchAgents that run sub‑second process‑killing loops (about every 210 ms) for up to 83 hours until the real login password is entered.
  • Harvested data — including Keychain items, Chrome’s Safe Storage key, browser credentials, cookies, password‑manager and crypto wallet artifacts — is archived and exfiltrated to Telegram bots while a modified GSocket backdoor persists for remote access.
  • Group‑IB and other researchers advise never pasting untrusted Terminal commands, force‑shutting down if apps are repeatedly killed, booting to Safe Mode to recover, and treating all saved credentials and wallet keys as compromised while hunting for LaunchAgents, rapid pkill activity, osascript password prompts, and Telegram API calls.