This new Mac malware prevents you from using your computer until you provide your password.
A recently identified strain of macOS malware is elevating social engineering tactics to a troubling degree. Rather than targeting a software flaw or discreetly stealing data, it simply restricts access to your Mac until you enter your login password.
Named ClickLock, this malware persistently shuts down critical macOS processes, disables notifications, presents authentic-looking Apple password prompts, and effectively entraps users in a cycle that only finishes when the right password is inputted. Upon doing so, it not only captures the password but also seeks to obtain browser data, cryptocurrency wallets, saved credentials, password managers, and more.
According to a report from BleepingComputer, researchers at Group-IB have noted that the malware has infected at least 100 systems in 33 countries since May. Alarmingly, when it was first submitted to VirusTotal in June, none of the security tools on the platform flagged it as malicious.
ClickLock doesn’t compromise your Mac—it compromises you.
In contrast to many contemporary malware campaigns that use zero-day vulnerabilities or privilege escalation tactics, ClickLock operates through psychological manipulation. The infection is thought to start with a ClickFix-style attack, where users are deceived into copying and pasting a command into Terminal under the pretext of completing a Cloudflare “human verification” task. While a phony verification progress bar distracts the victim, the malware discreetly downloads its payload.
Simultaneously, it disables keyboard interrupts, conceals the Terminal cursor, and suppresses macOS Notification Center alerts for nearly six hours, making it significantly more challenging for victims to notice any unusual activity.
The malware’s most alarming feature follows. It presents what seems to be a legitimate macOS password dialog, complete with the user’s actual account name and Apple branding. If the victim inputs the correct system password, ClickLock immediately verifies it and transmits the credentials to the attackers via Telegram.
If the user declines, the malware persists. Instead of relenting, it installs persistence mechanisms that activate after the next login. Once triggered, ClickLock starts terminating essential macOS processes every 210 milliseconds, affecting Finder, Dock, Terminal, Activity Monitor, Console, System Settings, Spotlight, and even well-known web browsers.
The outcome is a Mac that appears nearly entirely inoperable, displaying only the password prompt on screen. Group-IB reports that this loop can last over 83 hours, or until the victim finally relents.
It seeks much more than just your password.
The login password is merely the starting point. ClickLock also tries to deceive victims into granting approval for a legitimate Keychain access prompt, which allows permission to Chrome’s Safe Storage key. This key can later be utilized to decrypt saved passwords, cookies, and autofill data from Chromium-based browsers.
The malware’s data-extraction module targets a broad spectrum. It seeks browser profiles from Chrome, Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc, and Chromium, capturing saved passwords, cookies, bookmarks, browsing sessions, local storage, and autofill details.
Users of cryptocurrency face an even higher threat. ClickLock looks for browser wallet extensions, desktop wallet files, encrypted wallet vaults, and cached wallet addresses across major blockchain systems, including Bitcoin, Ethereum-compatible chains, Solana, TRON, TON, and Stacks.
It also gathers FileZilla FTP configurations, shell history, basic system data, and public IP addresses, then compresses all this into ZIP files and uploads the stolen information via the Telegram Bot API. To ensure attackers have enduring access, ClickLock employs a modified version of the open-source GSocket tool, establishing a persistent backdoor for remote control of the compromised Mac. Unlike other malware components that erase themselves post-execution to limit forensic traces, this backdoor remains active within the system.
The stealth tactics do not stop there. Researchers indicate that the malware is hosted on compromised yet otherwise legitimate websites, helping it evade reputation-based security measures. Its payloads also self-delete after execution, leaving minimal traces. Nevertheless, Group-IB asserts that defenders can still detect suspicious activities by monitoring for recurrent password dialog boxes produced via osascript, continuous shut-downs of macOS processes, widespread access to browser profile directories, and unusual outbound connections to Telegram.
The most critical takeaway, however, is surprisingly straightforward. If a website prompts you to open Terminal and paste a command to prove your humanity, exit the page without hesitation. No reputable website, including Cloudflare, requires Terminal access for human verification. Moreover, if your Mac suddenly becomes inoperable and repeatedly requests your system password, resist the compulsion to comply. Instead, force a shutdown using the power button, restart in Safe Mode, and investigate the system before providing any credentials. In the case of ClickLock, your password won’t resolve the issue; it’s precisely what the attackers are hoping for.
Other articles
This new Mac malware prevents you from using your computer until you provide your password.
ClickLock is a new malware for macOS that persistently terminates system processes and deceives victims into providing their login passwords to capture sensitive information.
