ClickLock macOS stealer kills apps until user types password
Group-IB documents ClickLock, a macOS stealer delivered via ClickFix that kills Finder, Dock, and browsers on a 210ms loop until the victim types their login password.
New macOS infostealer. Named ClickLock. Delivered via ClickFix, coerces the login password by making the machine unusable until the victim types it.
Group-IB published the analysis on July 16 via The Hacker News, citing its own telemetry. Confirmed: at least 100 targets across 33 countries since May 2026. Uploaded to VirusTotal on June 9, 2026. Attribution: financially motivated, otherwise unconfirmed — treat accordingly.
Chain — reported, not reproduced
Fake Cloudflare CAPTCHA lure over a progress bar. The victim is walked into pasting a command into Terminal. Four payloads pull from compromised sites via a script.sh stager. Group-IB has published three compromised payload-host IoCs; the lure domains themselves are not confirmed. The paste-into-Terminal step is the entire social-engineering surface — nothing in the class is novel, ClickFix has been the delivery vector of the month for two quarters now. What’s new is what runs after.
The coercion loop
The stealer presents a fake system password dialog. If the victim cancels — which is what most people do — the malware installs two LaunchAgents in ~/Library/LaunchAgents/:
com.authirity.plist— primary kill loop at 210ms intervalscom.chromer.plist— secondary loop at ~0.2s intervals
At next login, Finder, Dock, Spotlight, Terminal, Activity Monitor, SystemUIServer, NotificationCenter, and the major browsers get killed on that loop. Every launch dies inside a fifth of a second. The password dialog returns. Group-IB’s read is that a non-technical victim will type the password to make the machine work again. That’s the mechanism the name is pointing at — the click is locked, not the malware.
Once the login password is captured, ClickLock validates it against the local account and pulls:
- Chrome Safe Storage AES key and browser credentials, cookies, autofill
- Crypto wallet extension storage and desktop wallet files
- Password-manager vaults
- Keychain contents
- Shell history and FileZilla server credentials
Exfil goes to an operator relay at gsnc[.]eu:67 and three Telegram bots.
What to do
Block the ClickFix pattern at the edge — every published ClickFix chain routes through a fake-CAPTCHA lure and a Terminal paste. If you have EDR on Mac fleets, alert on new .plist files landing in ~/Library/LaunchAgents/ outside of package installation windows; both of ClickLock’s persistence files land there. Group-IB’s three compromised payload hosts and the gsnc[.]eu relay are the confirmed IoCs; the lure infrastructure is not.
If a user reports Finder or the Dock crash-looping and the machine only came back after they typed their password into an unfamiliar dialog — assume the credential is gone. Rotate everything the login password reached, including anything the Keychain unlocked automatically for that account.
Found this useful? Share it.


