Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password

The Hacker News by The Hacker News
July 16, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


ClickLock Stealer, a new macOS infostealer, answers a victim’s refusal by killing their apps on a loop until they hand over the login password. It arrives as a command pasted into Terminal, asks for the password behind a fake system dialog, and when the victim cancels, installs two LaunchAgents and quietly exits.

At the next login, Finder, the Dock, Spotlight, Terminal, Activity Monitor, and the major browsers start dying every 210 milliseconds, for up to 83 hours, leaving one password box on a dead desktop. Type it, and the machine gives up the Keychain, the browser credentials, and the crypto wallets.

Group-IB’s telemetry counts at least 100 targets across 33 countries since May, over half of them in Europe. Its analysts assume from the code structure that the malware is still under development. Uploaded to VirusTotal on June 9, the orchestrator script had zero detections there when Group-IB analyzed it.

And the analysts never found the front door. They have the whole payload chain and not one of the lure pages. The IOC list carries three compromised payload hosts and no lure domain: the landing page design, the domains serving it, and whatever drives traffic to them are all unconfirmed.

A completed run leaves the operator holding the validated macOS login password, Chrome’s Safe Storage AES key, and a ZIP with browser credentials and cookies, crypto wallet extension storage, desktop wallet files, password manager vaults, the Keychain, shell history, and FileZilla’s saved server credentials.

The Safe Storage key is the one that lasts. It encrypts Chrome’s saved passwords and cookies on disk, so Login Data and Cookies are decrypted offline, on the attacker’s machine, whenever they get to it. Group-IB’s advice to anyone who ran this: revoke active browser sessions, treat every saved password, cookie, and wallet key as gone, and change them.

Comply now, or comply at next login

The refusing user is not an edge case. They are what the design is for. Cancel the first dialog, and the script drops com.authirity.plist and com.chromer.plist into ~/Library/LaunchAgents/, then leaves.

The first fires the 210-millisecond kill loop until a password lands. The second launches its own kill loop at 0.2-second intervals for up to 3,000,000 seconds, roughly 34.7 days, while a background process queries the Keychain for Chrome’s Safe Storage key every half second.

That query raises a real macOS prompt, and the loop holds the desktop hostage until the victim approves it. Activity Monitor and Terminal are on both kill lists. A third loop kills NotificationCenter for six hours, so no Gatekeeper warning renders. If Terminal lacks Full Disk Access, the orchestrator opens System Settings to the right pane and walks the victim through granting it.

The front end is ClickFix. Group-IB assesses that with high confidence and has never seen it. The script takes a RAY_ID as its first argument and opens with a fake Cloudflare CAPTCHA banner over a progress bar cycling twelve status lines in ten seconds. Neither does anything. They exist to reassure someone who has just pasted a command into a terminal.

Underneath, script.sh disables keyboard interrupts, hides the cursor, and pulls four payloads from two compromised sites. Two pipe straight into bash. Two land in a hidden $HOME/.cacheb/. The soft ask is an osascript dialog wearing a downloaded Apple icon and the victim’s real username, and whatever gets typed is checked against dscl /Local/Default -authonly first, so only a working password is worth sending.

Almost none of that is new. Microsoft documented the same dscl validation in SHub Stealer in May, alongside AMOS and MacSync in the same wave of macOS ClickFix campaigns. Telegram exfil and LaunchAgent persistence are boilerplate.

The backdoor, goyim, is roughly 80 percent a copy of the public deploy script for GSocket, an open-source tunneling toolkit from The Hacker’s Choice. Its authors pitch the gs-netcat component as an encrypted reverse backdoor that needs no C2 server of its own. It rides a relay instead.

Group-IB traced this copy to an operator relay at gsnc[.]eu:67, with the binary pulled from gsocket.io itself. The stealer payloads sit on three compromised domains with clean reputations, one of them a hacked WordPress site, and the haul leaves through three Telegram bots. Group-IB observed no dedicated command-and-control infrastructure.

On macOS, the binary lands as iCloud in ~/Library/Application Support/iCloudsync and the process runs as SystemUIServerl, one letter off the real one.

Apple already tried to shut this door

macOS 26.4 shipped in late March. It warns when Terminal sees suspicious paste activity and blocks outright anything it recognizes as known malware, a mitigation Microsoft points to as a direct answer to ClickFix delivery.

Apple’s own documentation shows how much room it left: the warning only fires if you do not regularly use Terminal, and it ships with a Paste Anyway button. The hard block needs macOS to already know the malware.

Two campaigns went through that room within weeks, in opposite directions. Jamf Threat Labs documented one in April that avoids the paste entirely, using an applescript:// URL to open Script Editor with the payload preloaded, so the check never fires. Jamf’s Thijs Xhaflaire wrote that “when one door closes, attackers find another.” ClickLock is the other. It kept the paste and engineered around the person instead.

The coercion loop is the one part with no cover story. Group-IB does not hedge on the sub-second pkill and killall bursts against Finder, Dock, SystemUIServer, and NotificationCenter: “this behavior is unique to forced-interaction malware and has no legitimate use case.”

The rest of the signal set:

  • security find-generic-password called from a shell script rather than a browser
  • osascript spawning password dialogs with icons pulled from /tmp/
  • Bulk reads of browser profile directories followed by traffic to api.telegram.org
  • curl piped into bash where the URL ends in .jpg, .txt or .css
  • LaunchAgent creation in ~/Library/LaunchAgents/ by a shell process, paired with launchctl load

If a Mac starts killing its own apps and leaves a password box on screen, do not type the password. No verification page needs your Terminal. Cloudflare’s check runs in the browser, which is the entire point of it.

Group-IB says to hold the power button until the machine shuts down, then start up in Safe Mode, and its Shift-at-startup step is the Intel procedure only. On Apple silicon, hold the power button until “Loading startup options” appears, select the volume, then hold Shift and click Continue in Safe Mode.

Cleanup is uneven. The stealer modules unload their own LaunchAgents, forge their timestamps off ~/Movies to break timeline analysis, and delete themselves. goyim does not. Sit through the loop, type the password, watch the desktop come back, and what is left is a machine that looks fine with a reverse shell on it, running as SystemUIServerl out of ~/Library/Application Support/iCloudsync.

ClickLock’s operators launched in May, a month into the warning’s life, and built for the paste. Whether one of Group-IB’s targets ever saw it is the thing the report does not say.

The Hacker News has asked Group-IB for the macOS version breakdown behind those targets and will update this story with any response.



Source link

The Hacker News

The Hacker News

Next Post
GVTC Communications Promotes Josh Johnson and Scott Hitt to Vice President Roles

GVTC Communications Promotes Josh Johnson and Scott Hitt to Vice President Roles

Recommended.

Arelion strengthens Baltic connectivity with new resilient route, reducing latency to Western Europe

Arelion strengthens Baltic connectivity with new resilient route, reducing latency to Western Europe

October 20, 2025
How to Close Threat Detection Gaps: Your SOC’s Action Plan

How to Close Threat Detection Gaps: Your SOC’s Action Plan

October 2, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Anaconda Extends AI-Native Application Development With Acquisition

Anaconda Extends AI-Native Application Development With Acquisition

May 1, 2026
AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

January 30, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio