Group-IB reports macOS stealer spread through fake verification pages
ClickLock Stealer uses ClickFix-style prompts to get Mac users to run Terminal commands, then targets passwords, wallets and browser data, Group-IB says.
By Renata Fuchs · Policy Reporter
· 3 min read
Group-IB has reported a previously undocumented macOS information stealer, called ClickLock Stealer, that relies on social engineering rather than software exploits to compromise machines. The security firm said the campaign has been active since around May and has affected at least 100 victims in 33 countries, with more than half of those victims in Europe.
The malware is notable because its operators do not need a vulnerability or elevated privileges to begin the attack, according to Group-IB. Instead, users are pushed through fake verification pages that instruct them to copy a command and paste it into macOS Terminal. That pattern aligns with the ClickFix technique, a social-engineering method that has become more common across malware campaigns.
Group-IB said it found the malware after analyzing a malicious shell script uploaded to VirusTotal on June 9. At the time of upload, the file had no antivirus detections, according to the researchers. The company said the operators appear to use compromised WordPress sites to host payloads and Telegram infrastructure for command and control.
How the attack works
After a victim runs the supplied Terminal command, ClickLock presents what looks like a Cloudflare verification flow, including a fake progress animation, Group-IB said. While the victim sees that interface, the malware downloads additional components in the background.
The stealer then attempts to collect a broad set of local data. Group-IB said ClickLock targets information from eight browsers, 31 cryptocurrency wallet browser extensions, seven password manager extensions, eight desktop wallet apps, macOS Keychain, shell history, FTP credentials and blockchain addresses across six chains. The malware also deploys a modified version of the open source GSocket tool to give attackers remote access, according to the firm.
The “locker” part of the name comes from a coercive step in the fake verification process. Group-IB said ClickLock asks for the user’s macOS password. If the victim refuses, the malware repeatedly terminates visible applications, making normal use of the machine difficult. If the password is entered, the theft continues more quietly. If the user reboots, persistence mechanisms are intended to restart the attack, according to the researchers.
Why defenders should care
The campaign is a reminder that macOS threats do not need to clear the bar of a novel exploit to be effective. Group-IB wrote that the attack chain depends on “a single moment of trust”: the user pasting a command into Terminal. That makes signature-only detection weaker, especially when early samples have no antivirus coverage.
Group-IB said the malware appears to remain under active development, based on its code structure and related artifacts. The firm did not identify the operators behind the campaign, disclose the full number of infected devices beyond the “at least 100” figure, or quantify any stolen funds.
For security teams, the indicators are behavioral: unexpected password prompts, repeated forced closure of applications, unusual access to browser stores and saved credentials, and outbound connections that send stolen data through Telegram. For users, the instruction is narrower. A website claiming to be Cloudflare, Google or another verification provider should not be asking anyone to open Terminal and paste a command.
This story draws on original reporting from The Register.