New ClickLock Stealer macOS Malware Spread via ClickFix Campaign

Malware laptop

Executive Summary

On 9 June 2026, Group-IB Threat Intelligence reported a malicious shell script uploaded to VirusTotal assessed as a new modular macOS stealer likely distributed via ClickFix phishing pages, relying on compromised WordPress domains and Telegram infrastructure, with a strong European victim focus.

According to Group-IB, a ClickLock Stealer operation has already targeted at least 100 victims across 33 countries, with more than 50% from Europe, and has been active for approximately two months since May 2026.

Notably, the malware does not require elevated privileges or exploits for successful execution.

Key Takeaways

  • ClickLock Stealer targets data from 8 browsers, 31 crypto wallet browser extensions, 7 password manager extensions, 8 desktop wallet applications, extracts blockchain addresses across 6 chains, macOS Keychain, shell history, and FTP credentials.
  • Upon execution of a ClickFix command, the malicious script shows a terminal-based loading animation mimicking a Cloudflare progress bar with browser verification flow, while the malware orchestrates modules that search the system for browser credentials, password manager data, crypto wallet extensions, desktop wallet files, and employs a GSocket backdoor.
  • The victim is forced to follow the attack flow and enter a password, because otherwise the malware “locks” the system by killing all visible processes except the Terminal, giving the malware its name, ClickLock Stealer.
  • After modules complete their objectives, they forge timestamps, remove their persistence mechanisms, and self-delete, with the exception of the GSocket backdoor, which remains permanently installed. The attacker ends up with the macOS login password, Chrome’s encryption key, a full archive of stolen data, and a persistent backdoor.
  • Based on the code structure and other observed artifacts, the malware is assessed to still be under development.

MITRE ATT&CK TTPs

  • Initial Access (T1204.004 – Malicious Copy and Paste): The kill chain starts once the user pastes the command into Terminal. The orchestrator script (script[.]sh) disables keyboard interrupts, shows a fake Cloudflare animation, and downloads four components: a credential stealer (zsh[.]txt), a Keychain stealer (chrome[.]txt), a crypto-focused stealer (finderv2.jpg) from compromised WordPress infrastructure, and a GSocket-based backdoor installer (goyim).
  • Credential Theft (T1056.002 – GUI Input Capture): A fake macOS password dialog is built with osascript. If the user complies, the password is validated and sent to Telegram immediately.
  • Persistence (T1543.001 – Launch Agent): Both plist[.]css and chrome[.]js create LaunchAgent .plist files in ~/Library/LaunchAgents/. Any plist with RunAtLoad set to true automatically executes on user login, meaning even if the user reboots, the modules activate on the next login.
  • Keychain Extraction (T1555.001): The extracted key is the AES encryption key used by Chromium-based browsers to encrypt locally stored cookies, passwords, and autofill data. Possession of this key allows offline decryption of Chrome Login Data and Cookies SQLite databases.
  • Backdoor Installation (T1543.001): On macOS, the GSocket binary is disguised as iCloud within ~/Library/Application Support/iCloudsync, with the process masquerading as SystemUIServerl. The script leverages GSocket’s built-in persistence via crontab injection, shell RC file infection, and LaunchAgent creation.
  • Exfiltration (T1567.002): The stolen key file and system profile are exfiltrated to an attacker-controlled Telegram bot via the sendDocument API method. Telegram serves as a lightweight C2 channel requiring no attacker-controlled infrastructure while providing encrypted transport unlikely to be blocked by network filters.

Indicators of Compromise (IOCs)

File Hashes (SHA1)

Component

Filename

SHA1

Orchestrator

script.sh

d9617710d4ed8e9b87f6fee0b7014c4101effba0

Keychain Stealer

Chrome[.]txt

b67aa4f598c0ea625a7409ea7884e10a7bc9c3ff

Credential Stealer

Zsh[.]txt

8dda05168ea8610a2449419a47517bc32823d6ec

Crypto Stealer

finderv2[.]jpg

0a1fb016bd10bac5455175c79aa4511e5ff1a330

GSocket Backdoor

goyim

2fc970e25570532f9cbe33b7ebfe1f0383a7341a

Network Indicators (Obfuscated)

  • panalobet[.]ph – hosts chromer.txt, zsh.txt, finderv2.jpg, deng.php
  • store.grafsynergy[.]com – hosts goyim backdoor installer
  • cottonbox[.]co[.]il – hosts additional payload (hbd)

File System Artifacts

  •  ~/Library/LaunchAgents/com[.]authirity[.]plist
  •  ~/Library/LaunchAgents/com[.]chromer[.]plist
  • $HOME/[.]cacheb/ (hidden staging directory)

Mitigation Options

  • Monitor for osascript processes spawning password dialogs with custom icons, particularly when the icon is sourced from /tmp/ or other unusual locations.
  • Alert on rapid, repeated pkill or killall activity targeting system processes (Finder, Dock, SystemUIServer, NotificationCenter) at sub-second intervals, as this behavior is unique to forced-interaction malware.
  • Detect bulk access to browser profile directories followed by outbound connections to api[.]telegram[.]org or archive creation. Consider blocking or alerting on curl piped directly to bash, especially when source URLs use misleading file extensions (.jpg, .txt, .css).
  • Deploy endpoint detection tools capable of behavioral analysis rather than relying solely on signature-based detection. This sample had zero VirusTotal detections at discovery, meaning static analysis tools provided no protection.
  • Implement TCC (Transparency, Consent, and Control) monitoring to detect unexpected Full Disk Access grants, particularly to Terminal[.]app or shell interpreters.

More Recent Blog Posts

Executive Summary In the last two years, ClickFix tactics have moved from a one-off social engineering trick into an industrialized attack ecosystem that...

Executive Summary On 13 July 2026, Microsoft researchers published details of a ShinyHunters campaign active between mid-2025 and mid-2026 targeting customer SaaS-based applications,...

Executive Summary On 02 July 2026, SOCRadar researchers linked the financially-motivated campaign dubbed “FortiBleed” to the Ransom and Lynx ransomware operations, marking the...