Executive Summary
On 9 June 2026, Group-IB Threat Intelligence reported a malicious shell script uploaded to VirusTotal assessed as a new modular macOS stealer likely distributed via ClickFix phishing pages, relying on compromised WordPress domains and Telegram infrastructure, with a strong European victim focus.
According to Group-IB, a ClickLock Stealer operation has already targeted at least 100 victims across 33 countries, with more than 50% from Europe, and has been active for approximately two months since May 2026.
Notably, the malware does not require elevated privileges or exploits for successful execution.
Key Takeaways
- ClickLock Stealer targets data from 8 browsers, 31 crypto wallet browser extensions, 7 password manager extensions, 8 desktop wallet applications, extracts blockchain addresses across 6 chains, macOS Keychain, shell history, and FTP credentials.
- Upon execution of a ClickFix command, the malicious script shows a terminal-based loading animation mimicking a Cloudflare progress bar with browser verification flow, while the malware orchestrates modules that search the system for browser credentials, password manager data, crypto wallet extensions, desktop wallet files, and employs a GSocket backdoor.
- The victim is forced to follow the attack flow and enter a password, because otherwise the malware “locks” the system by killing all visible processes except the Terminal, giving the malware its name, ClickLock Stealer.
- After modules complete their objectives, they forge timestamps, remove their persistence mechanisms, and self-delete, with the exception of the GSocket backdoor, which remains permanently installed. The attacker ends up with the macOS login password, Chrome’s encryption key, a full archive of stolen data, and a persistent backdoor.
- Based on the code structure and other observed artifacts, the malware is assessed to still be under development.
MITRE ATT&CK TTPs
- Initial Access (T1204.004 – Malicious Copy and Paste): The kill chain starts once the user pastes the command into Terminal. The orchestrator script (script[.]sh) disables keyboard interrupts, shows a fake Cloudflare animation, and downloads four components: a credential stealer (zsh[.]txt), a Keychain stealer (chrome[.]txt), a crypto-focused stealer (finderv2.jpg) from compromised WordPress infrastructure, and a GSocket-based backdoor installer (goyim).
- Credential Theft (T1056.002 – GUI Input Capture): A fake macOS password dialog is built with osascript. If the user complies, the password is validated and sent to Telegram immediately.
- Persistence (T1543.001 – Launch Agent): Both plist[.]css and chrome[.]js create LaunchAgent .plist files in ~/Library/LaunchAgents/. Any plist with RunAtLoad set to true automatically executes on user login, meaning even if the user reboots, the modules activate on the next login.
- Keychain Extraction (T1555.001): The extracted key is the AES encryption key used by Chromium-based browsers to encrypt locally stored cookies, passwords, and autofill data. Possession of this key allows offline decryption of Chrome Login Data and Cookies SQLite databases.
- Backdoor Installation (T1543.001): On macOS, the GSocket binary is disguised as iCloud within ~/Library/Application Support/iCloudsync, with the process masquerading as SystemUIServerl. The script leverages GSocket’s built-in persistence via crontab injection, shell RC file infection, and LaunchAgent creation.
- Exfiltration (T1567.002): The stolen key file and system profile are exfiltrated to an attacker-controlled Telegram bot via the sendDocument API method. Telegram serves as a lightweight C2 channel requiring no attacker-controlled infrastructure while providing encrypted transport unlikely to be blocked by network filters.
Indicators of Compromise (IOCs)
File Hashes (SHA1)
Component | Filename | SHA1 |
Orchestrator | script.sh | d9617710d4ed8e9b87f6fee0b7014c4101effba0 |
Keychain Stealer | Chrome[.]txt | b67aa4f598c0ea625a7409ea7884e10a7bc9c3ff |
Credential Stealer | Zsh[.]txt | 8dda05168ea8610a2449419a47517bc32823d6ec |
Crypto Stealer | finderv2[.]jpg | 0a1fb016bd10bac5455175c79aa4511e5ff1a330 |
GSocket Backdoor | goyim | 2fc970e25570532f9cbe33b7ebfe1f0383a7341a |
Network Indicators (Obfuscated)
- panalobet[.]ph – hosts chromer.txt, zsh.txt, finderv2.jpg, deng.php
- store.grafsynergy[.]com – hosts goyim backdoor installer
- cottonbox[.]co[.]il – hosts additional payload (hbd)
File System Artifacts
- ~/Library/LaunchAgents/com[.]authirity[.]plist
- ~/Library/LaunchAgents/com[.]chromer[.]plist
- $HOME/[.]cacheb/ (hidden staging directory)
Mitigation Options
- Monitor for osascript processes spawning password dialogs with custom icons, particularly when the icon is sourced from /tmp/ or other unusual locations.
- Alert on rapid, repeated pkill or killall activity targeting system processes (Finder, Dock, SystemUIServer, NotificationCenter) at sub-second intervals, as this behavior is unique to forced-interaction malware.
- Detect bulk access to browser profile directories followed by outbound connections to api[.]telegram[.]org or archive creation. Consider blocking or alerting on curl piped directly to bash, especially when source URLs use misleading file extensions (.jpg, .txt, .css).
- Deploy endpoint detection tools capable of behavioral analysis rather than relying solely on signature-based detection. This sample had zero VirusTotal detections at discovery, meaning static analysis tools provided no protection.
- Implement TCC (Transparency, Consent, and Control) monitoring to detect unexpected Full Disk Access grants, particularly to Terminal[.]app or shell interpreters.