ClickLock malware locks Mac users out to steal passwords
ClickLock malware targets Mac users by locking devices and stealing passwords through fake Apple login prompts and social engineering.
A newly identified strain of macOS malware is using an unusual tactic to compromise Apple computers by preventing users from accessing their devices until they enter their login password. Security researchers have warned that the malware, known as ClickLock, relies on social engineering rather than software flaws, making it particularly difficult for unsuspecting users to recognise the attack.
Table Of Content
According to researchers from Group-IB, the malware has infected at least 100 systems across 33 countries since May. It was also reported that when the malware sample was first uploaded to VirusTotal in June, none of the platform’s security engines identified it as malicious. This allowed the threat to spread undetected by many traditional antivirus tools.
Malware relies on deception instead of software flaws
Unlike many modern cyberattacks that exploit vulnerabilities in operating systems or applications, ClickLock relies on convincing users to unknowingly assist in the infection process. Researchers believe the attack begins with a ClickFix-style social engineering technique that presents victims with what appears to be a Cloudflare human verification page.
The fake verification process instructs users to copy and paste a command into the macOS Terminal application to complete the check. While a false progress indicator keeps the victim occupied, the malware silently downloads and installs its components in the background. Rather than exploiting a weakness in macOS itself, the attack succeeds by persuading users to perform the installation manually.
Once active, the malware makes the computer increasingly difficult to use. It repeatedly terminates important macOS processes, suppresses Notification Centre alerts for nearly six hours, disables keyboard interrupts and hides the Terminal cursor. It also displays convincing Apple password prompts that appear legitimate, creating pressure for users to enter their system password to regain control of their computer.
This approach is designed to exploit human behaviour rather than technical weaknesses. Victims may believe the repeated password requests are genuine system prompts intended to restore normal operation, when in reality, entering the correct password gives the attackers exactly what they need.
Password unlock leads to extensive data theft
Entering the correct macOS password does not resolve the issue. Instead, it allows ClickLock to begin collecting a wide range of sensitive information stored on the infected computer.
Researchers found that the malware targets browser data, saved usernames and passwords, cryptocurrency wallets, password managers and other valuable credentials. It also gathers FileZilla FTP configuration files, shell command history, basic system information and the device’s public IP address. The stolen information is compressed into ZIP archives before being transmitted to attackers through the Telegram Bot API.
To maintain long-term access to compromised systems, ClickLock installs a modified version of the open-source GSocket tool. This creates a persistent backdoor that allows attackers to remotely access and control the infected Mac even after other parts of the malware remove themselves from the system.
Most of the malware’s components are programmed to delete themselves after completing their tasks, reducing the amount of forensic evidence left behind. However, the remote access backdoor remains active, giving attackers an ongoing presence on the compromised device.
Researchers advise users to avoid Terminal verification requests
Group-IB researchers also highlighted several techniques ClickLock uses to avoid detection. The malware is hosted on compromised but otherwise legitimate websites, helping it bypass reputation-based security systems that typically block known malicious domains.
Although many malware files self-destruct after execution, security teams can still identify signs of infection. Researchers said defenders should watch for repeated password prompts generated via osascript, the continuous termination of macOS processes, unusual access to browser profile folders, and unexpected outbound connections to Telegram servers.
Security experts stressed that the most effective defence is awareness. Legitimate websites, including Cloudflare, do not require users to open Terminal and paste commands to complete human verification. Any webpage requesting this action should be closed immediately.
If a Mac suddenly becomes unresponsive while repeatedly prompting for the system password, users are advised not to enter their credentials. Instead, they should force the computer to shut down using the power button, restart it in Safe Mode and investigate the system before providing any passwords. In the case of ClickLock, entering the login password does not restore normal operation; instead, it gives attackers access to sensitive information stored on the device.





