New macOS stealer locks your Mac until you type your password

Researchers at Group-IB have discovered a new macOS infostealer that turns a victim's own hesitation against them: if the user stalls on handing over their password, the malware kills every visible app until they comply. Dubbed ClickLock Stealer, it blends the increasingly common ClickFix lure with a screen-locking extortion twist, and it surfaced on VirusTotal in June 2026 with zero antivirus detections.

How victims get infected

ClickLock is spread through ClickFix pages, fake verification screens that instruct visitors to copy a command and paste it into the macOS Terminal. Group-IB has counted at least 100 victims across 33 countries, more than half of them in Europe, in a campaign running since May 2026. Notably, the malware needs no exploits and no administrator rights to succeed.

How the attack works

Once the pasted command runs, an orchestrator script displays a fake Cloudflare CAPTCHA progress bar cycling through reassuring messages like "Verifying you are not a bot" while it quietly downloads its modules in the background from compromised WordPress sites. If the victim does not enter their password when prompted, the script locks the Mac by terminating all visible processes except the Terminal, pressuring them to type it. With the login password and the browser encryption key in hand, the attacker can decrypt stored credentials offline at leisure. ClickLock hunts data from 8 browsers, 31 cryptocurrency wallet extensions, 7 password-manager extensions, 8 desktop wallet apps, the macOS Keychain, shell history, and saved FTP logins. It also installs a GSocket-based backdoor that stays behind for persistent access after the rest of the malware deletes itself.

What you should do

Never paste a command into Terminal because a web page told you to, no matter how official the verification screen looks; that single action is the entire attack. This is the same playbook seen in fake Apple security update lures and counterfeit Mac app installers.

Indicators of compromise (defanged)

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions