- Group-IB Unveils ClickLock, a New macOS-Focused Infostealer That Uses Aggressive Social Engineering by Spamming Password Prompts and Quitting Key Apps Every 210ms Until Victims Comply
- Once the credentials are obtained, it exfiltrates browser data, crypto wallets, password manager entries, FTP configurations and device information via the Telegram Bot API
- Active since May 2026, seen in 33 countries (mostly Europe), distributed via ClickFix campaigns and initially undetected by security vendors until recently
Security researchers from Group-IB have revealed a new infostealer targeting primarily macOS users in Europe.
Called ClickLock, it’s more of an annoying social engineering mechanism rather than a full-blown malware variant that constantly pops up a login prompt on the victim’s device until they finally comply and share the credentials.
Every 210 milliseconds it terminates key apps on the device (Finder, Dock, TERminal, etc.), essentially rendering it useless. At the same time, it keeps asking for a password dialog on the screen, ensuring that the victim can do nothing but provide the credentials.
Targeting Europeans
The loop is set to continue for more than three days in a row or until the victim succumbs.
After getting the keys to the kingdom, the malware goes to work and starts exfiltrating valuable information.
This includes data from key browsers (Chrome, Firefox, Brave and others), saved logins, cookies, autofill data and other browser information, data associated with cryptocurrency wallets and extensions, encrypted wallet vault material that can be cracked off-site, data from password managers, cached cryptocurrency addresses across EVM, Stack, Bitcoin, Solana, shell history, FRONT, Bitcoin, TONll, history. configuration and recent server data and basic device information. Everything is then packed into a .ZIP archive and exfiltrated via a Telegram Bot API.
Group-IB says the campaign has been active since at least May 2026, so it’s been active for a few months now. A researcher submitted a variant to VirusTotal in early June, but it remained undetected by all security vendors until recently, Group-IB says.
So far, it has been seen in 33 countries, more than half of which are in Europe, it also added. The malware is most likely being distributed via a ClickFix social engineering campaign and has not been tied to any specific threat actor.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



