- Group‑IB discovers ClickLock, a new information stealer focused on macOS that uses aggressive social engineering by sending password prompts and terminating key applications every 210 ms until victims comply.
- Once the credentials are obtained, it exfiltrates browser data, crypto wallets, password manager entries, FTP configurations and device information via the Telegram Bot API.
- Active since May 2026, spotted in 33 countries (mainly Europe), distributed via ClickFix campaigns and initially undetected by security vendors until recently
Security researchers at Group-IB have discovered a new information stealer primarily targeting macOS users in Europe.
Dubbed ClickLock, it’s more of an annoying social engineering mechanism than a full-fledged malware variant, constantly displaying a login prompt on the victim’s device, until they finally comply and share the credentials.
Every 210 milliseconds, it terminates the device’s key applications (Finder, Dock, TErminal, etc.), rendering it essentially useless. At the same time, it keeps asking for a password dialog box on the screen, ensuring that the victim cannot do anything other than provide the credentials.
Target Europeans
The loop should continue for more than three consecutive days, or until the victim goes to bed.
After obtaining the keys to the kingdom, the malware goes to work and begins exfiltrating valuable information.
This includes data from major browsers (Chrome, Firefox, Brave and others), saved logins, cookies, autofill data and other browser information, data related to cryptocurrency wallets and extensions, crypto wallet vault hardware that can be hacked off-site, password manager data, cryptocurrency addresses cached on EVM, Bitcoin, Solana, TRON, TON and Stacks, shell histories, configuration FTP FileZilla and recent server data, as well as basic device information. Everything is then grouped into a .ZIP Archive and exfiltrated via a Telegram Bot API.
Group-IB says the campaign has been active since at least May 2026, so it has been active for a few months now. A researcher submitted a variant to VirusTotal in early June, but it remained undetected by all security vendors until recently, according to Group-IB.
So far, it has been spotted in 33 countries, more than half of which are in Europe, it was also added. The malware is most likely distributed via a ClickFix social engineering campaign and is not linked to any particular malicious actor.

The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.




