Find notable cyber news and cases, enriched with sources, timelines, and signals.

ClickLock ClickFix macOS targeting campaign

Campaign
First reported
Last updated
Happening score
H score 33
2 unique sources, 2 articles

Summary

Hide ▲

Group-IB reported a ClickLock Stealer macOS campaign using ClickFix paste-a-command lures and coercive app-killing loops to force victims to enter passwords. The operation has reached at least 100 victims across 33 countries since May 2026, with more than half in Europe. The malware hid the cursor, showed a fake Cloudflare progress animation, pulled modules from two compromised WordPress sites, stole Keychain and wallet data, and exfiltrated through Telegram. Group-IB also found the orchestrator script had zero detections on VirusTotal when uploaded on June 9.

Related Happenings

ClickFix-based TELEPUZ distribution campaign

Campaign
H score35 First: 16.07.2026 15:50 Last: 16.07.2026 15:50 Sources 1

About this happening: The ClickFix-based TELEPUZ distribution campaign is pushing TELEPUZ through websites infected with lures, increasing the chance that victims run malicious commands and...

ClickLock Stealer macOS forced-interaction infostealer activity

Malware Activity
H score27 First: 16.07.2026 15:33 Last: 16.07.2026 15:33 Sources 1

How related: ClickLock Stealer, a new macOS infostealer, answers a victim's refusal by killing their apps on a loop until they hand over the login password.

About this happening: ClickLock Stealer is a macOS infostealer that uses a ClickFix-style paste into Terminal and a fake system dialog to coerce password entry. Group-IB said the ma...

ClickFix mitigation guidance for Windows and macOS

Defensive Guidance
H score34 First: 30.06.2026 15:00 Last: 30.06.2026 15:00 Sources 1

About this happening: Organizations are being urged to harden defenses against ClickFix on Windows and macOS, reducing the chance that social-engineering lures can turn trusted dialogs into...

Y2K Operators Millenium RAT social-engineering distribution campaign

Campaign
H score73 First: 29.06.2026 17:30 Last: 29.06.2026 17:30 Sources 1

About this happening: The Y2K Operators are running a social-engineering distribution campaign that spreads Millenium RAT through booby-trapped downloads, exposing users to remote compr...

Operation Endgame takedown of Amadey and StealC infrastructure

Law Enforcement
H score66 First: 24.06.2026 18:02 Last: 24.06.2026 18:02 Sources 1

About this happening: An international law-enforcement takedown under Operation Endgame disrupted shared infrastructure used by Amadey and StealC, with Microsoft, Europol, and i...

Timeline

  1. 16.07.2026 03:00 3 articles · 15h ago

    Group-IB discloses a ClickLock campaign spanning 33 countries

    Initial Disclosure

    Group-IB says the ClickLock campaign has reached at least 100 targets across 33 countries since May 2026, with more than half in Europe, indicating an active macOS ClickFix operation targeting victims for password and credential theft.

    Show sources