ClickLock ClickFix macOS targeting campaign
Campaign
Summary
Hide ▲
Show ▼
Group-IB reported a ClickLock Stealer macOS campaign using ClickFix paste-a-command lures and coercive app-killing loops to force victims to enter passwords. The operation has reached at least 100 victims across 33 countries since May 2026, with more than half in Europe. The malware hid the cursor, showed a fake Cloudflare progress animation, pulled modules from two compromised WordPress sites, stole Keychain and wallet data, and exfiltrated through Telegram. Group-IB also found the orchestrator script had zero detections on VirusTotal when uploaded on June 9.
Related Happenings
ClickFix-based TELEPUZ distribution campaign
Campaign
H score35
First: 16.07.2026 15:50
Last: 16.07.2026 15:50
Sources 1
About this happening:
The ClickFix-based TELEPUZ distribution campaign is pushing TELEPUZ through websites infected with lures, increasing the chance that victims run malicious commands and...
ClickFix-based TELEPUZ distribution campaign
CampaignAbout this happening: The ClickFix-based TELEPUZ distribution campaign is pushing TELEPUZ through websites infected with lures, increasing the chance that victims run malicious commands and...
ClickLock Stealer macOS forced-interaction infostealer activity
Malware Activity
H score27
First: 16.07.2026 15:33
Last: 16.07.2026 15:33
Sources 1
How related:
ClickLock Stealer, a new macOS infostealer, answers a victim's refusal by killing their apps on a loop until they hand over the login password.
About this happening:
ClickLock Stealer is a macOS infostealer that uses a ClickFix-style paste into Terminal and a fake system dialog to coerce password entry. Group-IB said the ma...
ClickLock Stealer macOS forced-interaction infostealer activity
Malware ActivityHow related: ClickLock Stealer, a new macOS infostealer, answers a victim's refusal by killing their apps on a loop until they hand over the login password.
About this happening: ClickLock Stealer is a macOS infostealer that uses a ClickFix-style paste into Terminal and a fake system dialog to coerce password entry. Group-IB said the ma...
ClickFix mitigation guidance for Windows and macOS
Defensive Guidance
H score34
First: 30.06.2026 15:00
Last: 30.06.2026 15:00
Sources 1
About this happening:
Organizations are being urged to harden defenses against ClickFix on Windows and macOS, reducing the chance that social-engineering lures can turn trusted dialogs into...
ClickFix mitigation guidance for Windows and macOS
Defensive GuidanceAbout this happening: Organizations are being urged to harden defenses against ClickFix on Windows and macOS, reducing the chance that social-engineering lures can turn trusted dialogs into...
Y2K Operators Millenium RAT social-engineering distribution campaign
Campaign
H score73
First: 29.06.2026 17:30
Last: 29.06.2026 17:30
Sources 1
About this happening:
The Y2K Operators are running a social-engineering distribution campaign that spreads Millenium RAT through booby-trapped downloads, exposing users to remote compr...
Y2K Operators Millenium RAT social-engineering distribution campaign
CampaignAbout this happening: The Y2K Operators are running a social-engineering distribution campaign that spreads Millenium RAT through booby-trapped downloads, exposing users to remote compr...
Operation Endgame takedown of Amadey and StealC infrastructure
Law Enforcement
H score66
First: 24.06.2026 18:02
Last: 24.06.2026 18:02
Sources 1
About this happening:
An international law-enforcement takedown under Operation Endgame disrupted shared infrastructure used by Amadey and StealC, with Microsoft, Europol, and i...
Operation Endgame takedown of Amadey and StealC infrastructure
Law EnforcementAbout this happening: An international law-enforcement takedown under Operation Endgame disrupted shared infrastructure used by Amadey and StealC, with Microsoft, Europol, and i...
Timeline
-
16.07.2026 03:00 1 articles · 15h ago
VirusTotal shows zero detections for the orchestrator script
Technical Analysis UpdateGroup-IB uploaded the orchestrator script to VirusTotal on June 9 and found zero detections when it analyzed the file, indicating the sample was still largely unrecognized by scanners.
Show sources
- New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password — thehackernews.com — 16.07.2026 15:33
-
16.07.2026 03:00 3 articles · 15h ago
Group-IB discloses a ClickLock campaign spanning 33 countries
Initial DisclosureGroup-IB says the ClickLock campaign has reached at least 100 targets across 33 countries since May 2026, with more than half in Europe, indicating an active macOS ClickFix operation targeting victims for password and credential theft.
Show sources
- New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password — thehackernews.com — 16.07.2026 15:33
- New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password — thehackernews.com — 16.07.2026 15:33
- Modular macOS Stealer Uses Kill Loops to Force Password Entry — www.infosecurity-magazine.com — 16.07.2026 16:30