ClickLock Stealer macOS forced-interaction infostealer activity
Malware Activity
Summary
Hide ▲
Show ▼
ClickLock Stealer is a macOS infostealer that uses a ClickFix-style paste into Terminal and a fake system dialog to coerce password entry. Group-IB said the malware hit at least 100 victims across 33 countries in about two months, with more than half in Europe. It can drop LaunchAgents if the prompt is canceled, then run a coercion loop that keeps killing apps and can lock the desktop for up to 83 hours while stealing the login password, Keychain material, browser data, and crypto wallets. Exfiltration runs through Telegram rather than dedicated C2, and the initial sample was uploaded to VirusTotal on June 9 with zero detections.
Related Happenings
ClickFix-based TELEPUZ distribution campaign
Campaign
H score35
First: 16.07.2026 15:50
Last: 16.07.2026 15:50
Sources 1
About this happening:
The ClickFix-based TELEPUZ distribution campaign is pushing TELEPUZ through websites infected with lures, increasing the chance that victims run malicious commands and...
ClickFix-based TELEPUZ distribution campaign
CampaignAbout this happening: The ClickFix-based TELEPUZ distribution campaign is pushing TELEPUZ through websites infected with lures, increasing the chance that victims run malicious commands and...
ClickLock ClickFix macOS targeting campaign
Campaign
H score33
First: 16.07.2026 15:33
Last: 16.07.2026 15:33
Sources 1
How related:
According to new research from Group-IB published on June 16, the malware, dubbed ClickLock Stealer, has hit at least 100 victims across 33 countries in about two months, with more than half in Europe.
About this happening:
Group-IB reported a ClickLock Stealer macOS campaign using ClickFix paste-a-command lures and coercive app-killing loops to force victims to enter passwords. The o...
ClickLock ClickFix macOS targeting campaign
CampaignHow related: According to new research from Group-IB published on June 16, the malware, dubbed ClickLock Stealer, has hit at least 100 victims across 33 countries in about two months, with more than half in Europe.
About this happening: Group-IB reported a ClickLock Stealer macOS campaign using ClickFix paste-a-command lures and coercive app-killing loops to force victims to enter passwords. The o...
CrashStealer macOS information stealer activity
Malware Activity
H score10
First: 13.07.2026 20:36
Last: 13.07.2026 20:36
Sources 1
About this happening:
CrashStealer is a macOS information-stealing malware that was tracked in May and seen in attacks in early July. It impersonates Apple's crash-reporting tool by...
CrashStealer macOS information stealer activity
Malware ActivityAbout this happening: CrashStealer is a macOS information-stealing malware that was tracked in May and seen in attacks in early July. It impersonates Apple's crash-reporting tool by...
BusySnake Stealer Windows information-theft activity
Malware Activity
H score30
First: 03.07.2026 16:36
Last: 03.07.2026 16:36
Sources 1
About this happening:
The BusySnake Stealer malware is being used against Windows systems to steal browser cookies, passwords, documents, screenshots, wallet files, and Telegram data, increasin...
BusySnake Stealer Windows information-theft activity
Malware ActivityAbout this happening: The BusySnake Stealer malware is being used against Windows systems to steal browser cookies, passwords, documents, screenshots, wallet files, and Telegram data, increasin...
ClickFix mitigation guidance for Windows and macOS
Defensive Guidance
H score34
First: 30.06.2026 15:00
Last: 30.06.2026 15:00
Sources 1
About this happening:
Organizations are being urged to harden defenses against ClickFix on Windows and macOS, reducing the chance that social-engineering lures can turn trusted dialogs into...
ClickFix mitigation guidance for Windows and macOS
Defensive GuidanceAbout this happening: Organizations are being urged to harden defenses against ClickFix on Windows and macOS, reducing the chance that social-engineering lures can turn trusted dialogs into...
Timeline
-
16.07.2026 15:33 3 articles · 2h ago
ClickLock Stealer macOS forced-interaction infostealer activity
Initial DisclosureThe delivery phase uses a ClickFix-style paste into Terminal and a fake system dialog to push the victim toward running the payload. If the user cancels, the script drops LaunchAgents and exits before the coercion loop begins.
Show sources
- New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password — thehackernews.com — 16.07.2026 15:33
- New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password — thehackernews.com — 16.07.2026 15:33
- Modular macOS Stealer Uses Kill Loops to Force Password Entry — www.infosecurity-magazine.com — 16.07.2026 16:30