Decoding the world of cybersecurity

ClickLock puts macOS identity stores at risk

A newly documented macOS stealer targets Keychain records, browser sessions, password managers, wallets, and developer credentials, with more than half of identified victims located in Europe.

ClickLock puts macOS identity stores at risk
Summary
  • Group-IB has identified at least 100 ClickLock victims across 33 countries, with more than half in Europe.
  • The malware targets macOS Keychain data, browser credentials, password managers, wallets, shell history, and FTP details.
  • Distribution through fake verification pages is assessed with high confidence, although the original delivery page was not directly observed.

A newly documented macOS information stealer is targeting credentials and identity material held across browsers, Apple’s Keychain, password managers, cryptocurrency wallets, shell history, and file-transfer applications.

Group-IB has named the malware ClickLock and says it has identified at least 100 victims across 33 countries, with more than half of the observed infections located in Europe.

The researchers found a malicious shell script uploaded to VirusTotal on 9 June 2026 that was not detected by any of the available scanning engines at the time of analysis. Group-IB assesses with high confidence that ClickLock is distributed through ClickFix-style pages, although it did not directly observe the original delivery page.

ClickFix attacks imitate a browser, security, or verification process and instruct the user to copy and execute a command. On macOS, that commonly involves opening Terminal and pasting a shell instruction, placing the malware’s first execution inside an action initiated by the user.

Group-IB’s technical analysis says ClickLock collects information from eight browsers, 31 cryptocurrency-wallet extensions, seven password-manager extensions, and eight desktop wallets. It also seeks macOS Keychain records, shell history, FTP credentials, and blockchain addresses.

Once running, the malware can imitate system prompts, repeatedly close visible applications, suppress notifications, and pressure the user into entering a password or approving access to Keychain material. A modified GSocket component provides a persistent backdoor after the information-stealing modules have completed their work.

A single Mac can hold several layers of trust

A managed Mac used by a developer, administrator, executive, or consultant may contain browser sessions, cloud credentials, password-manager access, shell keys, and command history associated with production systems. Compromise of that endpoint can therefore extend well beyond the files stored locally.

Keychain and browser theft may provide access without requiring the attacker to defeat each service’s login page. Session material can remain valid until it is revoked, while access to a password manager can expose credentials across a much larger application estate.

Shell history and FTP records can reveal internal hostnames, usernames, deployment commands, file locations, and operating practices. Even where a password is absent, the information helps an attacker understand how development and infrastructure environments are organised.

Mac estates are sometimes governed less consistently than Windows fleets because they are concentrated among technical staff or regarded as lower-risk endpoints. That assumption becomes costly when the same users hold access to repositories, cloud platforms, signing services, administrative consoles, and customer data.

User-driven commands require behavioural controls

ClickFix techniques exploit the distinction between code that arrives automatically and a command the user appears to run deliberately. Web filtering or anti-malware controls may see a legitimate browser, Terminal, and system utilities rather than a conventional downloaded application.

The sequence provides stronger evidence than any single event. A browser process followed by Terminal, a pasted shell command, background downloads, repeated process termination, and access to credential stores should be treated as a connected chain.

Roles that do not require Terminal can be restricted, while technical users need detailed process and command telemetry, approved software sources, and monitoring of attempts to access Keychain and browser-profile data. Device management should also preserve sufficient logs to reconstruct activity after the malware removes parts of its own installation.

Following suspected infection, deleting the scripts does not restore trust. Browser sessions should be invalidated, exposed credentials rotated, password-manager accounts reviewed, and cloud, repository, and identity logs examined for access after the endpoint was compromised.

The European concentration reported by Group-IB represents its observed sample rather than a measure of total prevalence. The disclosed activity nevertheless shows how quickly a pasted command can collect several forms of organisational identity and leave persistent remote access behind.

×