ClickLock Stealer, a new macOS infostealer, answers a victim's refusal by killing their apps on a loop until they hand over the login password. It arrives as a command pasted into Terminal, asks for the password behind a fake system dialog, and when the victim cancels, installs two LaunchAgents and quietly exits.
At the next login, Finder, the Dock, Spotlight, Terminal, Activity Monitor, and the major browsers start dying every 210 milliseconds, for up to 83 hours, leaving one password box on a dead desktop. Type it, and the machine gives up the Keychain, the browser credentials, and the crypto wallets.
Group-IB's telemetry counts at least 100 targets across 33 countries since May, over half of them in Europe. Its analysts assume from the code structure that the malware is still under development. Uploaded to VirusTotal on June 9, the orchestrator script had zero detections there when Group-IB analyzed it.
And the analysts never found the front door. They have the whole payload chain and not one of the lure pages. The IOC list carries three compromised payload hosts and no lure domain: the landing page design, the domains serving it, and whatever drives traffic to them are all unconfirmed.











