Full Report
Newly documented stealer ClickLock comes for the more trusting Mac user with spot of social engineering
Analysis Summary
This summary is based on the threat intelligence report provided regarding the newly identified macOS malware.
# Tool/Technique: ClickLock Stealer
## Overview
ClickLock is an information stealer targeting macOS users. It primarily relies on "ClickFix" social engineering to trick victims into executing malicious commands manually. Once active, it exfiltrates sensitive data and uses a "locker" mechanism to coerce the victim into providing their system password.
## Technical Details
- **Type:** Malware Family (Information Stealer)
- **Platform:** macOS
- **Capabilities:** Credential theft, cryptocurrency wallet draining, remote access, and application locking (denial of service).
- **First Seen:** May 2026 (Active since this date; first analyzed via VirusTotal in June 2026).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566.002 - Phishing: Spearphishing Link] (Social engineering via fake verification pages)
- **[TA0002 - Execution]**
- [T1059.004 - Command and Scripting Interpreter: Unix Shell] (User-initiated Terminal commands)
- **[TA0003 - Persistence]**
- [T1547 - Boot or Logon Autostart Execution] (Mechanisms designed to resume attack after reboot)
- **[TA0006 - Credential Access]**
- [T1555 - Credentials from Password Stores] (Keychain and browser data)
- [T1141 - Input Capture] (Fake password prompts)
- **[TA0009 - Collection]**
- [T1539 - Steal Web Session Cookie]
- **[TA0011 - Command and Control]**
- [T1105 - Ingress Tool Transfer]
- [T1102.002 - Web Service: Bidirectional Communication] (Telegram API)
## Functionality
### Core Capabilities
- **Information Theft:** Targets 8 browsers, 31 crypto wallet extensions, 7 password managers, and 8 desktop wallet apps.
- **System Data Harvesting:** Collects macOS Keychain data, shell history, FTP credentials, and blockchain addresses.
- **Social Engineering (ClickFix):** Displays fake Cloudflare verification animations to mask background downloads.
- **Exfiltration:** Uses Telegram infrastructure for command-and-control (C2) and data delivery.
### Advanced Features
- **Coercive Locking:** If a user refuses to enter their password, the malware repeatedly kills visible applications to prevent normal use of the Mac.
- **Remote Access:** Deploys a modified version of the open-source GSocket tool to establish a persistent remote connection.
## Indicators of Compromise
- **File Hashes:** [Specific hashes not provided in text; consult Group-IB report]
- **File Names:** Initial payload typically delivered as a shell script.
- **Network Indicators:**
- Compromised WordPress sites (hosting payloads)
- `api[.]telegram[.]org` (C2 communication)
- **Behavioral Indicators:**
- Unexpected/repeated `kill` commands targeting legitimate applications.
- Unexpected password prompts appearing outside of system preferences.
- Unauthorized access to `~/Library/Keychains/`.
## Associated Threat Actors
- Currently unattributed (the report describes it as a "newly documented" operation).
## Detection Methods
- **Behavioral Detection:** Monitoring for shell scripts that attempt to access browser profiles and the macOS Keychain, or processes that repeatedly terminate other running applications.
- **Network Monitoring:** Flagging unusual Telegram traffic patterns from macOS endpoints, especially when originating from non-messaging applications.
## Mitigation Strategies
- **User Education:** Advise users never to copy and paste code from a website directly into the Terminal.
- **Hardening:** Implement Endpoint Detection and Response (EDR) solutions that can flag unauthorized attempts to access sensitive directories (e.g., Application Support/Google/Chrome).
- **Architecture:** Restrict Terminal usage via MDM for non-technical users where possible.
## Related Tools/Techniques
- **ClickFix:** A common social engineering technique used to deliver various malware (e.g., ClearFake).
- **GSocket:** An open-source tool repurposed by the attackers for remote access.