Full Report
ClickLock Stealer, a new macOS infostealer, answers a victim's refusal by killing their apps on a loop until they hand over the login password. It arrives as a command pasted into Terminal, asks for the password behind a fake system dialog, and when the victim cancels, installs two LaunchAgents and quietly exits. At the next login, Finder, the Dock, Spotlight, Terminal, Activity Monitor, and
Analysis Summary
# Tool/Technique: ClickLock Stealer
## Overview
ClickLock Stealer is a sophisticated macOS-specific information stealer that utilizes aggressive "hostage" tactics to compel victims into providing their system passwords. It is characterized by its high-frequency process-killing loops and its delivery via "ClickFix" social engineering lures, where users are tricked into pasting malicious commands directly into their Terminal.
## Technical Details
- **Type:** Malware (Infostealer)
- **Platform:** macOS
- **Capabilities:** Credential theft (Keychain, Browsers), Crypto-wallet hijacking, Persistence, Application "Hostage" loops, Reverse Shell.
- **First Seen:** May 2026 (Initial telemetry); VirusTotal upload June 9, 2026.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1204.004 - User Execution: Malicious Service Link (ClickFix/Terminal paste)
- **TA0003 - Persistence**
- T1543.001 - Create or Modify System Process: Launch Agent
- **TA0005 - Evasion**
- T1562.001 - Impair Defenses: Disable or Modify Tools (Killing Activity Monitor/Terminal)
- T1140 - Deobfuscate/Decode Files or Information
- **TA0006 - Credential Access**
- T1555.001 - Credentials from Password Stores: Keychain
- T1552.003 - Unsecured Credentials: Bash History
- T1606.001 - Forge Web Credentials: Web Cookies
- **TA0007 - Discovery**
- T1082 - System Information Discovery
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (Telegram)
## Functionality
### Core Capabilities
- **Terminal-Based Delivery:** Exploits the "ClickFix" trend where victims paste a base64-encoded or obfuscated command into Terminal under the guise of fixing a web error.
- **Process Termination Loop:** If the victim refuses to provide a password, it enters a "hostage" mode. It kills critical processes (Finder, Dock, Spotlight, Activity Monitor, major browsers) every **210 milliseconds**.
- **Credential Theft:** Steals Chrome Safe Storage AES keys, browser SQLite databases (Login Data, Cookies), Desktop wallets, and FileZilla credentials.
- **Password Validation:** Uses `dscl /Local/Default -authonly` to verify the victim's password locally before exfiltration, ensuring the stolen data is actionable.
### Advanced Features
- **GSocket Integration:** Incorporates a backdoor named **goyim**, based on the open-source GSocket (Global Socket) toolkit, for encrypted reverse tunneling.
- **Permission Manipulation:** If Full Disk Access is not granted, the script automatically opens the specific System Settings pane and provides instructions to the user to lower their security posture.
- **Notification Suppression:** Kills `NotificationCenter` for six hours to prevent macOS Gatekeeper or system integrity alerts from appearing.
## Indicators of Compromise
- **File Hashes (SHA256):**
- `3ce0504ba65f8d56f83d7fef45faeaeb31e4e5aa9b872b56610b5f2558231caa` (Orchestrator script)
- **File Names:**
- `~/Library/LaunchAgents/com.authirity.plist`
- `~/Library/LaunchAgents/com.chromer.plist`
- `$HOME/.cacheb/` (Hidden directory for payloads)
- **Network Indicators:**
- `gs-netcat` (Behavioral/Service)
- Telegram API (Exfiltration)
- **Behavioral Indicators:**
- Repeated, high-frequency termination of `Finder.app`, `Terminal.app`, and `Activity Monitor.app`.
- Unexpected `osascript` prompts mimicking system dialogs.
## Associated Threat Actors
- **Unconfirmed:** While specific attribution is not finalized, it is linked to the broader **ClickFix** campaign ecosystem, showing code similarities with **SHub Stealer**, **AMOS (Atomic Stealer)**, and **MacSync**.
## Detection Methods
- **Behavioral Detection:** Monitor for scripts calling `dscl` with the `-authonly` flag, or high-frequency loops of `killall` targeting core macOS processes.
- **Persistence Monitoring:** Audit `~/Library/LaunchAgents/` for suspicious plists (e.g., `com.authirity.plist`).
- **Endpoint Security:** Look for the creation of hidden directories in `$HOME` (like `.cacheb`) followed by immediate network activity to Telegram or GSocket relays.
## Mitigation Strategies
- **User Education:** Train users never to paste commands directly into Terminal from unknown websites/pop-ups.
- **Restrict Permissions:** Use MDM solutions to restrict the ability of standard users to grant "Full Disk Access" to applications.
- **Credential Hygiene:** If an infection is suspected, treat all Keychain and browser-stored secrets as compromised. Revoke active browser sessions and change passwords immediately.
## Related Tools/Techniques
- **GSocket (Global Socket):** The open-source tool used for the backdoor component.
- **AMOS (Atomic macOS Stealer):** Shares similar exfiltration and targeting patterns.
- **SHub Stealer:** Uses the same `dscl` password validation technique.