- Group-IB discovers ClickLock, a new macOS-focused data stealer that uses aggressive social engineering by spamming password requests and closing key applications every 210 ms until victims comply
- Once credentials are obtained, it exfiltrates browser data, crypto wallets, password manager entries, FTP settings, and device information via Telegram Bot API.
- Active since May 2026, detected in 33 countries (mainly Europe), distributed through ClickFix campaigns and initially undetected by security vendors until recently.
Group-IB security researchers have discovered a new data stealer primarily targeting macOS users in Europe.
Dubbed ClickLock, it’s more of an annoying social engineering mechanism than a full-fledged malware variant, constantly displaying a login message on the victim’s device, until they finally comply and share the credentials.
Every 210 milliseconds it terminates key applications on the device (Finder, Dock, Terminal, etc.), making it essentially useless. At the same time, it keeps displaying a password dialog on the screen, making sure that the victim cannot do anything other than provide the credentials.
Address the Europeans
The cycle will continue for more than three days in a row, or until the victim withdraws.
After obtaining the keys to the kingdom, the malware gets to work and starts leaking valuable information.
This includes data from key browsers (Chrome, Firefox, Brave and others), saved logins, cookies, autofill data and other browser information, data linked to cryptocurrency wallets and extensions, vault material from encrypted wallets that can be decrypted off-site, data from password managers, cryptocurrency addresses cached in EVM, Bitcoin, Solana, TRON, TON and Stacks, shell histories, FileZilla FTP configuration and recent data server, and basic device information. in a .ZIP file and extracted via a Telegram Bot API.
Group-IB says the campaign has been active since at least May 2026, so it has been active for a few months. A researcher submitted a variant to VirusTotal in early June, but no security vendors detected it until recently, Group-IB says.
So far, it has been detected in 33 countries, more than half of which are in Europe, he also added. The malware is most likely distributed via a ClickFix social engineering campaign and has not been linked to any particular threat actor.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




