Close Menu
    What's Hot

    Elbridge Colby Exposes Trump’s America First Contradiction

    Republican Rifts Deepen Over $95 Billion Budget Plan for Iran War and SAVE Act

    In Canada, Wildfires Are Burning Through the Night. Firefighters Are Running Out of Time.

    Facebook X (Twitter) Instagram
    Trending
    • Elbridge Colby Exposes Trump’s America First Contradiction
    • Republican Rifts Deepen Over $95 Billion Budget Plan for Iran War and SAVE Act
    • In Canada, Wildfires Are Burning Through the Night. Firefighters Are Running Out of Time.
    • Ilhan Omar renews push for US to join ICC amid Trump pressure | Courts News
    • Salad Chains Are Seeing Foot Traffic Drop Over Cyclosporiasis Fears
    • Russian strikes threaten Ukraine’s Black Sea grain trade
    • The agent security gap: 54% of enterprises have already had an AI agent incident, and most still let agents share credentials
    • Gay-Themed Mediterranean Cruise Turned Away From Turkey and Then Egypt
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password

    adminBy adminJuly 16, 2026No Comments6 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password
    Share
    Facebook Twitter LinkedIn Pinterest Email

    New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password

    ClickLock Stealer, a new macOS infostealer, answers a victim’s refusal by killing their apps on a loop until they hand over the login password. It arrives as a command pasted into Terminal, asks for the password behind a fake system dialog, and when the victim cancels, installs two LaunchAgents and quietly exits.

    At the next login, Finder, the Dock, Spotlight, Terminal, Activity Monitor, and the major browsers start dying every 210 milliseconds, for up to 83 hours, leaving one password box on a dead desktop. Type it, and the machine gives up the Keychain, the browser credentials, and the crypto wallets.

    Group-IB’s telemetry counts at least 100 targets across 33 countries since May, over half of them in Europe. Its analysts assume from the code structure that the malware is still under development. Uploaded to VirusTotal on June 9, the orchestrator script had zero detections there when Group-IB analyzed it.

    And the analysts never found the front door. They have the whole payload chain and not one of the lure pages. The IOC list carries three compromised payload hosts and no lure domain: the landing page design, the domains serving it, and whatever drives traffic to them are all unconfirmed.

    A completed run leaves the operator holding the validated macOS login password, Chrome’s Safe Storage AES key, and a ZIP with browser credentials and cookies, crypto wallet extension storage, desktop wallet files, password manager vaults, the Keychain, shell history, and FileZilla’s saved server credentials.

    Cybersecurity

    The Safe Storage key is the one that lasts. It encrypts Chrome’s saved passwords and cookies on disk, so Login Data and Cookies are decrypted offline, on the attacker’s machine, whenever they get to it. Group-IB’s advice to anyone who ran this: revoke active browser sessions, treat every saved password, cookie, and wallet key as gone, and change them.

    Comply now, or comply at next login

    The refusing user is not an edge case. They are what the design is for. Cancel the first dialog, and the script drops com.authirity.plist and com.chromer.plist into ~/Library/LaunchAgents/, then leaves.

    The first fires the 210-millisecond kill loop until a password lands. The second launches its own kill loop at 0.2-second intervals for up to 3,000,000 seconds, roughly 34.7 days, while a background process queries the Keychain for Chrome’s Safe Storage key every half second.

    That query raises a real macOS prompt, and the loop holds the desktop hostage until the victim approves it. Activity Monitor and Terminal are on both kill lists. A third loop kills NotificationCenter for six hours, so no Gatekeeper warning renders. If Terminal lacks Full Disk Access, the orchestrator opens System Settings to the right pane and walks the victim through granting it.

    The front end is ClickFix. Group-IB assesses that with high confidence and has never seen it. The script takes a RAY_ID as its first argument and opens with a fake Cloudflare CAPTCHA banner over a progress bar cycling twelve status lines in ten seconds. Neither does anything. They exist to reassure someone who has just pasted a command into a terminal.

    Underneath, script.sh disables keyboard interrupts, hides the cursor, and pulls four payloads from two compromised sites. Two pipe straight into bash. Two land in a hidden $HOME/.cacheb/. The soft ask is an osascript dialog wearing a downloaded Apple icon and the victim’s real username, and whatever gets typed is checked against dscl /Local/Default -authonly first, so only a working password is worth sending.

    Almost none of that is new. Microsoft documented the same dscl validation in SHub Stealer in May, alongside AMOS and MacSync in the same wave of macOS ClickFix campaigns. Telegram exfil and LaunchAgent persistence are boilerplate.

    The backdoor, goyim, is roughly 80 percent a copy of the public deploy script for GSocket, an open-source tunneling toolkit from The Hacker’s Choice. Its authors pitch the gs-netcat component as an encrypted reverse backdoor that needs no C2 server of its own. It rides a relay instead.

    Group-IB traced this copy to an operator relay at gsnc[.]eu:67, with the binary pulled from gsocket.io itself. The stealer payloads sit on three compromised domains with clean reputations, one of them a hacked WordPress site, and the haul leaves through three Telegram bots. Group-IB observed no dedicated command-and-control infrastructure.

    On macOS, the binary lands as iCloud in ~/Library/Application Support/iCloudsync and the process runs as SystemUIServerl, one letter off the real one.

    Apple already tried to shut this door

    macOS 26.4 shipped in late March. It warns when Terminal sees suspicious paste activity and blocks outright anything it recognizes as known malware, a mitigation Microsoft points to as a direct answer to ClickFix delivery.

    Apple’s own documentation shows how much room it left: the warning only fires if you do not regularly use Terminal, and it ships with a Paste Anyway button. The hard block needs macOS to already know the malware.

    Two campaigns went through that room within weeks, in opposite directions. Jamf Threat Labs documented one in April that avoids the paste entirely, using an applescript:// URL to open Script Editor with the payload preloaded, so the check never fires. Jamf’s Thijs Xhaflaire wrote that “when one door closes, attackers find another.” ClickLock is the other. It kept the paste and engineered around the person instead.

    Cybersecurity

    The coercion loop is the one part with no cover story. Group-IB does not hedge on the sub-second pkill and killall bursts against Finder, Dock, SystemUIServer, and NotificationCenter: “this behavior is unique to forced-interaction malware and has no legitimate use case.”

    The rest of the signal set:

    • security find-generic-password called from a shell script rather than a browser
    • osascript spawning password dialogs with icons pulled from /tmp/
    • Bulk reads of browser profile directories followed by traffic to api.telegram.org
    • curl piped into bash where the URL ends in .jpg, .txt or .css
    • LaunchAgent creation in ~/Library/LaunchAgents/ by a shell process, paired with launchctl load

    If a Mac starts killing its own apps and leaves a password box on screen, do not type the password. No verification page needs your Terminal. Cloudflare’s check runs in the browser, which is the entire point of it.

    Group-IB says to hold the power button until the machine shuts down, then start up in Safe Mode, and its Shift-at-startup step is the Intel procedure only. On Apple silicon, hold the power button until “Loading startup options” appears, select the volume, then hold Shift and click Continue in Safe Mode.

    Cleanup is uneven. The stealer modules unload their own LaunchAgents, forge their timestamps off ~/Movies to break timeline analysis, and delete themselves. goyim does not. Sit through the loop, type the password, watch the desktop come back, and what is left is a machine that looks fine with a reverse shell on it, running as SystemUIServerl out of ~/Library/Application Support/iCloudsync.

    ClickLock’s operators launched in May, a month into the warning’s life, and built for the paste. Whether one of Group-IB’s targets ever saw it is the thing the report does not say.

    The Hacker News has asked Group-IB for the macOS version breakdown behind those targets and will update this story with any response.

    210ms apps ClickLock kills macOS Password Stealer Type victims
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleWhat is a micro cap IPO, and why are they disappearing from the stock market?
    Next Article Gay-Themed Mediterranean Cruise Turned Away From Turkey and Then Egypt
    admin
    • Website

    Related Posts

    Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

    July 16, 2026

    Orphanage Fire Kills Eleven in Algeria

    July 16, 2026

    Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories

    July 16, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Elbridge Colby Exposes Trump’s America First Contradiction

    Republican Rifts Deepen Over $95 Billion Budget Plan for Iran War and SAVE Act

    In Canada, Wildfires Are Burning Through the Night. Firefighters Are Running Out of Time.

    Ilhan Omar renews push for US to join ICC amid Trump pressure | Courts News

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by