ClickLock Stealer Tricks Mac Users Into Handing Over Their Own Passwords
A newly discovered piece of Mac malware skips the usual hacking tricks and simply persuades victims to run it themselves, then locks the screen until they surrender their passwords.

Key points
- Cybersecurity firm Group-IB discovered ClickLock Stealer in early June 2025, with evidence it has been active since at least late May.
- The malware has hit at least 100 victims across 33 countries, with more than half of those victims located in Europe.
- ClickLock Stealer steals saved passwords, cryptocurrency wallet details, and browser data, then sends everything to the attackers via Telegram.
- The malware works entirely through deception: victims copy and paste a command themselves, so no hacking exploit is needed.
- A six-hour background loop suppresses Mac security warnings by repeatedly shutting down Apple's notification system.
Most malware breaks in. ClickLock Stealer knocks politely and waits for you to open the door.
The malware, which targets computers running macOS (Apple's desktop and laptop operating system), was uncovered by security firm Group-IB in early June 2025. Researchers believe criminals set up fake web pages disguised as Cloudflare verification screens, the familiar "I'm not a robot" style checks many websites use. Visitors to these pages are told to copy a piece of text and paste it into their Mac's Terminal, which is a text-based window that lets users run direct commands on their computer. Pressing enter on that command downloads and launches the malware.
Because the victim runs the command themselves, using their own account, macOS has no reason to object. No exploit, no vulnerability, no hacking shortcut needed.
Once inside, ClickLock Stealer splits into four separate programs: one that steals saved passwords from web browsers, one that drains cryptocurrency wallets, one that targets the macOS Keychain (Apple's built-in password vault), and one that installs a backdoor, meaning a hidden entry point the criminals can use to return later.
How does it steal your password if you never type it in?
It waits you out. The malware throws up a fake macOS password dialog, which looks identical to the real thing, then kills every other visible application on screen. Nothing else works until you type your password. Researchers at Group-IB found that a background process simultaneously shuts down Apple's NotificationCenter, the system that delivers security warnings, roughly continuously for around six hours, so no alert ever reaches the victim.
When the malware also needs access to the Keychain to grab Chrome's stored passwords, it triggers another realistic-looking permission prompt, again killing everything else until the user agrees.
All the stolen data, including browser passwords, cryptocurrency addresses from six different blockchain networks, FTP credentials (login details for transferring files online), and command-line history, gets bundled into a compressed file and sent to a Telegram bot controlled by the criminals.
Security Week first reported on ClickLock Stealer's discovery.
If you own a Mac and recently followed instructions on a website to paste something into Terminal, treat that as a red flag. Check your Mac's login items in System Settings for anything unfamiliar, consider changing your Apple ID password, and contact your bank if you stored any financial logins in Chrome or Safari. You do not need to be technically savvy to fall for this; the whole attack is designed to look routine.



