ClickLock: the Mac malware that locks up your screen until you type your password
A new macOS stealer, tracked by Group-IB, freezes everything on the screen except a password box. It has already hit around 100 machines in 33 countries.

Key points
- Group-IB researchers say the ClickLock stealer has infected at least 100 Mac computers across 33 countries since May 2025.
- The malware shuts down apps every fifth of a second and shows only a fake password box until the user gives in.
- The script sat on VirusTotal, a public malware-scanning service, from June 9 with zero detections at the time of the report.
- Stolen data, including browser logins, crypto wallets, and password-manager files, is smuggled out through the Telegram messaging service.
- A modified copy of the open-source tool GSocket stays behind as a hidden backdoor for remote access.
A new piece of Mac malware is playing a nasty trick on its victims. It closes every window on the screen, hides the mouse cursor, and refuses to let go until the user types in their login password.
Researchers at the Singapore-based firm Group-IB call it ClickLock. The name fits. The software, first reported by BleepingComputer, locks the machine into a loop the user cannot easily escape.
How does the attack actually start?
It begins with a fake safety check on a website. The lure is a technique the security industry calls ClickFix, where a page pretends to be a Cloudflare "human verification" step and tells the visitor to paste a command into the Mac's Terminal app.
Terminal is the text-based control panel built into macOS. Pasting a strange command there is roughly the same as handing a stranger the keys to your house.
Once the command runs, an animated progress bar appears. Behind it, the script disables keyboard interrupts, hides the cursor, silences macOS notifications for about six hours, and quietly downloads the rest of the malware.
What happens if you refuse to type your password?
That is where ClickLock gets creative. Group-IB says the script first pops up a password box that uses the victim's real username and a genuine-looking Apple icon. If the person types their password, it is checked and then sent straight to the attacker over Telegram.
If the person cancels, the malware plants itself as a LaunchAgent, a small file macOS uses to start programs automatically, and waits for the next login.
On the next boot, a kill loop kicks in. Every 210 milliseconds the script closes Finder, Dock, Terminal, Activity Monitor, Console, System Settings, Spotlight and the web browsers. Only the password prompt remains. Group-IB reports the loop is set to run for roughly 83 hours or until the victim gives up and types the password.
A second loop asks for permission to read Chrome's Safe Storage key, the piece of data that unlocks saved Chrome passwords, cookies and autofill. That one is configured to run for nearly 35 days.
What does the malware steal?
Quite a lot. The harvesting module pulls saved logins, cookies, autofill, bookmarks and session data from eight browsers, including Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc and Chromium.
It also grabs cryptocurrency wallet extensions, desktop wallet files, encrypted wallet vaults for later offline cracking, password-manager extension data, shell command history, and FileZilla FTP settings. Everything is packed into a ZIP file and uploaded via Telegram's Bot API. Files bigger than 40 MB are split up.
The final piece is a tweaked version of GSocket, an open-source networking tool. It stays on the system as a backdoor, giving the attacker remote shell access through a relay server. The other parts of ClickLock delete themselves after running.
Is this linked to a known group?
Not publicly, at least not yet. Group-IB has not tied ClickLock to a named cluster, and the ClickFix lure is now used by a wide mix of criminal crews and state-linked operators, so single-source attribution here would be premature. Treat it, for now, as a capable but unattributed campaign with clear financial motive.
What should Mac users do?
Two practical rules. Never paste a Terminal command from a website you do not fully trust, no matter how polished the page looks. And if your Mac suddenly looks frozen with only a password box on screen, do not type. Group-IB advises holding the power button to force a shutdown, then booting into Safe Mode to clean up.



