A macOS infostealer called ClickLock harasses users into surrendering their passwords — no vulnerability required.
Researchers at Group-IB identified ClickLock, active since at least May 2026, as a social engineering tool that kills Finder, Dock, and Terminal every 210 milliseconds while looping a fake login dialog on screen. The loop runs for over three straight days or until the victim enters their password. Once they do, the malware packages browser data, saved logins, cookies, cryptocurrency wallet contents, password manager entries, FileZilla FTP configs, shell histories, and basic device info into a ZIP archive and ships it out via Telegram's Bot API. Group-IB says a sample sat on VirusTotal undetected by all security vendors for weeks after an early June submission.
What makes ClickLock notable is the absence of any exploit. It does not need elevated privileges, a zero-day, or even particularly clever code — just persistence and the reasonable human impulse to make an annoying popup stop. That approach is harder to patch than a software flaw, and it targets a demographic — Mac users — who often assume they are safer than they are. The campaign has reached 33 countries, with more than half of those in Europe.
Distributed via ClickFix campaigns and not yet tied to a specific threat actor, ClickLock fits a growing pattern of credential theft that trades technical sophistication for psychological pressure — a trade that, judging by its spread, is paying off.