When a familiar Apple‑style password prompt turns into a silent thief, macOS users could be blindsided by a new malware threat. In June 2026, security researchers at Group‑IB uncovered ClickLock, a credential‑stealing program that has already infected more than 100 computers across 33 countries, with over half of the victims located in Europe.

ClickLock arrives through a social‑engineering campaign that closely imitates the well‑known ClickFix technique. Victims are lured to a counterfeit verification page—often via SEO poisoning, compromised websites or social‑media posts—where they are instructed to copy a command into the macOS Terminal. Running the command triggers the malware, disables normal system functions, and leaves the user with a single interaction: an Apple‑style login prompt that looks legitimate.

Once executed, the program immediately suppresses system notifications, hides the Terminal cursor, and repeatedly terminates visible applications at sub‑second intervals. It then downloads four distinct components: one that harvests credentials, another that siphons cryptocurrency, a third that collects Keychain data, and a fourth that installs a persistent back‑door. After completing its theft tasks, the credential‑stealing modules delete themselves to reduce forensic evidence, while the back‑door remains active through LaunchAgents, allowing long‑term access.

The password prompt is a key part of the attack. It displays the victim’s actual username and an Apple‑style interface. When the user clicks the login button, ClickLock validates the credentials and immediately forwards them to the attackers via a Telegram channel. Even if the prompt is dismissed, the malware still establishes persistence through LaunchAgents.

Group‑IB researchers noted that the malware chain was fully analyzed, but the initial lure pages that deliver the attack have not yet been identified. The distribution infrastructure is still evolving, and the researchers believe ClickLock is still under active development. The program evaded detection by security engines on VirusTotal when it was first uploaded in June, demonstrating a new level of sophistication in macOS threats.

The attack’s similarity to ClickFix is significant because ClickFix has historically targeted Windows users. By shifting to macOS, ClickLock expands the threat surface for Apple users, who represent the second‑most widely used desktop operating system worldwide. Security experts warn that the realistic login prompt and rapid termination of applications can create a sense of urgency that may compel users to comply. The malware’s persistence mechanism and its ability to delete most of its components after execution make forensic investigation difficult.

No official patch or mitigation has been released by Apple or the malware’s developers. The malware remains active, and Group‑IB continues to monitor its evolution. Users are advised to avoid copying commands from untrusted sources and to keep their macOS systems updated.

The discovery of ClickLock highlights the growing trend of credential‑stealing malware that relies on social engineering and sophisticated evasion techniques. As macOS users increasingly engage in cryptocurrency transactions, the potential impact of such attacks could be significant.

The current situation is that ClickLock is still under active development, with no publicly known lure pages and no confirmed distribution channels beyond the methods described. The malware’s ability to bypass antivirus solutions and its persistence capabilities remain key concerns for the security community.