A new macOS infostealer called ClickLock forces victims to surrender their login credentials by systematically terminating applications every 210 milliseconds until they comply.
The malware spreads via a command pasted into Terminal, then displays a fake system dialog requesting the user's password. When victims dismiss the prompt, ClickLock installs two LaunchAgent persistence mechanisms and exits silently. Upon the next login, the stealer relaunches and begins killing critical system applications including Finder, the Dock, Spotlight, Terminal, and Activity Monitor in rapid succession.
This denial-of-service tactic renders the system unusable. Victims face an unusable desktop and cannot access their files or run other programs. The only way to restore functionality involves providing the login password to the fake dialog, which ClickLock then exfiltrates to attackers.
The LaunchAgent installation ensures ClickLock persists across reboots and user sessions. This automated execution method survives typical restart attempts and standard remediation procedures, requiring manual removal through advanced system tools or recovery mode.
ClickLock targets macOS users who may execute commands from untrusted sources, paste code from malicious websites, or fall victim to social engineering. Attackers likely distribute the initial command through phishing emails, compromised forums, or fake software download sites. The attack succeeds because it leverages macOS users' relative unfamiliarity with command-line threats compared to Windows populations.
Organizations supporting macOS fleets should enforce application whitelisting, disable Terminal execution policies where feasible, and educate users against pasting arbitrary commands. Individual users should never paste commands from unknown sources into Terminal without understanding their function. The fake system dialog closely mimics authentic macOS password prompts, making it particularly deceptive.
No CVE assignment exists yet for ClickLock. Security researchers recommend immediate
