MacOS users, beware: newly discovered stealthy stealer requires no exploits
The stealer focuses on Europe, where more than 50% of identified victims are located

Image by Cybernews.
- ClickLock Stealer needs no exploits, only one pasted Terminal command disguised as verification
- The malware steals passwords, browser data, crypto wallets, and persists quietly via backdoor
- Victims are coerced through fake dialogs and app-killing locker behavior until they comply
- More than half of known victims are in Europe, though targets span 33 countries
Malware targeting macOS users is rare and has to be pretty advanced, given the system's strong protections and the number of users being too low for large profits. Discovering a previously undocumented sample with zero detections is difficult – but, as a new report shows, still possible.
Researchers from Group-IB Threat Intelligence have detected a new malicious shell script that was uploaded to VirusTotal on June 9th and had zero detections at the time of discovery.
It’s a new modular macOS stealer likely distributed via ClickFix pages and relying on compromised WordPress domains and Telegram infrastructure, with a strong focus on Europe, where more than 50% of identified victims are located.
Crucially, the malware “doesn’t even need any elevated privileges or rely on exploits for the successful execution,” says Group-IB, calling it the ClickLock Stealer.
Interestingly, the victim gets forced to follow the attack flow and enter a password, because otherwise malware locks the system usage by killing all visible processes,Group-IB
“It requires no exploits or elevated privileges – just a victim pasting one command into Terminal, disguised as a Cloudflare verification check – and includes a ‘locker’ mechanism that kills every visible app until the victim complies,” reads the explanatory blog post.
As a reminder, Terminal is a built-in application on macOS that allows you to interact with your Mac using lines of code.
Victims are forced to comply
What actually happens? Upon execution of the ClickFix command, the malicious script shows a terminal-based loading animation mimicking Cloudflare’s progress bar with browser verification flow.
The malware uses the window to orchestrate further modules that search the system for various data, including browser credentials, password manager data, crypto wallet extensions, desktop wallet files, and more.
Check if your data has been leaked
“Interestingly, the victim gets forced to follow the attack flow and enter a password, because otherwise malware locks the system usage by killing all visible processes,” says Group-IB.
In other words, the ClickLock Stealer:
- Tricks macOS users into initiating the infection via ClickFix
- Forces the victim to enter the system password through fake dialogs
- Starts acting as a “locker” when or if the victim tries to break the compromise flow and forces the victim to comply
- Steals the victim’s passwords, browser data, and crypto wallets, sending everything to the attacker’s controlled bot via Telegram API
After all modules (which are payload components of stealer operations) complete their objectives, they forge timestamps, remove their persistence mechanisms, and delete themselves, except for the backdoor called goyim, which remains permanently installed.
The victim’s system returns to normal operation, likely without raising any awareness of compromise.
But the attacker now holds the macOS login password, Chrome’s encryption key, a full archive of stolen data, and a persistent backdoor, “which is more than enough to decrypt all browser-stored credentials offline and maintain access indefinitely,” the researchers point out.
Never paste commands into Terminal from websites
The malware targets eight browsers, 31 crypto wallet extensions, 7 password manager extensions, 8 desktop wallets, and blockchain addresses across 6 chains, plus the macOS Keychain and shell history.
Researchers have so far identified at least 100 victims across 33 countries. The stealer focuses on Europe, where more than 50% of identified victims are located.
The number of victims doesn’t seem huge. But this particular macOS stealer operation has only been active for around 2 months, since May. Besides, Group-IB says it assumes that the malware is still under development.
The focus on cryptocurrency wallet extensions, desktop wallet applications, and blockchain address extraction should in theory indicate that crypto holders are the primary targets.
But the additional harvesting of password manager vaults, browser-saved credentials, and payment data suggests that any macOS user with valuable online accounts represents a worthwhile target for this campaign.
Cloudflare, Google, and other services perform their verification entirely within the browser. Any page that instructs you to open Terminal, regardless of how professional it looks, is attempting to compromise your system.
“This campaign demonstrates that macOS users may face real, sophisticated threats that require neither exploits nor any elevated access to succeed,” says Group-IB.
“The entire attack chain from initial access to full credential theft and data exfiltration relies on a single moment of trust: the user pasting a command into Terminal.”
That’s why the lesson for macOS users is pretty straightforward: never paste commands into Terminal from websites since, frankly, no legitimate website will ever ask you to paste a command into Terminal.
Cloudflare, Google, and other services perform their verification entirely within the browser. Any page that instructs you to open Terminal, regardless of how professional it looks, is attempting to compromise your system.