Close Menu
  • Instructions
  • News
    • DeFi
    • Smart Contract
    • Markets
    • Web3
    • Adoption
    • Memecoins
    • Analysis
    • Mining
    • Scams
    • Security
  • Education
    • Learn
    • Wallets & Exchange
  • Documentaries
  • Videos
    • Alessio Rastani
    • Altcoin Buzz
    • Coin Bureau
    • Dapp University
    • DataDash
    • Digital asset News
    • EllioTrades Crypto
    • MMCrypto
    • Lark Davis
    • Ivan on Tech
    • Benjamin Cowen
  • Market
    • Crypto Market Cap
    • Heat Map
    • Converter
    • Metal Prices
    • Stock prices
  • Bonus Books
  • Tools
What's Hot

Modular macOS Stealer Uses Kill Loops to Force Password Entry

July 16, 2026

LayerZero-Linked Executor Wallets Suspected of Losing $2.4 Million Across Multiple Chains

July 16, 2026

Crypto brokerage firm Alpaca raises $135 million for tokenized stock infrastructure

July 16, 2026
Facebook X (Twitter) Instagram
Recession Profit AlertsRecession Profit Alerts
  • Instructions
  • News
    • DeFi
    • Smart Contract
    • Markets
    • Web3
    • Adoption
    • Memecoins
    • Analysis
    • Mining
    • Scams
    • Security
  • Education
    • Learn
    • Wallets & Exchange
  • Documentaries
  • Videos
    • Alessio Rastani
    • Altcoin Buzz
    • Coin Bureau
    • Dapp University
    • DataDash
    • Digital asset News
    • EllioTrades Crypto
    • MMCrypto
    • Lark Davis
    • Ivan on Tech
    • Benjamin Cowen
  • Market
    • Crypto Market Cap
    • Heat Map
    • Converter
    • Metal Prices
    • Stock prices
  • Bonus Books
  • Tools
Recession Profit AlertsRecession Profit Alerts
Home»Security»Modular macOS Stealer Uses Kill Loops to Force Password Entry
Modular macOS Stealer Uses Kill Loops to Force Password Entry
Security

Modular macOS Stealer Uses Kill Loops to Force Password Entry

July 16, 2026No Comments3 Mins Read

A new macOS stealer has been observed pairing the paste-a-command social engineering of a ClickFix lure with a coercion routine that rendered the machine unusable until the victim surrendered their password.

According to new research from Group-IB published on June 16, the malware, dubbed ClickLock Stealer, has hit at least 100 victims across 33 countries in about two months, with more than half in Europe.

The initial sample was uploaded to VirusTotal on June 9 with zero detections.

Read more on macOS ClickFix: Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings

Modular Attack Chain

Execution started when the victim pasted a command into Terminal from what Group-IB assessed was a ClickFix page. An orchestrator script hid the cursor and played a fake Cloudflare progress animation while downloading four components from two compromised WordPress sites.

Two tools handled credential theft. A Keychain stealer queried macOS for the Chrome Safe Storage key, the AES key that decrypts Chrome-stored cookies and passwords offline. A credential module presented a fake password dialog in AppleScript, validating any entered password against the local directory service so only correct ones reached the operator.

A third module hunted for cryptocurrency assets, iterating on more than 30 wallet extensions, including MetaMask and Phantom and extracting encrypted vault fields from LevelDB storage.

The fourth installed GSocket, an open-source reverse-shell tool reused with roughly 80% of its original code, disguised on macOS as an iCloud process.

Forcing the Victim to Comply

If the victim entered the password on first prompt, the operator received it with a system fingerprint. If they canceled, the orchestrator installed two LaunchAgents so both credential modules would be relaunched on the next login.

See also  Mach-O Man Malware Steals macOS Keychain Data in Lazarus Group Crypto Campaign – Bitcoin News

A kill loop then terminated Finder, Dock, browsers, Terminal and Activity Monitor in a tight cycle running for up to 83 hours, while the Keychain module applied the same pattern to force approval of the real macOS Keychain dialog.

A parallel loop killed NotificationCenter for around six hours to suppress Gatekeeper warnings. Exfiltration ran entirely over Telegram, with three bots and no dedicated command-and-control (C2). Modules forged timestamps and deleted themselves, leaving only the GSocket backdoor.

The findings sit alongside a broader shift in the macOS stealer ecosystem. The Atomic macOS Stealer (AMOS) family gained an embedded backdoor in July 2025, and Jamf Threat Labs documented CrashStealer using a signed dropper to clear Gatekeeper earlier this week.

Group-IB urged users to treat any website instructing them to paste a command into Terminal as an attack attempt, and to force-shutdown and boot into Safe Mode rather than enter a password if the desktop suddenly starts killing applications.

Source link

Entry Force kill Loops macOS Modular Password Stealer

Related Posts

LayerZero-Linked Executor Wallets Suspected of Losing $2.4 Million Across Multiple Chains

July 16, 2026

Supra patched oracle on 11 other chains before $9M Hedera exploit

July 16, 2026

Major Losses Reported – Transactions Suspended

July 16, 2026

Gwalior CA Loses Over Rs 21 Crore in Major Crypto Investment Scam

July 16, 2026
Top Posts

JPMorgan Chase Abruptly Slashes 2026 S&P 500 Target Amid Oil Supply Shock and Geopolitical Concerns: Report

March 27, 2026

How Tokenized Treasuries Became Crypto’s New Margin Layer

May 18, 2026

Honda Projects First Loss Since 1957 – $15.7 Billion – Thanks To EV Strategy Fail

March 14, 2026

Type above and press Enter to search. Press Esc to cancel.