ClickLock Mac Malware Can Disable Apps for Three Days

ClickLock Mac Malware Traps Users in a Three-Day Password Loop

ClickLock Mac Malware Traps Users in a Three-Day Password Loop

A Mac login screen prompts the user to enter a password or restart the computer to access password reset options. Source: Apple

ClickLock can shut down Mac apps for more than three days while pressuring users to enter a password and stealing sensitive account data in the background.

Written By
Liz Ticong
Liz Ticong
Jul 17, 2026
We may earn from vendors via affiliate links or sponsorships. This might affect product placement on our site, but not the content of our reviews. See our Terms of Use for details.

Rejecting a fake password prompt can leave a Mac desktop unusable for more than three days.

Security researchers at Group-IB have uncovered a new macOS stealer called ClickLock that repeatedly shuts down critical system applications after users dismiss a fake password prompt, making it significantly harder to regain control of an infected computer.

A routine-looking request can quickly turn into a fight for control of the computer.

Closing the prompt triggers a harsher attack

Group-IB believes ClickLock reaches victims through fake verification pages that tell them to copy a command into Terminal. Running it starts a counterfeit Cloudflare check and opens a password request styled to resemble a normal macOS dialog.

Dismissing the request causes the malware to install two LaunchAgents that start when the user logs in. Finder, Activity Monitor, System Settings, and major browsers are then forced to close nearly 300 times a minute.

According to the researchers’ analysis, the cycle can run for about 83 hours. Rebooting offers no easy escape because the malicious components return to the next login.

Reports also said that passwords entered into the box are checked locally before anything is sent. Incorrect attempts produce another convincing error message, but a valid credential goes to the attackers. A separate loop can pressure users to approve access to Chrome’s Keychain data for nearly 35 days.

Stolen data can open far more than the desktop

At least 100 people across 33 countries have been targeted by the ClickLock Stealer operation since May 2026, Group-IB reported. More than half were in Europe, with cryptocurrency holders appearing to be a major focus.

ClickLock searches browsers for saved credentials and active session cookies, then looks through password managers and cryptocurrency wallets for more valuable data. Access to those cookies may let criminals enter accounts that were already signed in, and Chrome’s encryption key can help unlock copied browser data later.

Even if victims regain access to their Macs, the attackers’ objectives extend well beyond disrupting the desktop.

Data theft is only part of the risk. Most of the malware’s data-stealing components remove themselves after sending the information, but a modified GSocket backdoor stays behind under an iCloud-like name to preserve remote access after the visible disruption stops.

Advertisement

Must-read security coverage

Immediate steps after a suspected ClickLock infection

If your Mac starts closing apps around a persistent password box, do not type into it. Force the computer to shut down, disconnect it from the internet, and treat any data stored on the device as potentially exposed.

Group-IB recommends restarting in Safe Mode to regain access. The Hacker News notes that Intel Mac users can hold Shift during startup, while Apple silicon models require users to open startup options first.

Use a different trusted device to cut off access before changing passwords. Sign out of active browser sessions first, then reset email and workplace accounts because those logins can open the door to other services. Banking accounts and cryptocurrency wallets should follow. Anyone who had company accounts open should also alert their security team.

Avoiding the same trap later starts with recognizing the fake verification step.

Although Apple has added warnings before suspicious Terminal commands are pasted, the incident shows that user deception remains one of the most effective attack techniques. For Mac users and enterprise security teams alike, recognizing fake verification prompts may be just as important as keeping systems fully patched.

More News: A Claude for Chrome flaw could let rogue extensions turn connected Google apps into a wider security risk.

Liz Ticong

Liz Ticong is a technology writer specializing in artificial intelligence, cybersecurity, software reviews, and emerging business technologies. With more than a decade of professional writing experience and over five years contributing technology content for TechnologyAdvice, she helps readers understand complex technologies and evaluate the tools that best fit their needs. Liz has extensive experience researching, testing, and analyzing software platforms, AI tools, and technology solutions. Her work includes in-depth software reviews, buyer’s guides, product comparisons, and technology news coverage designed to help businesses make informed purchasing and implementation decisions. She regularly evaluates AI applications, automation tools, cybersecurity solutions, and business software, providing practical insights based on hands-on testing and research. In addition to her work with TechnologyAdvice, Liz has contributed technology content to leading industry publications, including eWeek and TechRepublic. Her background in technical writing and software analysis enables her to translate complex technical concepts into clear, actionable guidance for both business and technology audiences. Liz holds a bachelor's degree in Broadcast Communication from the Polytechnic University of the Philippines and continues to expand her expertise through ongoing education in artificial intelligence and emerging technologies. Through her writing, she helps readers navigate a rapidly evolving technology landscape with practical, research-driven insights and real-world product analysis.