Advertisement
Security

When macOS Malware Holds Your Desktop Hostage

A newly identified stealer uses aggressive application termination loops to coerce macOS users into revealing their system passwords.

··2 hours ago·3 min read
Hacker in hoodie working on multiple computer screens
Photo by Julio Lopez on Unsplash
Advertisement

A Persistent Loop of Coercion

The ClickLock infostealer represents a shift in social engineering tactics, moving away from subtle data harvesting to overt, disruptive coercion. Rather than quietly running in the background, this malware forces a user's compliance by rendering the macOS environment nearly unusable. If a user refuses to provide their system password when prompted by a counterfeit system dialog, the malware initiates a destructive cycle.

Finder, the Dock, and primary web browsers are subjected to a continuous termination loop. These applications are forced to quit every 210 milliseconds, effectively paralyzing the workstation. The campaign appears to be evolving, with research from Group-IB identifying at least 100 targets across 33 countries since May. The orchestration script was previously identified with zero detections on VirusTotal as of June 9, highlighting the stealth with which these campaigns can emerge.

The Anatomy of the Attack

The delivery mechanism relies on a ClickFix framework, where victims are prompted to paste a command into the Terminal under the guise of a security or CAPTCHA verification. Once the script gains a foothold, it establishes persistence via LaunchAgents. The malware is designed to be relentless, with secondary loops capable of running for up to 83 hours or, in some iterations, nearly 35 days.

this behavior is unique to forced-interaction malware and has no legitimate use case.

— Group-IB, in their technical analysis of the malware's disruptive pkill and killall patterns.

The threat actors behind this campaign utilize various techniques to evade detection and maintain control, including:

  • 210 milliseconds: The cycle frequency for the initial application kill loop.
  • 83 hours: The maximum duration the primary disruption loop can persist.
  • 3,000,000 seconds: The approximate duration of the secondary persistent kill loop.

Bypassing Modern Protections

Recent iterations of macOS, specifically since macOS 26.4, have attempted to curb the paste-based delivery methods used in these campaigns by issuing warnings when suspicious activity is detected in the Terminal. However, as noted by security researchers, attackers continue to pivot. When one vector is mitigated, they move to others—such as utilizing applescript:// URLs to trigger malicious payloads, as documented one in April by Jamf Threat Labs.

The malware also employs the goyim backdoor, which borrows heavily from the open-source GSocket toolkit. By leveraging this existing infrastructure, the attackers avoid the need for dedicated command-and-control servers, opting instead to route stolen data through relay nodes and Telegram bots. The binary itself masquerades as a legitimate process, running under the name SystemUIServerl, a subtle variation of the genuine macOS service.

Implications for Users and Security

The reality for end-users is that traditional security barriers are being circumvented through direct psychological manipulation. The malware succeeds because it mimics the aesthetics of legitimate system prompts, exploiting the user's trust in their own operating system. If a user encounters a scenario where their machine is actively killing processes and demanding a password, the only secure path is to force a shutdown rather than engaging with the prompts.

For those who have already entered their credentials, the risk is comprehensive. The attackers gain access to the Keychain, browser cookies, cryptocurrency wallet storage, and saved credentials for services like FileZilla. Beyond simple password changes, victims must assume that their entire digital identity stored on that machine is compromised. The persistence of the Safe Storage key means that even offline decryption of sensitive browser data is possible for the attackers, necessitating a full revocation of all active sessions and stored credentials.

#macos#malware#infostealer#cybersecurity#credential theft

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement