Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

ClickLock Stealer: Paste Once, Lose Everything

0
Medium
Published: 07/16/2026 (07/16/2026, 11:34:01 UTC)
Source: AlienVault OTX General

Description

ClickLock Stealer is a modular macOS malware targeting users mainly in Europe, North America, and the Middle East. It is distributed via social engineering pages that trick victims into pasting malicious commands into Terminal. The malware deploys components to steal credentials, macOS Keychain data, crypto wallets, and establishes a persistent backdoor. It aggressively locks the system by terminating visible applications except password dialogs to coerce user compliance. Since May 2026, it has compromised at least 100 victims across 33 countries using compromised WordPress sites and Telegram for command and control.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/17/2026, 00:48:56 UTC

Technical Analysis

ClickLock Stealer is a modular information stealer targeting macOS systems. It is distributed through social engineering via ClickFix pages that convince users to paste malicious commands into Terminal. Upon execution, it installs four main components: a credential stealer, a Keychain stealer focusing on Chrome encryption keys, a crypto wallet harvester covering 31 wallet extensions and desktop wallets, and a persistent backdoor using GSocket. The malware employs an aggressive locker technique that kills all visible applications except password dialogs to force user interaction. It targets data from eight browsers, seven password managers, macOS Keychain, shell history, and cryptocurrency wallets. The campaign has affected at least 100 victims in 33 countries since May 2026, leveraging compromised WordPress domains and Telegram for command and control and data exfiltration.

Potential Impact

The malware compromises sensitive user data including browser credentials, password manager data, macOS Keychain secrets, shell history, and cryptocurrency wallets. The persistent backdoor allows ongoing unauthorized access. The aggressive locker technique disrupts normal system use, potentially coercing users into further compromising actions. The campaign has resulted in at least 100 confirmed infections across multiple regions, indicating active targeting and data theft.

Mitigation Recommendations

No official patch or remediation is available as this is malware distributed via social engineering. Mitigation focuses on user education to avoid pasting untrusted commands into Terminal and monitoring for suspicious activity. Organizations should block known malicious domains and URLs associated with the malware's infrastructure. Endpoint detection and response solutions should be updated to detect the malware components and associated indicators of compromise. Since this is not a vulnerability in software but malware infection, prevention relies on user awareness and network defenses.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.group-ib.com/blog/clicklock-stealer-macos-malware/"]
Adversary
ClickLock Dev
Pulse Id
6a58c1a90a160ce1e25e78e7
Threat Score
null

Indicators of Compromise

Domain

ValueDescriptionCopy
domainupdate-check.com
domaincottonbox.co.il
domainpanalobet.ph
domainstore.grafsynergy.com

Hash

ValueDescriptionCopy
hash0a1fb016bd10bac5455175c79aa4511e5ff1a330
hash2fc970e25570532f9cbe33b7ebfe1f0383a7341a
hash8dda05168ea8610a2449419a47517bc32823d6ec
hashb67aa4f598c0ea625a7409ea7884e10a7bc9c3ff
hashd9617710d4ed8e9b87f6fee0b7014c4101effba0

Url

ValueDescriptionCopy
urlhttp://panalobet.ph/wp-content/deng.php
urlhttps://cottonbox.co.il/wp-content/hbd
urlhttps://panalobet.ph/wp-content/deng.php
urlhttps://panalobet.ph/wp-content/themes/twentytwenty/assets/fonts/chromer.txt
urlhttps://panalobet.ph/wp-content/themes/twentytwenty/assets/images/finderv2.jpg
urlhttps://panalobet.ph/wp-content/upgrade/zsh.txt
urlhttps://panalobet.ph/wp-content/upgrade/zsh.txt.
urlhttps://store.grafsynergy.com/media/apple.png
urlhttps://store.grafsynergy.com/media/goyim

Threat ID: 6a59782068715ace4305c1b8

Added to database: 07/17/2026, 00:32:32 UTC

Last enriched: 07/17/2026, 00:48:56 UTC

Last updated: 07/17/2026, 03:35:54 UTC

Views: 10

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses