ClickLock Stealer: Paste Once, Lose Everything
ClickLock Stealer is a modular macOS malware targeting users mainly in Europe, North America, and the Middle East. It is distributed via social engineering pages that trick victims into pasting malicious commands into Terminal. The malware deploys components to steal credentials, macOS Keychain data, crypto wallets, and establishes a persistent backdoor. It aggressively locks the system by terminating visible applications except password dialogs to coerce user compliance. Since May 2026, it has compromised at least 100 victims across 33 countries using compromised WordPress sites and Telegram for command and control.
AI Analysis
Technical Summary
ClickLock Stealer is a modular information stealer targeting macOS systems. It is distributed through social engineering via ClickFix pages that convince users to paste malicious commands into Terminal. Upon execution, it installs four main components: a credential stealer, a Keychain stealer focusing on Chrome encryption keys, a crypto wallet harvester covering 31 wallet extensions and desktop wallets, and a persistent backdoor using GSocket. The malware employs an aggressive locker technique that kills all visible applications except password dialogs to force user interaction. It targets data from eight browsers, seven password managers, macOS Keychain, shell history, and cryptocurrency wallets. The campaign has affected at least 100 victims in 33 countries since May 2026, leveraging compromised WordPress domains and Telegram for command and control and data exfiltration.
Potential Impact
The malware compromises sensitive user data including browser credentials, password manager data, macOS Keychain secrets, shell history, and cryptocurrency wallets. The persistent backdoor allows ongoing unauthorized access. The aggressive locker technique disrupts normal system use, potentially coercing users into further compromising actions. The campaign has resulted in at least 100 confirmed infections across multiple regions, indicating active targeting and data theft.
Mitigation Recommendations
No official patch or remediation is available as this is malware distributed via social engineering. Mitigation focuses on user education to avoid pasting untrusted commands into Terminal and monitoring for suspicious activity. Organizations should block known malicious domains and URLs associated with the malware's infrastructure. Endpoint detection and response solutions should be updated to detect the malware components and associated indicators of compromise. Since this is not a vulnerability in software but malware infection, prevention relies on user awareness and network defenses.
Indicators of Compromise
- domain: update-check.com
- hash: 0a1fb016bd10bac5455175c79aa4511e5ff1a330
- hash: 2fc970e25570532f9cbe33b7ebfe1f0383a7341a
- hash: 8dda05168ea8610a2449419a47517bc32823d6ec
- hash: b67aa4f598c0ea625a7409ea7884e10a7bc9c3ff
- hash: d9617710d4ed8e9b87f6fee0b7014c4101effba0
- url: http://panalobet.ph/wp-content/deng.php
- url: https://cottonbox.co.il/wp-content/hbd
- url: https://panalobet.ph/wp-content/deng.php
- url: https://panalobet.ph/wp-content/themes/twentytwenty/assets/fonts/chromer.txt
- url: https://panalobet.ph/wp-content/themes/twentytwenty/assets/images/finderv2.jpg
- url: https://panalobet.ph/wp-content/upgrade/zsh.txt
- url: https://panalobet.ph/wp-content/upgrade/zsh.txt.
- url: https://store.grafsynergy.com/media/apple.png
- url: https://store.grafsynergy.com/media/goyim
- domain: cottonbox.co.il
- domain: panalobet.ph
- domain: store.grafsynergy.com
ClickLock Stealer: Paste Once, Lose Everything
Description
ClickLock Stealer is a modular macOS malware targeting users mainly in Europe, North America, and the Middle East. It is distributed via social engineering pages that trick victims into pasting malicious commands into Terminal. The malware deploys components to steal credentials, macOS Keychain data, crypto wallets, and establishes a persistent backdoor. It aggressively locks the system by terminating visible applications except password dialogs to coerce user compliance. Since May 2026, it has compromised at least 100 victims across 33 countries using compromised WordPress sites and Telegram for command and control.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
ClickLock Stealer is a modular information stealer targeting macOS systems. It is distributed through social engineering via ClickFix pages that convince users to paste malicious commands into Terminal. Upon execution, it installs four main components: a credential stealer, a Keychain stealer focusing on Chrome encryption keys, a crypto wallet harvester covering 31 wallet extensions and desktop wallets, and a persistent backdoor using GSocket. The malware employs an aggressive locker technique that kills all visible applications except password dialogs to force user interaction. It targets data from eight browsers, seven password managers, macOS Keychain, shell history, and cryptocurrency wallets. The campaign has affected at least 100 victims in 33 countries since May 2026, leveraging compromised WordPress domains and Telegram for command and control and data exfiltration.
Potential Impact
The malware compromises sensitive user data including browser credentials, password manager data, macOS Keychain secrets, shell history, and cryptocurrency wallets. The persistent backdoor allows ongoing unauthorized access. The aggressive locker technique disrupts normal system use, potentially coercing users into further compromising actions. The campaign has resulted in at least 100 confirmed infections across multiple regions, indicating active targeting and data theft.
Mitigation Recommendations
No official patch or remediation is available as this is malware distributed via social engineering. Mitigation focuses on user education to avoid pasting untrusted commands into Terminal and monitoring for suspicious activity. Organizations should block known malicious domains and URLs associated with the malware's infrastructure. Endpoint detection and response solutions should be updated to detect the malware components and associated indicators of compromise. Since this is not a vulnerability in software but malware infection, prevention relies on user awareness and network defenses.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.group-ib.com/blog/clicklock-stealer-macos-malware/"]
- Adversary
- ClickLock Dev
- Pulse Id
- 6a58c1a90a160ce1e25e78e7
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainupdate-check.com | — | |
domaincottonbox.co.il | — | |
domainpanalobet.ph | — | |
domainstore.grafsynergy.com | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash0a1fb016bd10bac5455175c79aa4511e5ff1a330 | — | |
hash2fc970e25570532f9cbe33b7ebfe1f0383a7341a | — | |
hash8dda05168ea8610a2449419a47517bc32823d6ec | — | |
hashb67aa4f598c0ea625a7409ea7884e10a7bc9c3ff | — | |
hashd9617710d4ed8e9b87f6fee0b7014c4101effba0 | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://panalobet.ph/wp-content/deng.php | — | |
urlhttps://cottonbox.co.il/wp-content/hbd | — | |
urlhttps://panalobet.ph/wp-content/deng.php | — | |
urlhttps://panalobet.ph/wp-content/themes/twentytwenty/assets/fonts/chromer.txt | — | |
urlhttps://panalobet.ph/wp-content/themes/twentytwenty/assets/images/finderv2.jpg | — | |
urlhttps://panalobet.ph/wp-content/upgrade/zsh.txt | — | |
urlhttps://panalobet.ph/wp-content/upgrade/zsh.txt. | — | |
urlhttps://store.grafsynergy.com/media/apple.png | — | |
urlhttps://store.grafsynergy.com/media/goyim | — |
Threat ID: 6a59782068715ace4305c1b8
Added to database: 07/17/2026, 00:32:32 UTC
Last enriched: 07/17/2026, 00:48:56 UTC
Last updated: 07/17/2026, 03:35:54 UTC
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.