Close Menu
  • Latest News
    • Market
    • Altcoins
    • Legal and Regulatory
  • Tech
    • Blockchain
    • Security and Privacy
  • Web 3
    • Web3 News
    • NFTs
    • Gaming
  • Learn
    • Education
    • Investments
    • Staking
    • Wallets and Exchanges
  • ICOs
  • Mining
  • Crypto Tools
    • Exchange Tool
  • Shop
What's Hot

Dogecoin Reclaims $0.073 As Meme Traders Look For A Cleaner Rebound

July 16, 2026

U.S., UK move to align rules for tokenized finance across world’s largest financial markets

July 16, 2026

Modular macOS Stealer Uses Kill Loops to Force Password Entry

July 16, 2026
Facebook X (Twitter) Instagram
  • Contact
  • Privacy Policy
  • Terms & Conditions
Facebook X (Twitter) Instagram
CryptoPulseDaily.com
  • Latest News
    • Market
    • Altcoins
    • Legal and Regulatory
  • Tech
    • Blockchain
    • Security and Privacy
  • Web 3
    • Web3 News
    • NFTs
    • Gaming
  • Learn
    • Education
    • Investments
    • Staking
    • Wallets and Exchanges
  • ICOs
  • Mining
  • Crypto Tools
    • Exchange Tool
  • Shop
CryptoPulseDaily.com
Home»Security and Privacy»Modular macOS Stealer Uses Kill Loops to Force Password Entry
Modular macOS Stealer Uses Kill Loops to Force Password Entry
Security and Privacy

Modular macOS Stealer Uses Kill Loops to Force Password Entry

July 16, 2026No Comments3 Mins Read
Share
Facebook Twitter LinkedIn Pinterest Email

A new macOS stealer has been observed pairing the paste-a-command social engineering of a ClickFix lure with a coercion routine that rendered the machine unusable until the victim surrendered their password.

According to new research from Group-IB published on June 16, the malware, dubbed ClickLock Stealer, has hit at least 100 victims across 33 countries in about two months, with more than half in Europe.

The initial sample was uploaded to VirusTotal on June 9 with zero detections.

Read more on macOS ClickFix: Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings

Modular Attack Chain

Execution started when the victim pasted a command into Terminal from what Group-IB assessed was a ClickFix page. An orchestrator script hid the cursor and played a fake Cloudflare progress animation while downloading four components from two compromised WordPress sites.

Two tools handled credential theft. A Keychain stealer queried macOS for the Chrome Safe Storage key, the AES key that decrypts Chrome-stored cookies and passwords offline. A credential module presented a fake password dialog in AppleScript, validating any entered password against the local directory service so only correct ones reached the operator.

A third module hunted for cryptocurrency assets, iterating on more than 30 wallet extensions, including MetaMask and Phantom and extracting encrypted vault fields from LevelDB storage.

The fourth installed GSocket, an open-source reverse-shell tool reused with roughly 80% of its original code, disguised on macOS as an iCloud process.

Forcing the Victim to Comply

If the victim entered the password on first prompt, the operator received it with a system fingerprint. If they canceled, the orchestrator installed two LaunchAgents so both credential modules would be relaunched on the next login.

See also  Quarter of Crypto Tokens in 2022 Linked to Pump-and-Dump

A kill loop then terminated Finder, Dock, browsers, Terminal and Activity Monitor in a tight cycle running for up to 83 hours, while the Keychain module applied the same pattern to force approval of the real macOS Keychain dialog.

A parallel loop killed NotificationCenter for around six hours to suppress Gatekeeper warnings. Exfiltration ran entirely over Telegram, with three bots and no dedicated command-and-control (C2). Modules forged timestamps and deleted themselves, leaving only the GSocket backdoor.

The findings sit alongside a broader shift in the macOS stealer ecosystem. The Atomic macOS Stealer (AMOS) family gained an embedded backdoor in July 2025, and Jamf Threat Labs documented CrashStealer using a signed dropper to clear Gatekeeper earlier this week.

Group-IB urged users to treat any website instructing them to paste a command into Terminal as an attack attempt, and to force-shutdown and boot into Safe Mode rather than enter a password if the desktop suddenly starts killing applications.

Source link

Entry Force Kill Loops macOS Modular Password Stealer
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

Related Posts

Robinhood Chain tokens are reportedly vanishing from wallets causing buyers to lose funds

July 13, 2026

Convicted scammer’s “seized” crypto moves to unknown wallets while in prison as DOJ failed to secure funds

July 13, 2026

One crypto wallet tied to a 20-year-old fraudster processed over $122M before Interpol closed in

July 12, 2026

Relay Protocol Warns of Robinhood Chain Honeypot Coins

July 9, 2026
Add A Comment
Leave A Reply Cancel Reply

Top Posts

3 Bitcoin Mining Pools Wield 69% of Total Hashrate Discovering 301 Blocks in 72 Hours

June 4, 2024

Bitcoin miner MARA takes $1.3B hit after brutal quarter – What’s next?

May 13, 2026

Gemini Sues Bankrupt Lender Genesis, Its Former Partner, Over $1.6B Worth of GBTC

October 29, 2023

Subscribe to Updates

Get the latest creative news From Crypto Daily Pulse directly in your Inbox!

Our mission is to develop a community of people who try to make financially sound decisions. The website strives to educate individuals in making wise choices about Crypto, ICOs, Web3, Blockchain and more.

We're social. Connect with us:

Facebook X (Twitter) Instagram Pinterest YouTube
Top Insights

Dogecoin Reclaims $0.073 As Meme Traders Look For A Cleaner Rebound

July 16, 2026

U.S., UK move to align rules for tokenized finance across world’s largest financial markets

July 16, 2026

Modular macOS Stealer Uses Kill Loops to Force Password Entry

July 16, 2026
Get Informed

Subscribe to Updates

Get the latest creative news From Crypto Daily Pulse directly in your Inbox!

  • Contact
  • Privacy Policy
  • Terms & Conditions
© 2026 Crypto Pulse Daily - All rights reserved.

Type above and press Enter to search. Press Esc to cancel.

Cleantalk Pixel
  • bitcoinBitcoin(BTC)$64,552.00-1.27%
  • ethereumEthereum(ETH)$1,882.19-2.42%
  • tetherTether(USDT)$1.000.01%
  • binancecoinBNB(BNB)$579.38-0.29%
  • usd-coinUSDC(USDC)$1.000.01%
  • rippleXRP(XRP)$1.11-0.92%
  • solanaSolana(SOL)$76.54-1.95%
  • tronTRON(TRX)$0.323128-1.24%
  • Figure HelocFigure Heloc(FIGR_HELOC)$1.040.09%
  • HyperliquidHyperliquid(HYPE)$65.95-3.54%