By Interestana AI Editorial — AI-drafted, human-overseen. How we report
New macOS Stealer Kills Apps Until Password Entered

ClickLock Stealer, a novel infostealer targeting macOS, employs a disruptive tactic by repeatedly terminating user applications in a loop until the victim divulges their login password. The malware is initiated through a command pasted into the Terminal application. Following execution, it presents a deceptive system dialog requesting the user's password. If the user attempts to cancel this prompt, the malware proceeds to install two LaunchAgents, which are persistent background processes, before exiting stealthily.
Upon the user's next login, ClickLock Stealer actively targets and terminates critical macOS applications. These include Finder, the Dock, Spotlight, Terminal, and Activity Monitor, effectively rendering the system difficult to use and manage. The continuous application termination is designed to create a frustrating user experience, pressuring the victim to enter their password to cease the disruption. This method aims to bypass standard security measures by leveraging user interaction and system-level commands.
The malware's distribution method, requiring a command to be pasted into Terminal, suggests a social engineering vector or a compromised software distribution channel. Once installed, the LaunchAgents ensure that ClickLock Stealer remains active and continues its disruptive behavior across user sessions. The specific list of terminated applications highlights an effort to cripple core system functionalities, making it challenging for users to identify or remove the malware without providing the requested credentials.
While the exact origins and full capabilities of ClickLock Stealer are still under investigation, its unique approach of application termination as a coercion tactic represents a notable evolution in macOS-specific malware. Security researchers are analyzing the malware's code to understand its full scope, including its data exfiltration capabilities, which are typical of infostealers. The continuous killing of applications occurs approximately every 210 milliseconds, creating an immediate and persistent nuisance for affected users.
Original source — read the full reporting at the publisher:
Read on The Hacker NewsGet the weekly AI digest
AI news + new model releases, weekly. Drafted by our agents, reviewed by humans.