Fake Verification Trap Uses ClickLock to Freeze Macs and Steal Passwords

A fake Cloudflare verification page is being used to lure Mac users into running Terminal commands that can install the ClickLock malware. The threat can then cripple normal macOS operation while repeatedly pushing victims to enter their system password.

The attack relies on social engineering rather than a technical vulnerability to gain access. Users are told to copy and run a command as part of a supposed check that they are not bots, even though legitimate Cloudflare verification does not require opening Terminal.

A Password Prompt Designed to Look Familiar

Once active, ClickLock displays password prompts designed to resemble official macOS dialogs. The fraudulent window includes the user account name and an Apple logo, making the request appear more credible during a system disruption.

The malware seeks to create pressure rather than merely display a deceptive prompt. It repeatedly stops important macOS processes at intervals of roughly 210 milliseconds, leaving the computer close to unusable.

Group-IB said the disruption can continue for more than 83 hours if a victim does not provide their credentials. ClickLock may also reactivate after the computer is restarted, meaning an ordinary reboot may not resolve the issue.

Notifications can be disabled, the Terminal cursor can be hidden, and several system functions can be blocked. These actions make it harder for users to identify suspicious activity while the false password request remains on screen.

Browser Sessions and Crypto Wallet Data Also Targeted

ClickLock is not limited to collecting the macOS login password. It also attempts to access Apple Keychain to unlock Chrome storage containing saved passwords, cookies, and autofill information.

Active login sessions may be exposed along with data stored in browsers. This creates risks beyond a password entered into a fake system dialog, particularly for accounts that remain signed in.

TargetData SoughtExamples
BrowsersPasswords, cookies, bookmarks, history, login sessionsChrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, Chromium
Crypto walletsWallet data from browsers and desktop applicationsBitcoin, Ethereum, Solana, TRON, TON, Stacks

The malware is reported to target Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc, and Chromium in addition to Chrome. It can seek browser information such as stored passwords, cookies, bookmarks, browsing history, and active sessions.

Crypto wallet information stored in browsers and desktop applications is another focus. The listed targets include wallet-related data connected to Bitcoin, Ethereum, Solana, TRON, TON, and Stacks.

Reported Infections Across 33 Countries

BleepingComputer, as cited by Beritasatu.com, reported that ClickLock had infected at least 100 devices in 33 countries since May 2026. When a sample was uploaded to VirusTotal in June 2026, no antivirus engine identified it as malware.

The reported detection gap underscores why the initial lure is important in this attack. A user who runs a command from a fraudulent verification page may unknowingly enable the malware download.

What to Do When a Mac Keeps Requesting a Password

Mac users should not run Terminal commands simply because a website instructs them to do so. A familiar-looking verification screen is not proof that the request is legitimate.

If a Mac suddenly becomes difficult to use and keeps requesting a system password, users should avoid entering their credentials immediately. The device can be forced to shut down with the power button and then started in safe mode for a system check before the password is used again.

Related