Back to Intelligence

ClickLock Stealer: Analyzing macOS Gatekeeper Bypass and Process Termination Attacks

SA
Security Arsenal Team
July 16, 2026
5 min read

The macOS threat landscape continues to mature, with infostealers evolving increasingly sophisticated methods to evade Apple's native protections. The recent emergence of ClickLock Stealer highlights a dangerous shift: the combination of targeted social engineering to bypass Gatekeeper and the active termination of security monitoring processes. For SOC analysts and endpoint defenders, this represents a critical failure point in standard trust architectures. If a threat actor can convince a user to override security controls and then blind the monitoring tools, the endpoint is effectively compromised. This post breaks down the ClickLock attack chain and provides actionable detection logic and hardening steps.

Technical Analysis

Threat Profile: ClickLock Stealer Affected Platform: macOS (Recent versions) Attack Vector: Malicious application bundles (DMG/PKG) Primary Goal: Theft of credentials, cookies, and cryptocurrency wallet data.

Attack Chain Breakdown

  1. Initial Access & Social Engineering: The attack begins with a phishing campaign or malvertising distributing a malicious application file. The file is often unsigned or signed with an ad-hoc signature. Upon execution, macOS Gatekeeper blocks the app.

  2. Bypassing Gatekeeper: ClickLock leverages social engineering prompts (e.g., "To install this update, right-click and open") to trick the user into manually allowing the application to run. This action effectively tells the operating system to trust the binary, bypassing the security check.

  3. Defense Evasion (Process Killing): Once executed, the malware performs a check for running security processes. It specifically targets EDR agents, firewalls, and monitoring tools. The "Process Killing" capability involves spawning shell commands to terminate these processes, severing the telemetry link to the SOC.

  4. Payload Execution: With defenses neutralized, the stealer injects or loads its payload to iterate through browser data (Chrome, Firefox, Brave) and crypto wallets, exfiltrating data to a Command and Control (C2) server.

Exploitation Status

Active exploitation has been confirmed in the wild. This is not a theoretical proof-of-concept; it is a functional campaign targeting macOS users in sectors where high-value credentials are prevalent.

Detection & Response

Defending against ClickLock requires monitoring for two distinct behaviors: the suspicious execution of Gatekeeper-bypassed binaries and the active termination of security-related processes.

SIGMA Rules

YAML
---
title: ClickLock Stealer - macOS Security Process Termination
id: 8a1b2c3d-4e5f-6789-0123-456789abcdef
status: experimental
description: Detects attempts to terminate known macOS security tools or EDR processes using pkill or killall, a behavior observed in ClickLock and similar stealers.
references:
 - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.defense_evasion
 - attack.t1562.001
logsource:
 category: process_creation
 product: macos
detection:
 selection_kill:
   Image|endswith:
     - '/pkill'
     - '/killall'
   CommandLine|contains:
     - 'Little Snitch'
     - 'Lulu'
     - 'BlockBlock'
     - 'KnockKnock'
     - 'Escrow Buddy'
     - 'santa'
     - 'crowdstrike'
     - 'sentinelone'
     - 'carbon black'
 condition: selection_kill
falsepositives:
 - Administrators legitimately troubleshooting security software
level: high
---
title: ClickLock Stealer - Gatekeeper Bypass via Right-Click Open
id: 9b2c3d4e-5f60-7890-1234-567890abcdef
status: experimental
description: Detects execution of applications with the com.apple.quarantine attribute that were launched outside the standard verification path, often via "Open" context menu override.
references:
 - https://attack.mitre.org/techniques/T1204/
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.initial_access
 - attack.t1204.002
logsource:
 category: process_creation
 product: macos
detection:
 selection:
   CommandLine|contains: 'com.apple.quarantine'
   Image|endswith:
     - '/bash'
     - '/sh'
     - '/zsh'
 filter_generic:
   ParentImage|endswith:
     - '/Terminal.app'
     - '/iTerm2'
 condition: selection and not filter_generic
falsepositives:
 - Users manually unzipping or opening legitimate legacy tools
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for process termination events targeting common macOS security daemons and agents.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where DeviceOSType == "MacOS"
| where ProcessCommandLine has_any ("pkill", "killall")
| where ProcessCommandLine has_any ("Little Snitch", "Lulu", "KnockKnock", "BlockBlock", "Santa", "CrowdStrike", "SentinelOne", "Jamf", "alfred")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

Hunt for suspicious processes attempting to kill other processes on the macOS endpoint.

VQL — Velociraptor
-- Hunt for processes attempting to kill security tools
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name IN ('killall', 'pkill', 'kill')
  AND CommandLine =~ '(security|protect|guard|snitch|sentinel|crowd|jamf|santa)'

Remediation Script (Bash)

This script verifies Gatekeeper status and ensures critical security processes are not tampered with.

Bash / Shell
#!/bin/bash

# Check Gatekeeper Status
echo "[+] Checking Gatekeeper status..."
spctl --status

# If Gatekeeper is disabled, enable it
if ! spctl --status | grep -q "assessments enabled"; then
    echo "[!] Gatekeeper is disabled. Enabling..."
    sudo spctl --master-enable
else
    echo "[+] Gatekeeper is active."
fi

echo "[+] Checking for unsigned or quarantined applications in common download folders..."
# Look for apps with quarantine attributes in Downloads
find ~/Downloads -iname "*.app" -exec xattr -l {} \; | grep -i "com.apple.quarantine"

echo "[+] Verifying status of common security daemons..."
# Add your specific EDR or security tool process names here
for proc in "Little Snitch" "LuLu" "Santa" "CrowdStrike" "SentinelOne"; do
  if pgrep -x "$proc" > /dev/null; then
    echo "[+] $proc is running."
  else
    echo "[!] WARNING: $proc is not running or was terminated."
  fi
done

Remediation

  1. Enforce Gatekeeper: Ensure all endpoints are configured with spctl --master-enable. Prevent users from overriding this setting via MDM profiles (Privacy Preferences Policy Control).

  2. Application Whitelisting: Deploy a robust allow-listing solution (such as Santa or Crowdstrike Control) to prevent the execution of unsigned binaries entirely.

  3. User Awareness Campaign: Immediately educate high-risk users on the dangers of bypassing macOS security prompts. The instruction "Right-click and Open" should be treated as a severe security red flag.

  4. Endpoint Hardening: Configure TCC (Transparency, Consent, and Control) policies to restrict accessibility of sensitive data (Keychain, Browser folders) to only signed, verified applications.

  5. Review EDR Tampering Rules: Ensure your EDR solution has "Self-Protection" or "Tamper Protection" enabled to prevent malware from terminating the security agent process.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

mdrthreat-huntingendpoint-detectionsecurity-monitoringmacosstealerclicklockgatekeeper-bypassedr-evasion

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.