A new macOS malware dubbed notnullOSX has emerged in early 2026, specifically designed to pilfer cryptocurrency from Mac users holding digital assets exceeding $10,000. This sophisticated threat operates with meticulous precision, aiming to appear entirely legitimate throughout its infiltration process, posing a significant risk to unsuspecting users.
Researchers at Moonlock Lab first observed notnullOSX on March 30, 2026, with initial detections reported in Vietnam, Taiwan, and Spain. Their analysis points to a multi-stage distribution strategy that cunningly combines fabricated Google documents, a polished fake wallpaper website, and a compromised YouTube channel to ensnare its targets. The operation is notably precise; before a victim is approached, the attackers reportedly fill out a submission form that details the target’s wallet address, social media presence, and crucially, their wallet balance, with a stated minimum threshold of $10,000 for any submission to be processed.
The Infection Chain of notnullOSX Malware
The infection process begins with the victim receiving a seemingly legitimate “protected” Google document. Upon opening it, a fraudulent interface appears, citing an encryption error attributed to an outdated “Google API Connector.” Two options are presented to resolve the issue, and both lead to the same malware installation. One pathway, labeled ClickFix, instructs the user to paste a command into Terminal. Executing this command silently downloads and deploys the notnullOSX malware in the background.
The second distribution method involves a fake disk image file named WallSpace.app, masquerading as a genuine macOS live wallpaper application. Traffic to the malicious WallSpace website is reportedly driven by a YouTube channel, originally created in 2015. Within a mere two weeks of uploading a single video, this decade-old account, previously with minimal subscribers, garnered tens of thousands of views, suggesting a compromise and its repurposing for malware distribution.
Once successfully installed, notnullOSX operates covertly, steadily extracting data from various sensitive sources. This includes information from iMessages, Apple Notes, Safari cookies, browser passwords, Telegram sessions, and a wide array of cryptocurrency wallets such as Bitcoin Core, Exodus, and Electrum. A particularly alarming component is a module named ReplaceApp, which deceptively replaces legitimate hardware wallet applications like Ledger Live with malicious copies. These clones are designed to intercept seed phrases during the wallet setup process, a tactic that could easily go undetected by users.
Furthermore, the malware maintains a continuous connection to the attacker’s command-and-control server. This persistent link allows the operators to issue fresh instructions to infected machines long after the initial compromise has occurred, enabling ongoing exploitation and adaptation of the attack.
The Mechanics of the ClickFix and WallSpace Distribution
The ClickFix infection path exploits the trust users, particularly developers and cryptocurrency enthusiasts, place in their Terminal application. The base64-encoded command presented to the victim decodes into a curl command that fetches a bash installer script from a remote server. This script then downloads a Mach-O binary, modifies its permissions to make it executable, removes Apple’s Gatekeeper quarantine flag, and establishes a LaunchAgent to ensure automatic execution upon system startup. Following this, the victim is guided to grant Full Disk Access within System Settings, a critical step in the malware’s operation.
Granting Full Disk Access effectively bypasses macOS’s Transparency, Consent, and Control (TCC) framework. This framework typically requires explicit user permission for applications to access sensitive data like Messages, Notes, Safari cookies, and Contacts. With Full Disk Access granted, notnullOSX can silently read all protected folders without triggering any individual pop-up prompts, as the user has inadvertently provided the necessary permissions believing it to be a standard installation requirement.
The DMG pathway, which uses the fake WallSpace app, is similarly deceptive but looks more straightforward from the victim’s viewpoint. Mounting the disk image reveals three files: an installer script, a README file, and a Terminal shortcut. The README walks the user through the installation steps, and the shortcut launches Terminal directly from the mounted volume. The installer script, though large, is plain text; decoding it reveals the same malware implant used in the ClickFix chain.
Moonlock Lab’s analysis confirmed that the malware binary is a 27.74 MB Mach-O file supporting both Apple Silicon and Intel Macs. Upon its discovery, only 10 out of 64 vendors on VirusTotal flagged the binary, indicating that most standard security tools would likely overlook it. The origin of this malware can be traced back to 2023 when a developer known as 0xFFF left an underground hacking forum after believing he was under investigation. He later reappeared in August 2024 under the alias alh1mik, offering a new macOS stealer in exchange for reinstatement, which ultimately materialized as notnullOSX.
Evolving Threats and Defense Strategies
To mitigate the risk posed by notnullOSX and similar emerging macOS threats, users and security teams are advised to adopt stringent security practices. It is paramount to never execute Terminal commands sourced from untrusted origins such as web browsers, document descriptions, or YouTube video links. Any application requesting Full Disk Access during installation should be treated with extreme suspicion, necessitating verification of the developer’s legitimacy before granting such permissions.
Regular auditing of the ~/Library/LaunchAgents/ folder for unfamiliar or unexpected files is also recommended. Security teams should implement measures to block and monitor outbound connections to the domain mactest-6b2ab-default-rtdb[.]firebaseio.com and flag Mach-O binaries downloaded from cdn.filestackcontent[.]com. Additionally, alerts should be generated for any process that calls `xattr -rd com.apple.quarantine` from within a browser or document context. Finally, continuous monitoring of the /tmp directory for transient Mach-O files, particularly those matching naming patterns like SystemInfoGrab, CryptoWalletsGrab, or ReplaceApp, can help detect active infections.
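The hunting steps above, and the persistence step of the ClickFix chain they target (a LaunchAgent pointing at a quarantine-stripped binary dropped under /tmp), as an added example that is not code from Moonlock Lab or the article: it audits a LaunchAgents folder for agents that run from /tmp or reference the reported module names, and flags transient Mach-O files in a temp directory by their magic bytes. The com.wallspace.helper label, the /tmp/.helper path and all sample files are constructed for the dry run; point the two functions at ~/Library/LaunchAgents and /tmp for a real check.

```python
import plistlib
import tempfile
from pathlib import Path

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat/universal magic.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
SUSPECT_NAMES = ("SystemInfoGrab", "CryptoWalletsGrab", "ReplaceApp")  # names from the report
TEMP_PREFIXES = ("/tmp/", "/private/tmp/")

def is_macho(path):
    """True if the file begins with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:  # unreadable, missing, or a directory
        return False

def suspicious_launch_agents(agents_dir):
    """Agent plists whose program runs from /tmp, carries a reported name, or cannot be parsed."""
    hits = []
    for path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            plist = plistlib.loads(path.read_bytes())
        except Exception:
            hits.append(path)  # an agent that does not parse deserves a look too
            continue
        program = str((plist.get("ProgramArguments") or [plist.get("Program") or ""])[0])
        if program.startswith(TEMP_PREFIXES) or any(s in program for s in SUSPECT_NAMES):
            hits.append(path)
    return hits

def transient_machos(tmp_dir):
    """(name, matches_reported_pattern) for every Mach-O file directly under tmp_dir."""
    return sorted((p.name, any(s in p.name for s in SUSPECT_NAMES))
                  for p in Path(tmp_dir).iterdir() if is_macho(p))

def demo():
    """Dry run over constructed sample files (not real malware) in a scratch directory."""
    root = Path(tempfile.mkdtemp())
    agents, tmp = root / "LaunchAgents", root / "tmp"
    agents.mkdir(); tmp.mkdir()
    (agents / "com.vendor.updater.plist").write_bytes(plistlib.dumps(  # hypothetical, benign
        {"ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/updater"]}))
    (agents / "com.wallspace.helper.plist").write_bytes(plistlib.dumps(  # hypothetical, runs from /tmp
        {"ProgramArguments": ["/tmp/.helper", "--daemon"], "RunAtLoad": True}))
    (tmp / "CryptoWalletsGrab").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)  # magic bytes only
    (tmp / "notes.txt").write_text("harmless text\n")  # not Mach-O, must be ignored
    return [p.name for p in suspicious_launch_agents(agents)], transient_machos(tmp)
```

A hit on either check is a lead, not a verdict: confirm by inspecting the plist and the binary (for example its code signature and origin) before removing anything.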