Hackers Target High-Value Crypto Holders with New macOS Stealer: notnullOSX
A sophisticated new macOS info-stealer, dubbed notnullOSX, has emerged, specifically targeting cryptocurrency holders with wallets valued at over $10,000. This advanced malware employs a dual-pronged attack strategy, leveraging social engineering through a tool called ClickFix and distributing malicious DMG disk image files to stealthily compromise Apple Mac systems. The highly targeted nature of notnullOSX suggests a deliberate and calculated approach by its operators, who meticulously select their victims before initiating an attack.
The origins of notnullOSX can be traced back to 2022, with a developer known as 0xFFF first discussing a rudimentary macOS stealer on underground forums. Following a contentious departure in 2023, where the developer allegedly faced a fabricated law enforcement tip orchestrated by a competitor, 0xFFF disappeared, leaving dissatisfied customers without refunds. In August 2024, the same individual reappeared under the alias alh1mik, issuing an apology and reopening pre-orders for an updated macOS stealer at a monthly subscription of $400. The development of this new threat, notnullOSX, has now come to fruition by 2026.
Researchers at Moonlock Lab first registered detections of notnullOSX on March 30, 2026, observing infections across Vietnam, Taiwan, and Spain. Their analysis revealed the meticulous planning involved, as attackers are required to complete a submission form detailing the target’s social media profiles, wallet address, and communication history before any attack is launched. A strict minimum wallet threshold of $10,000 is enforced, with any submissions falling below this amount being automatically rejected.
The infection chain begins with a fake, supposedly protected Google document that displays a spurious encryption error. The prompt steers the victim toward one of two actions, both designed to end in installation of the malware. The first uses ClickFix: the victim is instructed to open the Terminal application and paste a base64-encoded command, which silently downloads and executes a remote bash installer script. The second vector is a malicious DMG disk image containing seemingly innocuous files, including a README, an install script, and a Terminal shortcut, all packaged to look legitimate. In either scenario, victims install the malware themselves without triggering any security warnings, which is what makes the social engineering so effective.
To widen distribution further, the attackers created a fake product page for a wallpaper application named WallSpace at wallpapermacos[.]com. The page featured professionally designed screenshots and a prominent free download button. In addition, a dormant YouTube channel, inactive since 2015, was reactivated to promote the fake app. A single promotional video for WallSpace gathered 50,000 views within two weeks, suggesting paid promotion or SEO manipulation.
Inside the Attack: TCC Bypass and Modular Data Theft
What makes notnullOSX particularly potent is its ability to circumvent macOS’s native security features. Under normal circumstances, Apple’s Transparency, Consent, and Control (TCC) framework prompts users with a pop-up notification whenever an application attempts to access sensitive data, such as messages, notes, or browser cookies. However, notnullOSX engineers a workaround by expertly guiding victims into manually granting Full Disk Access within System Settings. This single permission grants the malware access to all protected data categories without requiring any further user interaction or dialogs.
The malware operates with a modular architecture, enabling it to download specialized binaries from its command and control (C2) server to execute specific data theft operations. Researchers have identified several confirmed modules, including iMessageGrab, AppleNotesGrab, CryptoWalletsGrab, BrowserGrab, TelegramGrab, CredsGrab, and ReplaceApp. The ReplaceApp module is of particular concern, as it can silently replace legitimate hardware wallet applications, such as Ledger Live, with a trojanized clone. This clone is designed to intercept seed phrases during the setup process, posing a significant risk even to users who rely on hardware wallets.
Beyond its data theft capabilities, notnullOSX maintains a persistent WebSocket connection to a Firebase-hosted C2 server. Over this connection the malware sends regular heartbeats and awaits remote commands, behavior more akin to a remote access trojan than to a one-shot data stealer.
Security teams are advised by Moonlock Lab to block outbound connections to the identified C2 domain, implement alerts for any unrecognized applications being granted Full Disk Access, and monitor the /tmp directory for staged Mach-O binaries. For individual Mac users, especially those engaged with cryptocurrency, essential precautions include refraining from pasting Terminal commands from untrusted sources, treating any application requesting Full Disk Access during installation with extreme suspicion, and regularly checking the ~/Library/LaunchAgents/ directory for unfamiliar entries.
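Two of those checks, flagging Mach-O files staged in a directory such as /tmp and listing LaunchAgent plists whose Label is not on an allow-list, can be made repeatable in a few lines. The script below is an added example, not Moonlock Lab's tooling or code from this article; the staging directory, agent directory, file names and labels built in demo() are constructed sample data.

```python
import os, plistlib, tempfile
from pathlib import Path

# Mach-O magics: thin 32/64-bit in both byte orders, plus fat (universal) headers.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
                b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}   # FAT_MAGIC / FAT_CIGAM

def is_macho(path):
    """True if the first four bytes are a Mach-O/fat header (CAFEBABE also opens Java class files: a lead, not proof)."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False

def find_staged_machos(directory):
    """Recursively list Mach-O binaries under a staging directory such as /tmp."""
    return sorted(os.path.join(r, n) for r, _, fs in os.walk(directory)
                  for n in fs if is_macho(os.path.join(r, n)))

def unknown_launch_agents(agents_dir, known_labels):
    """Parse each LaunchAgent plist; return (file, Label, program) for labels outside the allow-list."""
    findings = []
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(agents_dir, name)
        try:
            with open(path, "rb") as f:
                plist = plistlib.load(f)
        except Exception:  # a plist launchd cannot parse is itself worth a look
            findings.append((path, "<unparseable>", []))
            continue
        label = plist.get("Label", "<no label>")
        if label not in known_labels:
            findings.append((path, label, plist.get("ProgramArguments") or [plist.get("Program", "")]))
    return findings

def demo():
    """Constructed sample: one fake staged binary, one text file, one known and one unknown agent."""
    stage, agents = Path(tempfile.mkdtemp(), "tmp"), Path(tempfile.mkdtemp(), "LaunchAgents")
    stage.mkdir(); agents.mkdir()
    (stage / "grab").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)   # MH_CIGAM_64 as stored on Macs
    (stage / "README").write_text("not a binary\n")                      # negative control
    (agents / "com.example.known.plist").write_bytes(plistlib.dumps({"Label": "com.example.known", "Program": "/usr/bin/true"}))
    (agents / "com.example.unknown.plist").write_bytes(plistlib.dumps({"Label": "com.example.unknown", "ProgramArguments": ["/Users/Shared/updater"]}))
    hits = [os.path.basename(p) for p in find_staged_machos(stage)]
    flagged = [(lbl, prog) for _p, lbl, prog in unknown_launch_agents(agents, {"com.example.known"})]
    return hits, flagged
```

On a real Mac, point find_staged_machos at /tmp and unknown_launch_agents at ~/Library/LaunchAgents with the labels you already know, and review every hit rather than treating the list as a verdict.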

