A recent cybersecurity threat has emerged, targeting MacOS users with cryptocurrency wallets exceeding $10,000. Known as notnullOSX, this info-stealer malware employs sophisticated tactics to infiltrate systems, including social engineering through ClickFix and harmful DMG files.
Origins and Evolution of notnullOSX
Initially developed by the coder 0xFFF in 2022, notnullOSX was discussed in underground forums as a potential MacOS threat. Following a controversial exit in 2023, 0xFFF resurfaced under a new identity in 2024, offering a new version of the malware for $400 monthly.
Moonlock Lab researchers identified the first instances of notnullOSX in March 2026 across Vietnam, Taiwan, and Spain. The malware is specifically designed to target victims through a detailed submission form that includes personal and financial information.
Infection Methodologies and Distribution Channels
The infection process begins with a deceptive Google document, prompting users to execute commands via ClickFix or to download a compromised DMG file. Both methods result in the installation of the malware without alerting security systems.
Distribution efforts extend to a phony product page for a wallpaper app, WallSpace, and promotional videos on a hijacked YouTube channel, suggesting the use of paid advertising strategies to reach a broader audience.
Technical Capabilities and User Risks
notnullOSX presents a significant threat by exploiting MacOS’s TCC framework, leading users to unknowingly grant Full Disk Access. This permission allows the malware to access sensitive data such as messages and browser cookies without further alerts.
The malware features a modular design, downloading specific components for various data theft tasks, including iMessage, Apple Notes, and cryptocurrency wallet data. One module, ReplaceApp, can replace legitimate wallet apps with malicious versions to capture sensitive data.
To mitigate these risks, security experts advise blocking known C2 domains, scrutinizing Full Disk Access requests, and monitoring system directories for suspicious files. Users should remain vigilant by avoiding suspicious terminal commands and verifying app permissions regularly.
For ongoing updates on cybersecurity threats, follow us on Google News, LinkedIn, and X, and set us as a preferred source on Google.
