In early 2026, a new threat emerged for Mac users as a sophisticated malware named notnullOSX began targeting digital asset holders. Designed to steal cryptocurrency from anyone holding digital assets worth over $10,000, this malware poses a significant risk by masquerading as legitimate software throughout its infection process.
Background and Development of notnullOSX
The origins of this malware trace back to 2023, involving a developer known as 0xFFF who vanished from a notorious hacking forum over fears of investigation by security services. Returning in 2024 under the alias alh1mik, he offered a new macOS stealer, which later materialized as notnullOSX. This malicious software was crafted using the Go programming language and distributed through social engineering, a counterfeit wallpaper app, and a compromised YouTube channel.
Distribution and Targeting Tactics
Moonlock Lab detected notnullOSX on March 30, 2026, across Vietnam, Taiwan, and Spain. The malware’s distribution involves sophisticated layers, including fake Google documents and a hijacked YouTube channel. Operators identify targets by submitting forms detailing users’ wallet addresses and balances, ensuring victims have assets exceeding $10,000 before proceeding.
The initial attack vector is a deceptive Google document, leading victims to believe they need to fix an encryption error caused by an outdated API. Options provided either download the malware through a Terminal command or a disk image masquerading as a wallpaper app. The compromised YouTube account used to lure victims had amassed significant views, indicating a hijacking incident.
Functionality and Risks of notnullOSX
Once installed, notnullOSX operates covertly, extracting information from various applications and browser sessions. It can replace legitimate wallet apps with malicious versions to capture seed phrases, maintaining a connection with the attacker’s server for ongoing instructions. This makes it a persistent threat to macOS users.
The infection chain relies on user trust in Terminal commands. A base64 command decodes into a script fetching a binary from a server, bypassing Apple’s security measures by requiring Full Disk Access. This grants the malware comprehensive access to sensitive data without user prompts.
Preventative Measures Against notnullOSX
To mitigate this threat, users should avoid executing Terminal commands from untrusted sources and be wary of applications requesting Full Disk Access. Regular audits of system folders and monitoring for unusual network activities can also help detect unauthorized activities. Security teams should block suspicious connections and flag unusual file downloads for further investigation.
Staying informed and vigilant is crucial as cyber threats evolve. Follow trusted sources for updates on cybersecurity measures and potential threats.
