New MacOS Malware Targets Crypto Wallets with ClickFix

New MacOS Malware Targets Crypto Wallets with ClickFix

Posted on By CWS

A recent cybersecurity threat has emerged, targeting MacOS users with cryptocurrency wallets exceeding $10,000. Known as notnullOSX, this info-stealer malware employs sophisticated tactics to infiltrate systems, including social engineering through ClickFix and harmful DMG files.

Origins and Evolution of notnullOSX

Initially developed by the coder 0xFFF in 2022, notnullOSX was discussed in underground forums as a potential MacOS threat. Following a controversial exit in 2023, 0xFFF resurfaced under a new identity in 2024, offering a new version of the malware for $400 monthly.

Moonlock Lab researchers identified the first instances of notnullOSX in March 2026 across Vietnam, Taiwan, and Spain. The malware is specifically designed to target victims through a detailed submission form that includes personal and financial information.

Infection Methodologies and Distribution Channels

The infection process begins with a deceptive Google document, prompting users to execute commands via ClickFix or to download a compromised DMG file. Both methods result in the installation of the malware without alerting security systems.

Distribution efforts extend to a phony product page for a wallpaper app, WallSpace, and promotional videos on a hijacked YouTube channel, suggesting the use of paid advertising strategies to reach a broader audience.

Technical Capabilities and User Risks

notnullOSX presents a significant threat by exploiting MacOS’s TCC framework, leading users to unknowingly grant Full Disk Access. This permission allows the malware to access sensitive data such as messages and browser cookies without further alerts.

The malware features a modular design, downloading specific components for various data theft tasks, including iMessage, Apple Notes, and cryptocurrency wallet data. One module, ReplaceApp, can replace legitimate wallet apps with malicious versions to capture sensitive data.

To mitigate these risks, security experts advise blocking known C2 domains, scrutinizing Full Disk Access requests, and monitoring system directories for suspicious files. Users should remain vigilant by avoiding suspicious terminal commands and verifying app permissions regularly.

For ongoing updates on cybersecurity threats, follow us on Google News, LinkedIn, and X, and set us as a preferred source on Google.

Cyber Security News Tags:, , , , , , , , , , ,

Related Posts

PoC Exploit Released for Remotely Exploitable Oracle E-Business Suite 0-Day Vulnerability PoC Exploit Released for Remotely Exploitable Oracle E-Business Suite 0-Day Vulnerability Cyber Security News
Here’s How to Spot Them Early Here’s How to Spot Them Early Cyber Security News
WaterPlum’s New Malware Threatens VSCode Security WaterPlum’s New Malware Threatens VSCode Security Cyber Security News
BreachLock Named Representative Provider for Penetration Testing as a Service (PTaaS) in New Gartner® Report BreachLock Named Representative Provider for Penetration Testing as a Service (PTaaS) in New Gartner® Report Cyber Security News
CISA Demands Removal of Outdated Network Devices CISA Demands Removal of Outdated Network Devices Cyber Security News
Beware of Weaponized AI Tool Installers That Infect Your Devices With Ransomware Beware of Weaponized AI Tool Installers That Infect Your Devices With Ransomware Cyber Security News