Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
SSH Honeypots Fail to Detect Post-Login Attacks, Study Finds
July 6, 2026
Parrot OS 7.3 Released With Security Updates, Optimized Packages
July 6, 2026
T3MP3ST Security Framework Uses AI to Automate 0-Day Vulnerability Discovery
July 5, 2026
Home/Threats/Fake Wallpaper App, YouTube Channel Deliver notnullOSX Malware
Threats

Fake Wallpaper App, YouTube Channel Deliver notnullOSX Malware

Key Takeaways A new macOS malware, notnullOSX, is actively targeting Mac users with over $10,000 in cryptocurrency holdings. The threat actor, known as alh1mik (formerly 0xFFF), employs sophisticated...

Sarah simpson
Sarah simpson
April 23, 2026 5 Min Read
37 0

Key Takeaways

  • A new macOS malware, notnullOSX, is actively targeting Mac users with over $10,000 in cryptocurrency holdings.
  • The threat actor, known as alh1mik (formerly 0xFFF), employs sophisticated social engineering tactics, including fake Google documents, a deceptive wallpaper app, and a hijacked YouTube channel.
  • notnullOSX steals data from various applications, including iMessage, Apple Notes, Safari, Telegram, and multiple crypto wallets, and can even swap legitimate hardware wallet apps with malicious clones.
  • The malware bypasses macOS security by tricking users into granting Full Disk Access, allowing it to operate silently and persistently.
  • At the time of its discovery, most antivirus solutions failed to detect notnullOSX.

Sophisticated notnullOSX Malware Targets macOS Crypto Holders

A new and highly deceptive macOS malware, dubbed notnullOSX, has emerged in early 2026, specifically engineered to pilfer cryptocurrency from Mac users whose digital assets exceed a value of $10,000. This threat is not theoretical; it is operational, meticulously crafted to appear entirely legitimate throughout its entire infection lifecycle, making it particularly dangerous.

Table Of Content

  • Key Takeaways
  • Sophisticated notnullOSX Malware Targets macOS Crypto Holders
  • The Return of a Notorious Hacker
  • Targeting High-Value Cryptocurrency Wallets
  • The Multi-Layered Infection Chain
  • Post-Infection Capabilities and Data Exfiltration
  • How notnullOSX Bypasses macOS Security
  • What You Should Do

The Return of a Notorious Hacker

The origins of notnullOSX trace back to 2023, when a developer operating under the online pseudonym 0xFFF abruptly vanished from a prominent underground hacking forum. This sudden departure was reportedly triggered by a elaborate deception, leading 0xFFF to believe he was under investigation by Russian and Ukrainian security services.

In August 2024, the individual resurfaced on the forum, now using the alias alh1mik. He offered an apology to the community and proposed a tangible peace offering: a brand-new macOS stealer, designed to secure his reinstatement. By early 2026, this promise materialized as notnullOSX, a sophisticated stealer written in Go, distributed through cunning social engineering, a fraudulent wallpaper application, and a compromised YouTube channel.

Targeting High-Value Cryptocurrency Wallets

The primary objective of notnullOSX is unequivocally clear: to drain cryptocurrency holdings from macOS users, specifically those with balances exceeding the $10,000 threshold. Researchers at Moonlock Lab first detected and documented notnullOSX on March 30, 2026, observing initial infections across Vietnam, Taiwan, and Spain. Their analysis of telemetry data revealed a multi-pronged distribution strategy, leveraging fake Google documents, a convincingly designed fake wallpaper website, and a hijacked YouTube account to ensnare unsuspecting Mac users.

Crucially, the targeting is not indiscriminate. Before an attack is initiated, operators meticulously complete a submission form, providing the target’s wallet address, social media profiles, and current wallet balance. The malware’s internal documentation explicitly mandates a minimum threshold of $10,000; submissions below this amount are simply disregarded.

The Multi-Layered Infection Chain

The attack typically commences with the victim receiving a deceptive “protected” Google document. Upon opening, a convincing but fraudulent interface appears, displaying an encryption error falsely attributed to an outdated “Google API Connector.” Two purported solutions are presented, both leading to the same malware payload. One option, labeled “ClickFix,” instructs the user to execute a Terminal command. When pasted and run, this command silently downloads and installs the malware. The alternative path involves a fake disk image file named WallSpace.app, cleverly disguised as a legitimate macOS live wallpaper application.

Traffic to the malicious website hosting WallSpace.app was generated by a hijacked YouTube channel, originally registered in 2015. Within two weeks of uploading a single video related to the fake wallpaper app, this compromised channel accumulated an astonishing 50,000 views. This sudden surge in viewership for a decade-old account with minimal prior activity is a strong indicator of compromise, used to push the malware to unsuspecting viewers.

Post-Infection Capabilities and Data Exfiltration

Once installed, notnullOSX operates stealthily and maintains persistence on the compromised system. It proceeds to extract sensitive data from a wide array of applications, including iMessages, Apple Notes, Safari browser cookies and saved passwords, Telegram sessions, and numerous cryptocurrency wallets such as Bitcoin Core, Exodus, and Electrum.

A particularly alarming module within notnullOSX is “ReplaceApp,” which surreptitiously substitutes legitimate hardware wallet applications, like Ledger Live, with malicious clones. These fraudulent applications are designed to intercept seed phrases during wallet setup, a critical security vulnerability that many users may fail to detect. Furthermore, the implant establishes a persistent, live connection to the attacker’s command-and-control server, enabling operators to issue new instructions to infected machines long after the initial compromise.

How notnullOSX Bypasses macOS Security

The “ClickFix” infection vector heavily exploits the trust users, particularly developers and crypto enthusiasts, place in their Terminal application. The base64-encoded command presented to the victim decodes into a curl command, which fetches a bash installer script from a remote server. This script then downloads a Mach-O binary, grants it executable permissions, removes Apple’s Gatekeeper quarantine flag, and configures a LaunchAgent for automatic execution upon startup. Crucially, the victim is then guided through the process of enabling Full Disk Access in System Settings – the most critical step in the entire attack chain.

Granting Full Disk Access effectively bypasses macOS’s Transparency, Consent, and Control (TCC) framework. This framework typically requires explicit individual permission prompts before any application can access sensitive data such as Messages, Notes, Safari cookies, and Contacts. By convincing the victim to grant Full Disk Access, the malware silently circumvents all these individual prompts simultaneously, allowing it to read every protected folder without triggering a single pop-up. Victims unwittingly hand over the “keys” to their system, believing it to be a standard installation requirement.

The DMG path, involving the fake WallSpace app, is equally deceptive but slightly more streamlined from the victim’s perspective. Mounting the disk image reveals three items: an installer script, a README file, and a Terminal shortcut. The README guides the victim through the installation steps, while the shortcut automatically opens Terminal from the mounted volume. The installer script, despite its size of nearly 299 KB, initially appears as plain text. However, when decoded, it reveals the identical malware implant used in the “ClickFix” chain.

Moonlock Lab’s analysis confirmed that the malware binary is a 27.74 MB multi-architecture Mach-O file, compatible with both Apple Silicon and Intel Macs. At the time of its discovery, a concerning statistic emerged: only 10 out of 64 vendors on VirusTotal flagged the malware, indicating that the vast majority of standard detection tools would have failed to identify it.

What You Should Do

  • Never paste Terminal commands: Avoid executing Terminal commands copied from browsers, documents, or YouTube video descriptions, regardless of how legitimate they appear.
  • Verify Full Disk Access requests: Treat any application that requests Full Disk Access during installation with extreme suspicion. Always verify the developer and the necessity of such extensive permissions before granting them.
  • Audit LaunchAgents: Regularly inspect the ~/Library/LaunchAgents/ folder for any unfamiliar or unexpected files that could indicate persistent malware.
  • Network Monitoring (for security teams): Block and monitor outbound connections to mactest-6b2ab-default-rtdb[.]firebaseio.com and flag Mach-O binaries downloaded from cdn.filestackcontent[.]com.
  • Process Monitoring (for security teams): Configure alerts for any process that calls xattr -rd com.apple.quarantine, especially if initiated from a browser or document context.
  • Check /tmp directory: Periodically check the /tmp directory for short-lived Mach-O files, particularly those with suspicious names like “SystemInfoGrab,” “CryptoWalletsGrab,” or “ReplaceApp.”

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwareSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Fake TradingView AI Agent Site Spreads Needle Stealer Malware

Next Post

Bitwarden CLI Supply Chain Attack Exposes Secrets Via GitHub Actions

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Microsoft Patches Windows 11 OOBE Flaw in Cumulative Update
July 5, 2026
PamStealer Mimics Maccy, Silently Harvests Data
July 4, 2026
Critical FatFs Vulnerabilities Expose Millions of Embedded Devices
July 4, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us