Fake Wallpaper App, YouTube Channel Deliver notnullOSX Malware
Key Takeaways A new macOS malware, notnullOSX, is actively targeting Mac users with over $10,000 in cryptocurrency holdings. The threat actor, known as alh1mik (formerly 0xFFF), employs sophisticated...
Key Takeaways
- A new macOS malware, notnullOSX, is actively targeting Mac users with over $10,000 in cryptocurrency holdings.
- The threat actor, known as alh1mik (formerly 0xFFF), employs sophisticated social engineering tactics, including fake Google documents, a deceptive wallpaper app, and a hijacked YouTube channel.
- notnullOSX steals data from various applications, including iMessage, Apple Notes, Safari, Telegram, and multiple crypto wallets, and can even swap legitimate hardware wallet apps with malicious clones.
- The malware bypasses macOS security by tricking users into granting Full Disk Access, allowing it to operate silently and persistently.
- At the time of its discovery, most antivirus solutions failed to detect notnullOSX.
Sophisticated notnullOSX Malware Targets macOS Crypto Holders
A new and highly deceptive macOS malware, dubbed notnullOSX, has emerged in early 2026, specifically engineered to pilfer cryptocurrency from Mac users whose digital assets exceed a value of $10,000. This threat is not theoretical; it is operational, meticulously crafted to appear entirely legitimate throughout its entire infection lifecycle, making it particularly dangerous.
Table Of Content
The Return of a Notorious Hacker
The origins of notnullOSX trace back to 2023, when a developer operating under the online pseudonym 0xFFF abruptly vanished from a prominent underground hacking forum. This sudden departure was reportedly triggered by a elaborate deception, leading 0xFFF to believe he was under investigation by Russian and Ukrainian security services.
In August 2024, the individual resurfaced on the forum, now using the alias alh1mik. He offered an apology to the community and proposed a tangible peace offering: a brand-new macOS stealer, designed to secure his reinstatement. By early 2026, this promise materialized as notnullOSX, a sophisticated stealer written in Go, distributed through cunning social engineering, a fraudulent wallpaper application, and a compromised YouTube channel.
Targeting High-Value Cryptocurrency Wallets
The primary objective of notnullOSX is unequivocally clear: to drain cryptocurrency holdings from macOS users, specifically those with balances exceeding the $10,000 threshold. Researchers at Moonlock Lab first detected and documented notnullOSX on March 30, 2026, observing initial infections across Vietnam, Taiwan, and Spain. Their analysis of telemetry data revealed a multi-pronged distribution strategy, leveraging fake Google documents, a convincingly designed fake wallpaper website, and a hijacked YouTube account to ensnare unsuspecting Mac users.
Crucially, the targeting is not indiscriminate. Before an attack is initiated, operators meticulously complete a submission form, providing the target’s wallet address, social media profiles, and current wallet balance. The malware’s internal documentation explicitly mandates a minimum threshold of $10,000; submissions below this amount are simply disregarded.
The Multi-Layered Infection Chain
The attack typically commences with the victim receiving a deceptive “protected” Google document. Upon opening, a convincing but fraudulent interface appears, displaying an encryption error falsely attributed to an outdated “Google API Connector.” Two purported solutions are presented, both leading to the same malware payload. One option, labeled “ClickFix,” instructs the user to execute a Terminal command. When pasted and run, this command silently downloads and installs the malware. The alternative path involves a fake disk image file named WallSpace.app, cleverly disguised as a legitimate macOS live wallpaper application.
Traffic to the malicious website hosting WallSpace.app was generated by a hijacked YouTube channel, originally registered in 2015. Within two weeks of uploading a single video related to the fake wallpaper app, this compromised channel accumulated an astonishing 50,000 views. This sudden surge in viewership for a decade-old account with minimal prior activity is a strong indicator of compromise, used to push the malware to unsuspecting viewers.
Post-Infection Capabilities and Data Exfiltration
Once installed, notnullOSX operates stealthily and maintains persistence on the compromised system. It proceeds to extract sensitive data from a wide array of applications, including iMessages, Apple Notes, Safari browser cookies and saved passwords, Telegram sessions, and numerous cryptocurrency wallets such as Bitcoin Core, Exodus, and Electrum.
A particularly alarming module within notnullOSX is “ReplaceApp,” which surreptitiously substitutes legitimate hardware wallet applications, like Ledger Live, with malicious clones. These fraudulent applications are designed to intercept seed phrases during wallet setup, a critical security vulnerability that many users may fail to detect. Furthermore, the implant establishes a persistent, live connection to the attacker’s command-and-control server, enabling operators to issue new instructions to infected machines long after the initial compromise.
How notnullOSX Bypasses macOS Security
The “ClickFix” infection vector heavily exploits the trust users, particularly developers and crypto enthusiasts, place in their Terminal application. The base64-encoded command presented to the victim decodes into a curl command, which fetches a bash installer script from a remote server. This script then downloads a Mach-O binary, grants it executable permissions, removes Apple’s Gatekeeper quarantine flag, and configures a LaunchAgent for automatic execution upon startup. Crucially, the victim is then guided through the process of enabling Full Disk Access in System Settings – the most critical step in the entire attack chain.
Granting Full Disk Access effectively bypasses macOS’s Transparency, Consent, and Control (TCC) framework. This framework typically requires explicit individual permission prompts before any application can access sensitive data such as Messages, Notes, Safari cookies, and Contacts. By convincing the victim to grant Full Disk Access, the malware silently circumvents all these individual prompts simultaneously, allowing it to read every protected folder without triggering a single pop-up. Victims unwittingly hand over the “keys” to their system, believing it to be a standard installation requirement.
The DMG path, involving the fake WallSpace app, is equally deceptive but slightly more streamlined from the victim’s perspective. Mounting the disk image reveals three items: an installer script, a README file, and a Terminal shortcut. The README guides the victim through the installation steps, while the shortcut automatically opens Terminal from the mounted volume. The installer script, despite its size of nearly 299 KB, initially appears as plain text. However, when decoded, it reveals the identical malware implant used in the “ClickFix” chain.
Moonlock Lab’s analysis confirmed that the malware binary is a 27.74 MB multi-architecture Mach-O file, compatible with both Apple Silicon and Intel Macs. At the time of its discovery, a concerning statistic emerged: only 10 out of 64 vendors on VirusTotal flagged the malware, indicating that the vast majority of standard detection tools would have failed to identify it.
What You Should Do
- Never paste Terminal commands: Avoid executing Terminal commands copied from browsers, documents, or YouTube video descriptions, regardless of how legitimate they appear.
- Verify Full Disk Access requests: Treat any application that requests Full Disk Access during installation with extreme suspicion. Always verify the developer and the necessity of such extensive permissions before granting them.
- Audit LaunchAgents: Regularly inspect the
~/Library/LaunchAgents/folder for any unfamiliar or unexpected files that could indicate persistent malware. - Network Monitoring (for security teams): Block and monitor outbound connections to
mactest-6b2ab-default-rtdb[.]firebaseio.comand flag Mach-O binaries downloaded fromcdn.filestackcontent[.]com. - Process Monitoring (for security teams): Configure alerts for any process that calls
xattr -rd com.apple.quarantine, especially if initiated from a browser or document context. - Check /tmp directory: Periodically check the
/tmpdirectory for short-lived Mach-O files, particularly those with suspicious names like “SystemInfoGrab,” “CryptoWalletsGrab,” or “ReplaceApp.”
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.