notnullOSX Mac Stealer Targets High-Value Crypto Wallet Holders
Researchers reported a new Go-based macOS stealer and backdoor, notnullOSX, being used in highly targeted campaigns against users believed to hold more than $10,000 in cryptocurrency. The malware has been linked to the developer previously known as 0xFFF, later alh1mik, and was first detected in Vietnam, Taiwan, and Spain. Operators are distributing it through social-engineering lures including fake protected Google Docs, ClickFix terminal-prompt tricks, malicious DMG files, and counterfeit WallSpace wallpaper sites promoted through a likely hijacked YouTube channel.
Once victims are persuaded to grant Full Disk Access, notnullOSX can steal browser credentials, Safari cookies, iMessage data, Apple Notes, Telegram sessions, crypto wallet files, and developer secrets. Researchers said the malware uses a modular architecture, downloads components from cdn.filestackcontent.com, and maintains persistent command-and-control through Firebase Realtime Database using SSE, HTTP POST, heartbeat traffic, and WebSocket-style connectivity. One module, ReplaceApp, appears designed to swap legitimate wallet tools such as Ledger Live or Trezor with trojanized versions to capture seed phrases, giving the operation capabilities closer to a remote access trojan than a conventional smash-and-grab stealer.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers disclose notnullOSX targeting high-value macOS crypto users
On April 8, 2026, Moonlock publicly analyzed notnullOSX as a modular macOS stealer and backdoor aimed at users with more than $10,000 in cryptocurrency holdings. The report described targeted delivery via fake Google Docs, ClickFix prompts, malicious DMG files, and fake WallSpace sites, along with data theft and persistence through Firebase-based command and control.
First detections of notnullOSX recorded in Vietnam, Taiwan, and Spain
Moonlock Lab recorded the first detections of the Go-based notnullOSX macOS stealer on March 30, 2026. The earliest observed activity was in Vietnam, Taiwan, and Spain.
Threat actor re-emerges as alh1mik promising a new exclusive macOS stealer
In 2024, the actor previously known as 0xFFF reportedly resurfaced under the name alh1mik and promised a new exclusive macOS stealer. Moonlock says this effort ultimately materialized as notnullOSX.
0xFFF advertises macOS stealer activity on underground forums
Moonlock traced notnullOSX's lineage to earlier macOS stealer activity by the malware developer known as 0xFFF on underground forums during 2022 and 2023. This establishes the precursor activity behind the later notnullOSX malware family.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Hackers Abuse Fake Wallpaper App and YouTube Channel to Spread notnullOSX Malware
cybersecuritynews.com
Open sourceHigh-value crypto asset theft sought by novel notnullOSX macOS malware | brief | SC Media
scworld.com
Open sourceHackers Use ClickFix and Malicious DMG Files to Deliver notnullOSX on macOS
cybersecuritynews.com
Open sourcenotnullOSX: A new Mac stealer targeting $10K+ crypto wallets
moonlock.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
DigitStealer Malware Targets macOS M2+ Devices and Cryptocurrency Wallets
A new macOS infostealer named **DigitStealer** has been discovered targeting users with Apple M2 or newer devices. The malware is distributed via a fake utility app called `DynamicLake`, which is hosted on a spoofed website. Victims are tricked into dragging a file into Terminal, initiating a largely fileless infection chain that executes malicious code directly in memory, making detection and remediation difficult. DigitStealer employs advanced anti-analysis techniques, including hardware and locale checks, to evade security tools and avoid infecting virtual machines or systems outside its target region. The malware demonstrates a high level of sophistication by hijacking legitimate cryptocurrency wallet software such as *Ledger Live* using JXA (JavaScript for Automation) and communicating with its command-and-control infrastructure via DNS-based channels. Its primary goal is to steal sensitive information, including files, passwords, and browser data, from macOS users. Security researchers warn that DigitStealer's platform-specific targeting and stealthy operation pose significant new challenges for defenders, especially as it remains undetected by many traditional antivirus solutions.
Mar 21, 2026
Atomic macOS Stealer expands via Telegram MaaS and ClickFix social engineering
**Atomic macOS Stealer (AMOS)** has emerged as a leading macOS infostealer sold as a malware-as-a-service offering on Telegram and used in campaigns that rely heavily on social engineering rather than exploits. Researchers found the Golang-based malware distributed in forms including malicious DMG installers and ClickFix-style lures that trick users into running Terminal commands, after which it captures or validates the victim’s macOS password, steals **Keychain** contents, browser credentials, cookies, autofill data, files, Apple Notes, extension storage, session tokens, system information, and cryptocurrency wallet data, then exfiltrates the results to attacker-controlled infrastructure and, in earlier observed versions, Telegram. Operators have advertised AMOS for **$1,000 per month** alongside add-on services such as a victim panel, crypto tooling, and installer support. Sophos said AMOS accounted for nearly **40%** of its macOS protection updates in 2025 and almost half of recent macOS stealer cases seen by customers, underscoring its scale and persistence. In one investigated intrusion, a bootstrap script fetched from `sphereou[.]com` downloaded a second-stage payload, performed anti-analysis checks, registered with command-and-control, and established persistence through a **LaunchDaemon** after obtaining elevated access. Earlier reporting tied AMOS infrastructure to `amos-malware[.]ru`, with exfiltration observed to `/sendlog`, while newer variants increasingly use AI-themed lures, fake installers, cracked apps, repeated password prompts, and fake Ledger and Trezor modules to broaden credential theft and cryptocurrency targeting.
May 25, 2026
Infostealer Campaigns Expand to macOS and Cross-Platform Platform Abuse
Microsoft reported that infostealer operators have broadened beyond traditional Windows-focused activity to target **macOS** and mixed-platform environments through social engineering, malicious installers, and abuse of trusted services. Since late 2025, researchers observed campaigns delivering **DigitStealer**, **MacSync**, and **Atomic macOS Stealer (AMOS)** via fake software downloads, malicious `.dmg` files, and **ClickFix**-style prompts that trick users into running Terminal commands, leading to theft of browser credentials, cryptocurrency wallet data, Keychain contents, and developer secrets. The company also linked multiple cross-platform and Python-based operations to the trend, including **PXA Stealer**, attributed to Vietnamese-speaking threat actors targeting government and education organizations through phishing, persistence mechanisms, and Telegram-based exfiltration. Separate campaigns used **WhatsApp** to spread **Eternidade Stealer** with worm-like propagation and pushed a fake **Crystal PDF** installer through malvertising and SEO poisoning to capture browser sessions and credentials. Microsoft said the activity increasingly relies on fileless execution, native utilities, obfuscation, **LOLBINs**, and trusted platforms to evade detection, and published Defender XDR detections, hunting queries, indicators of compromise, and mitigation guidance.
May 25, 2026