Precision Targeting: Deconstructing the notnullOSX macOS Stealer Campaign
A sophisticated new cyber-threat has emerged in the macOS ecosystem, targeting high-net-worth individuals through a highly curated social engineering campaign.
The malware, dubbed notnullOSX, is a Go-based, modular stealer designed specifically to drain cryptocurrency holdings and harvest sensitive developer credentials. Unlike typical mass-distribution malware, this campaign operates with surgical precision, utilizing hijacked social media assets and deceptive “ClickFix” technical lures to bypass traditional user suspicion.
The threat actor behind this operation is believed to be the underground developer known as 0xFFF, who re-emerged in 2024 under the alias “alh1mik.” After a high-profile exit from the XSS cybercrime forum, the developer promised a premium macOS-specific tool; by early 2026, notnullOSX materialized as a highly obfuscated, backdoor-capable implant.
Telemetry from Moonlock Lab first identified active infection patterns on March 30, 2026, with geographic concentrations appearing in Vietnam, Taiwan, and Spain. The campaign is notably selective: operators utilize an affiliate panel to pre-screen victims, only deploying the payload against targets whose cryptocurrency wallets are verified to hold upwards of $10,000 USD. This manual vetting process transforms the campaign from a wide-net phishing attempt into a dedicated spear-phishing operation targeting the “whale” demographic.
Initial Access: Exploiting User Trust via “ClickFix”
The infection vector relies heavily on psychological manipulation, specifically targeting the perceived technical competence of macOS users. The attack chain typically initiates through one of two sophisticated paths:
1. The Google Doc “API Error” Loop: Victims encounter a fraudulent “protected” Google Document that simulates an encryption error or a “Google API Connector” failure. To “fix” the issue, the user is presented with two options, both ultimately leading to the same malicious payload. One path utilizes a ClickFix method: the user is prompted to copy and run a Base64-encoded Terminal command. When decoded, this command is a curl one-liner that fetches a remote bash installer. This script subsequently downloads a Mach-O binary, strips the macOS Gatekeeper quarantine attributes, wraps the payload in a disguised .app bundle, and establishes persistence via a LaunchAgent.

2. Malicious DMG Distribution: The second path involves a weaponized Disk Image (.dmg) masquerading as a legitimate utility. This image contains a heavily obfuscated Install.sh script. To lower the barrier of entry, the DMG includes a Terminal alias that launches the command line environment automatically, guiding the user through the execution process without requiring manual command entry.
Crucially, the attackers do not attempt to exploit the macOS Transparency, Consent, and Control (TCC) framework via software vulnerabilities. Instead, they use social engineering to convince users to manually grant Full Disk Access (FDA) in System Settings. Once granted, the malware gains an unrestricted window into Messages, Notes, Safari data, and local keychain items.
Weaponized Lures: Fake Apps and Hijacked YouTube Channels
To provide a sense of legitimacy, the attackers deploy a fake macOS live wallpaper application called “WallSpace.app.” These applications are hosted on professional-looking domains such as wallpapermacos[.]com. While the websites feature high-quality cinematic screenshots, they are flagged by automated security scanners and cloud-based reputation services as malicious.
To drive traffic to these sites, the threat actors have hijacked legitimate social media infrastructure. Researchers identified a YouTube channel, @wallspacemacos, which had been dormant since 2015. Suddenly, the channel published a video titled “WallSpace – Live Wallpaper for macOS,” which rapidly amassed 50,000 views. By leveraging an older, established account with historical metadata, the attackers bypass the suspicion that typically follows newly created accounts, using the channel’s perceived “age” to build implicit trust with potential victims.
Technical Payload Analysis: Modular Data Exfiltration
Once the notnullOSX implant achieves persistence, it operates as a multi-architecture Mach-O binary. It utilizes a modular architecture, downloading specialized sub-modules on demand from legitimate Content Delivery Networks (CDNs) like Filestack to evade detection. This modularity allows the malware to remain lightweight until specific high-value targets are identified.
The confirmed module library includes:
- CryptoWalletsGrab: Targets desktop wallets (Bitcoin Core, Electrum, Wasabi, Exodus) and browser-based extensions by exfiltrating raw data and
IndexedDBvaults. - CredsGrab: Scours the filesystem for SSH keys and cloud provider configuration files (AWS, Azure, GCP, Kubernetes, Terraform), enabling potential lateral movement within corporate environments.
- ReplaceApp: A highly specialized module designed to perform “binary replacement.” It attempts to swap legitimate hardware wallet management software (such as Ledger Live or Trezor) with trojanized versions to intercept seed phrases during user setup.
- Personal Data Modules: Includes specific modules for iMessage, Apple Notes, Safari Cookies, Telegram, and general browser history/credentials.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
mactest-6b2ab-default-rtdb[.]firebaseio.com |
Domain | Firebase RTDB Command & Control (C2) |
83.217.209[.]88 |
IP | Proxy / VPS Infrastructure |
111[.]90[.]149[.]111 |
IP | ClickFix Installer Server |
wallpapermacos[.]com |
Domain | Malicious WallSpace Lure Domain |
wallspaceapp[.]com |
Domain | Malicious WallSpace Lure Domain |
cdn.filestackcontent[.]com |
Domain | Abused CDN for Module Delivery |