New macOS Malware NotnullOSX Targets High-Value Crypto Wallets


Researchers at Moonlock Lab have analysed a new macOS malware strain, dubbed “notnullOSX,” built to go after cryptocurrency wallets holding more than $10,000 in assets.

Social Engineering Tactics Used by Malware Developers

  • A fake Google Docs notification prompting the victim to update a “Google API Connector”
  • A command the victim is told to paste into Terminal, which installs the malware

Malware Origins and Evolution

The malware’s origins date back to August 2024, when a developer using the handle “alh1mik” appeared on a cybercrime forum promising a powerful tool for the macOS platform.

After a hiatus, alh1mik returned in March 2026 with the modular notnullOSX program, a substantial step up from the earlier builds.

Tactics Employed by Attackers

According to Moonlock Lab, the attackers use several lures, including a fake Google Docs notification telling the victim to update their Google API Connector. The victim is then instructed to paste a command into Terminal and run it; that command, not any exploit, is what installs the malware, so the whole chain rests on the user doing the work.

Once running, the program prompts the victim to grant it Full Disk Access. Because the permission is granted by the user through the normal TCC dialog, no flaw in Apple’s security framework needs to be exploited: with Full Disk Access the malware can quietly read protected data stores, including iMessages, Apple Notes, and Safari credentials.
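The Full Disk Access grant is the pivot point above, so the first thing to check on a suspect Mac is which clients hold it. The following is an added example, not code from Moonlock Lab or from the notnullOSX research: it queries the `access` table of TCC.db for `kTCCServiceSystemPolicyAllFiles` grants and flags any client that is not on an allowlist. The on-disk database path, the service name and the `auth_value`/`client_type` encodings are real macOS TCC details; the allowlist, the sample rows and the `/Users/alice/...` path are constructed for the demo.

```python
"""Audit which clients hold Full Disk Access in a macOS TCC database (added example)."""
import sqlite3
from pathlib import Path

# Real on-disk location of the system-wide TCC database on macOS. Reading it needs root,
# and the reading process (e.g. Terminal) must itself already hold Full Disk Access.
SYSTEM_TCC_DB = Path("/Library/Application Support/com.apple.TCC/TCC.db")

FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"   # TCC service name behind "Full Disk Access"
AUTH_ALLOWED = 2                                   # auth_value: 0 = denied, 2 = allowed
CLIENT_TYPE_NAMES = {0: "bundle-id", 1: "path"}   # client_type: 0 = bundle identifier, 1 = absolute path


def open_tcc_db(db_path=SYSTEM_TCC_DB):
    """Open a TCC database read-only (never write to TCC.db; tccutil is the supported tool)."""
    return sqlite3.connect(f"file:{Path(db_path)}?mode=ro", uri=True)


def fda_grants(conn):
    """Return [(client, client_type), ...] for every client currently granted Full Disk Access."""
    rows = conn.execute(
        "SELECT client, client_type FROM access "
        "WHERE service = ? AND auth_value = ? ORDER BY client",
        (FDA_SERVICE, AUTH_ALLOWED),
    )
    return [(client, ctype) for client, ctype in rows]


def unexpected_fda_grants(conn, allowlist):
    """FDA grants whose client is not in the allowlist (bundle IDs or absolute paths you trust).

    A grant keyed by an absolute path under a user's home directory is the one to look at
    first: a paste-this-into-Terminal install drops an executable there and then asks for
    FDA, whereas legitimate FDA holders are almost always signed app bundles.
    """
    return [(c, t) for c, t in fda_grants(conn) if c not in allowlist]


def build_sample_tcc_db():
    """Constructed in-memory stand-in for TCC.db so the audit runs offline.

    Only the columns this script reads are reproduced; the real `access` table has more.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT NOT NULL, client TEXT NOT NULL, "
        "client_type INTEGER NOT NULL, auth_value INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?)",
        [
            (FDA_SERVICE, "com.apple.Terminal", 0, 2),                  # user granted FDA to Terminal
            (FDA_SERVICE, "/Users/alice/Library/.cache/updater", 1, 2),  # constructed: loose binary in $HOME holding FDA
            (FDA_SERVICE, "com.example.backup-agent", 0, 0),            # constructed: asked for FDA, denied
            ("kTCCServiceMicrophone", "com.example.meetings", 0, 2),    # unrelated service, must be ignored
        ],
    )
    conn.commit()
    return conn


def main():
    conn = build_sample_tcc_db()  # swap for open_tcc_db() on a real Mac, running as root
    for client, ctype in unexpected_fda_grants(conn, {"com.apple.Terminal"}):
        print(f"unexpected Full Disk Access: {client} ({CLIENT_TYPE_NAMES.get(ctype, ctype)})")


if __name__ == "__main__":
    main()
```

On a real machine the allowlist should be built from a clean reference system, and any `client_type` 1 (absolute path) entry deserves a look at the file it names: who signed it, when it appeared, and whether a LaunchAgent or LaunchDaemon plist starts it.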

Persistent Presence and Remote Command Issuance

The operators also distribute a trojanized build of a legitimate application, WallSpace, promoted through a hijacked YouTube channel with a large subscriber base.

Once installed, the malware establishes persistence so that the attackers can issue commands to the infected Mac remotely at any time.

Main Objective: Targeting High-Value Cryptocurrency Assets

The malware’s primary objective is high-value cryptocurrency holdings, particularly funds managed through the desktop companion apps of hardware wallets such as Ledger Live and Trezor. The hardware device itself is not attacked; the target is the software on the Mac that the victim uses alongside it.

To achieve this, the malware uses a feature called ReplaceApp, which swaps the legitimate wallet app for a look-alike so that the attackers can capture the secret seed phrase as the victim types it. A genuine hardware wallet never needs its recovery seed typed into a computer; any desktop app that asks for it, however convincing, is the attack.
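Because ReplaceApp swaps the bundle on disk, the defender’s counterpart is an integrity baseline of the installed wallet app. The block below is an added example, not code from the page, from Moonlock Lab, or from Ledger or Trezor: it hashes every file in an app bundle, keeps the result as a manifest and reports what has changed since the baseline. The `Wallet.app` layout, its file contents and the `helper.dylib` name are constructed for the demo.

```python
"""Baseline-and-verify integrity check for an app bundle on disk (added example)."""
import hashlib
import tempfile
from pathlib import Path


def bundle_manifest(bundle_dir):
    """Map every regular file in the bundle (path relative to the bundle root) to its SHA-256."""
    root = Path(bundle_dir)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Files added, removed or changed since the baseline was taken (each list sorted)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a toy Wallet.app, then swap in a tampered build."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Wallet.app"
        (app / "Contents" / "MacOS").mkdir(parents=True)
        (app / "Contents" / "Info.plist").write_text("<plist><dict/></plist>")
        (app / "Contents" / "MacOS" / "Wallet").write_bytes(b"genuine wallet binary")
        baseline = bundle_manifest(app)  # taken right after a clean install

        # What a ReplaceApp-style swap looks like on disk: the main executable is no longer
        # the one that was baselined and an extra payload appears inside the bundle
        # (both constructed for the demo).
        (app / "Contents" / "MacOS" / "Wallet").write_bytes(b"look-alike wallet binary")
        (app / "Contents" / "Resources").mkdir()
        (app / "Contents" / "Resources" / "helper.dylib").write_bytes(b"payload")
        return diff_manifests(baseline, bundle_manifest(app))


if __name__ == "__main__":
    print(demo())
```

On a real Mac, baseline `/Applications/Ledger Live.app` (or the Trezor app) once after a clean install, store the manifest somewhere the malware cannot rewrite, and re-run the comparison before each use; a wholesale bundle replacement shows up as nearly every path under `modified` or `added`. Pair it with `codesign --verify --deep --strict --verbose=2 "/Applications/Ledger Live.app"`, which checks that the bundle is intact, and `codesign -dv --verbose=4` on the same path, whose `TeamIdentifier` line should match the one recorded from the clean install.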

Future Expansion Anticipated by Researchers

According to Moonlock Lab, notnullOSX represents the culmination of two years of research and development focused on identifying the requirements of the macOS threat landscape.

Although the current build concentrates on high-value targets, the researchers expect the platform to widen its reach, with the same app-replacement approach applied to more wallet software whose look-alikes are convincing enough to pass for the real thing.
