Hackers Abuse Fake Wallpaper App and YouTube Channel to Spread notnullOSX Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A new macOS malware called notnullOSX has surfaced in early 2026, specifically built to steal cryptocurrency from Mac users who hold digital assets worth more than $10,000.

The threat is real, active, and carefully constructed to look completely legitimate at every step of its infection process.

The story behind this malware goes back to 2023, when a developer known online as 0xFFF abruptly left a well-known underground hacking forum after being tricked into believing Russian and Ukrainian security services were investigating him.

In August 2024, he returned under a new alias, alh1mik, with an apology and a concrete offer: reinstatement in exchange for a brand-new macOS stealer.

By early 2026, that promise became notnullOSX, a sophisticated stealer written in Go and delivered through social engineering, a fake wallpaper application, and a hijacked YouTube channel.

The malware was built with one goal in mind: draining cryptocurrency holdings above the $10,000 mark from macOS users.

Moonlock Lab researchers identified and recorded the first detections of notnullOSX on March 30, 2026, across three regions: Vietnam, Taiwan, and Spain.

Their telemetry analysis revealed a multi-layered distribution operation that combined fake Google documents, a polished fake wallpaper website, and a stolen YouTube account to reach unsuspecting Mac users.

The targeting is not random. Before a victim is approached, operators manually fill out a submission form identifying the target’s wallet address, social media profiles, and wallet balance.

The panel documentation explicitly states the minimum threshold is $10,000, and submissions below that amount are simply not processed.

The attack starts when a victim receives a fake “protected” Google document. Opening it shows a convincing but fraudulent interface with an encryption error, falsely attributed to an outdated “Google API Connector.”

Two options appear to fix the problem. Both deliver the same malware. One path, called ClickFix, presents a Terminal command that, when pasted and run, silently downloads and installs the malware.

The second path uses a disk image file posing as WallSpace.app, a supposedly legitimate macOS live wallpaper application.

Traffic to the malicious site was driven by a hijacked YouTube channel registered back in 2015 that had accumulated 50,000 views within two weeks of posting a single video.

A decade-old account with minimal subscribers suddenly racking up tens of thousands of views on a single video is a strong signal that the account was compromised and used to push the malware to unsuspecting viewers.

Once installed, notnullOSX operates silently and persistently, extracting data from iMessages, Apple Notes, Safari cookies, browser passwords, Telegram sessions, and a wide range of cryptocurrency wallets including Bitcoin Core, Exodus, and Electrum.

Perhaps most concerning is a module called ReplaceApp, which silently swaps legitimate hardware wallet applications like Ledger Live with malicious clones designed to intercept seed phrases during wallet setup, something many users would never detect.

The implant also maintains a live connection back to the attacker’s server, meaning operators can send fresh instructions to infected machines long after the initial compromise.

How the Infection Chain Works

The ClickFix infection path relies heavily on the trust that developers and crypto users place in their own Terminal application. The base64-encoded command shown to the victim decodes into a curl command that fetches a bash installer script from a remote server.

That script downloads a Mach-O binary, makes it executable, removes Apple’s Gatekeeper quarantine flag, and sets up a LaunchAgent to run automatically on startup.

The victim is then guided through enabling Full Disk Access in System Settings, which is the most critical step in the whole chain.

ClickFix terminal command as seen in the notnullOSX lure (Source – Moonlock)

Granting Full Disk Access bypasses macOS’s TCC (Transparency, Consent, and Control) framework entirely.

This framework normally requires individual permission prompts before any app can read sensitive data such as Messages, Notes, Safari cookies, and Contacts.

Once the victim grants Full Disk Access, the malware sidesteps every one of those individual prompts at once, reading every protected folder without triggering a single pop-up.

The victim willingly hands over the keys because they believe it is a normal installation requirement.

WallSpace fake product page used as a distribution lure (Source – Moonlock)

The DMG path through the fake WallSpace app is equally deceptive but slightly simpler from the victim’s perspective. Mounting the disk image reveals three files: an installer script, a README file, and a Terminal shortcut.

The README walks the victim through the steps while the shortcut opens Terminal automatically from the mounted volume. The installer script, despite being nearly 299 KB, looks like nothing more than a block of plain text.

When that text is decoded, the same malware implant used in the ClickFix chain emerges.

Hijacked YouTube channel hosting the fake WallSpace video (Source – Moonlock)

Moonlock Lab’s analysis confirmed that the malware binary is a 27.74 MB multi-architecture Mach-O file built for both Apple Silicon and Intel Macs.

At the time of discovery, only 10 out of 64 vendors on VirusTotal flagged it, meaning the vast majority of standard detection tools would have missed it entirely.

Users and security teams should take the following steps to protect against notnullOSX and similar threats:

  • Never paste Terminal commands sourced from a browser, a document, or a YouTube video description.
  • Treat any application that requests Full Disk Access during installation as suspicious and verify the developer before granting it.
  • Regularly audit the folder ~/Library/LaunchAgents/ for unfamiliar or unexpected files.
  • Security teams should block and monitor outbound connections to mactest-6b2ab-default-rtdb[.]firebaseio.com and flag Mach-O binaries downloaded from cdn.filestackcontent[.]com.
  • Alert on any process calling xattr -rd com.apple.quarantine from a browser or document context.
  • Check the /tmp directory regularly for short-lived Mach-O files, especially those with names matching patterns like SystemInfoGrab, CryptoWalletsGrab, or ReplaceApp.
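To act on the LaunchAgent and /tmp recommendations above, here is an added audit script (example code written for this article, not Moonlock's tooling): it parses LaunchAgent plists with plistlib, flags launch commands that point at /tmp or at shell download chains, and identifies Mach-O files in a temp directory by their magic bytes. The suspicious-token list and the directory arguments are assumptions; the component names come from the article.

```python
"""Added audit helpers (not Moonlock's or the article's code) for notnullOSX-style
persistence: suspicious LaunchAgent plists and Mach-O files lingering in /tmp."""
import plistlib
from pathlib import Path

# Mach-O magic numbers (32/64-bit, both byte orders) plus fat/universal headers
MACHO_MAGIC = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}
# Tokens a benign LaunchAgent launch command should not contain (assumed list)
SUSPICIOUS_TOKENS = ("/tmp/", "curl", "base64", "xattr", "bash -c", "sh -c")
# Component names the article reports for notnullOSX
KNOWN_NAMES = ("SystemInfoGrab", "CryptoWalletsGrab", "ReplaceApp")

def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O or universal (fat) magic number."""
    try:
        with path.open("rb") as f:
            return f.read(4) in MACHO_MAGIC
    except OSError:
        return False

def audit_launch_agents(agents_dir: Path) -> list[tuple[str, str]]:
    """Return (plist name, reason) for every plist whose launch command looks off."""
    findings = []
    for plist in sorted(agents_dir.glob("*.plist")):
        try:
            with plist.open("rb") as f:
                data = plistlib.load(f)
        except Exception:  # malformed or non-plist file: still worth a look
            findings.append((plist.name, "unparseable plist"))
            continue
        args = data.get("ProgramArguments") or [data.get("Program", "")]
        cmd = " ".join(str(a) for a in args)
        hit = next((t for t in SUSPICIOUS_TOKENS if t in cmd), None)
        if hit:
            findings.append((plist.name, f"launch command contains {hit!r}: {cmd}"))
    return findings

def scan_tmp_for_macho(tmp_dir: Path) -> list[tuple[str, str]]:
    """Return (file name, reason) for Mach-O files in tmp_dir, flagging known names."""
    findings = []
    for p in sorted(tmp_dir.iterdir()):
        if p.is_file() and is_macho(p):
            reason = "Mach-O binary in temp directory"
            if any(n in p.name for n in KNOWN_NAMES):
                reason += " (name matches a notnullOSX component)"
            findings.append((p.name, reason))
    return findings
```

Point the two functions at ~/Library/LaunchAgents and /tmp on the Mac being checked; the script only reads and reports, it removes nothing.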
