A new Mac stealer targeting $10K+ crypto wallets
notnullOSX is a modular macOS stealer malware discovered in March 2026 that targets users with cryptocurrency holdings over $10,000. Developed by the threat actor alh1mik, it spreads via social engineering campaigns using malicious DMG files disguised as legitimate apps. The malware exfiltrates sensitive data including iMessage history, Apple Notes, browser credentials, Safari cookies, crypto wallet files, SSH keys, and cloud provider credentials. It bypasses macOS privacy protections by tricking victims into granting Full Disk Access without triggering permission dialogs. notnullOSX maintains persistent WebSocket connections to Firebase infrastructure, enabling remote updates and backdoor functionality. No official patch or remediation guidance is currently available. The threat is rated medium severity based on its targeted data theft capabilities and stealth techniques.
AI Analysis
Technical Summary
notnullOSX is a Go-based modular stealer targeting macOS users with significant cryptocurrency assets. It is distributed through ClickFix social engineering and malicious DMG files masquerading as legitimate applications such as WallSpace. The malware's modular design allows it to steal a wide range of sensitive information including messaging history, notes, browser credentials, cookies, crypto wallets, SSH keys, and cloud credentials. It achieves stealth by social-engineering victims to grant Full Disk Access, circumventing macOS TCC protections without user permission prompts. The malware maintains persistent WebSocket connections to Firebase infrastructure, functioning as both an infostealer and a backdoor with remote module update capabilities. There is no known exploit in the wild beyond this campaign, and no vendor advisory or patch is currently available.
Potential Impact
The malware compromises confidentiality by exfiltrating highly sensitive user data, including cryptocurrency wallet files and credentials, potentially leading to theft of digital assets exceeding $10,000. It also exposes personal communications and cloud credentials, increasing the risk of further compromise. The ability to maintain persistent backdoor access and update modules remotely increases the threat's persistence and adaptability. Because the malware bypasses macOS security protections through social engineering rather than a software flaw, detection and prevention are more challenging.
Mitigation Recommendations
No official patch or remediation guidance is currently available for notnullOSX. Mitigation should focus on user education to avoid social engineering attacks, particularly suspicious DMG files and applications masquerading as legitimate software. Restricting Full Disk Access permissions to trusted applications only and monitoring for unusual network connections to Firebase infrastructure may help detect infection. Security teams should use the provided indicators of compromise (hashes, domains, IPs) to identify and block related activity. Patch status is not yet confirmed — check vendor advisories for updates.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://moonlock.com/notorious-hacker-returns-notnullosx-stealer
- Adversary: alh1mik
- Pulse Id: 69dfa7d6ed3496f811a87d22
- Threat Score: null
Threat ID: 69dfb2ea82d89c981f6662d8
Added to database: 4/15/2026, 3:46:50 PM
Last enriched: 4/15/2026, 4:01:55 PM
Last updated: 4/16/2026, 6:17:20 AM