notnullOSX macOS Malware

By Mezo in Mac Malware, Stealers

notnullOSX is a sophisticated information-stealing malware family written in the Go programming language. It is designed to target macOS users, with a strong focus on stealing cryptocurrency and other sensitive data. Threat actors commonly distribute it through deceptive ClickFix campaigns and trojanized DMG installation files. If detected on any device, it should be removed without delay.

How notnullOSX Operates After Infection

Once installed and granted Full Disk Access, notnullOSX can read a large portion of files stored on the system. It maintains communication with a remote command server and downloads separate malicious modules, each built for a specific task.

These temporary components can be used to steal passwords, copy files, gather credentials, and expand the malware's functionality. Because modules are fetched as needed, attackers can continuously adapt the infection after the initial compromise.

Browser and Personal Data Theft Capabilities

notnullOSX heavily targets data stored in major web browsers. Different modules are used to extract specific categories of information from Google Chrome, Mozilla Firefox, and Safari.

The malware is capable of stealing:

  • Saved passwords, cookies, bookmarks, and browsing history
  • Notes stored on the device, Telegram Desktop session data, and up to 500 messages per conversation, including attachments and formatting
  • SSH keys, cloud credentials, API tokens, and configuration files saved in the user's home folder

This stolen information can provide criminals with access to accounts, servers, cloud environments, and development platforms.

Cryptocurrency Wallets Are a Primary Target

A major objective of notnullOSX is cryptocurrency theft. The malware searches for data linked to popular wallet software, including Atomic Wallet, Bitcoin Core, Electrum, Exodus, and Wasabi Wallet.

It also scans browser-based wallet extensions and copies stored information, including encrypted seed phrases. Even encrypted wallet data may later be exploited through password attacks or further social engineering.

App Replacement Feature Increases the Danger

Unlike many traditional stealers, notnullOSX can replace legitimate applications with malicious lookalikes. It may download a fake version of a trusted application, such as wallet software, substitute the original app, and preserve the same icon and appearance.

When launched, the counterfeit application appears normal while secretly harvesting sensitive information such as wallet recovery phrases. This feature can be remotely enabled or disabled and is typically used only when the targeted application already exists on the victim's system.

More Than a Stealer: RAT-Like Behavior

notnullOSX functions more like a Remote Access Trojan (RAT) than a standard infostealer. It keeps a persistent connection to its operators and checks in regularly for commands.

This enables attackers to:

  • Send new instructions after infection
  • Download and execute additional malicious modules
  • Update capabilities or deploy extra payloads
  • Maintain long-term control over compromised systems

Because of this flexibility, infections can evolve over time and become significantly more damaging.

How notnullOSX Is Distributed

The malware is primarily spread through social engineering attacks that manipulate users into installing it themselves. Victims may be shown fake problems, such as a 'protected Google Doc' warning or a damaged macOS application message. They are then instructed to fix the issue through specific steps, a tactic widely known as ClickFix.

Those steps often involve running commands in Terminal or opening malicious DMG files. notnullOSX has also been distributed through fake software websites, fraudulent download portals, hijacked YouTube channels, and bogus applications such as the wallpaper tool 'WallSpace.app'.

Some victims are even guided through manually enabling Full Disk Access, giving the malware broad visibility into the device.
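Because Full Disk Access is the prerequisite for both the file theft described above and the ClickFix guidance that tricks users into granting it, an added defender check (not code from this page or from the malware's authors) is to audit which clients currently hold that permission in the system TCC database. The table layout below is a constructed stand-in that mirrors only the columns the query uses, the allowlist bundle ID is a placeholder, and the sample rows are constructed; on a real host, replace the in-memory database with a connection to the system `TCC.db` (readable only from an admin shell that itself has Full Disk Access).

```python
"""Audit Full Disk Access grants recorded in macOS's TCC database."""
import sqlite3

# Real system database; the live schema has many more columns than the stand-in below.
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"
AUTH_ALLOWED = 2  # auth_value: 0 = denied, 2 = allowed, 3 = limited

# Placeholder allowlist: clients the operator knowingly granted Full Disk Access.
EXPECTED_FDA_CLIENTS = {"com.example.backup-agent"}


def fda_grants(conn):
    """Return (client, kind) pairs that currently hold Full Disk Access."""
    rows = conn.execute(
        "SELECT client, client_type FROM access "
        "WHERE service = ? AND auth_value = ? ORDER BY client",
        (FDA_SERVICE, AUTH_ALLOWED),
    )
    # client_type 0 = bundle identifier, 1 = absolute path to an executable
    return [(client, "path" if ctype == 1 else "bundle") for client, ctype in rows]


def unexpected_fda(conn, allowlist=EXPECTED_FDA_CLIENTS):
    """Grants outside the allowlist: candidates for review and revocation."""
    return [(c, kind) for c, kind in fda_grants(conn) if c not in allowlist]


def constructed_tcc_db():
    """In-memory stand-in for TCC.db populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "client_type INTEGER, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        (FDA_SERVICE, "com.example.backup-agent", 0, 2),          # expected grant
        (FDA_SERVICE, "/Users/victim/Downloads/WallSpace.app/Contents/MacOS/WallSpace", 1, 2),
        (FDA_SERVICE, "com.example.editor", 0, 0),                # FDA denied, not a grant
        ("kTCCServiceCamera", "com.example.chat", 0, 2),          # different service
    ])
    return conn


if __name__ == "__main__":
    db = constructed_tcc_db()  # on a real host: sqlite3.connect(SYSTEM_TCC_DB)
    for client, kind in unexpected_fda(db):
        print(f"REVIEW: unexpected Full Disk Access grant ({kind}): {client}")
```

A path-type grant pointing into a user's Downloads folder, as in the constructed row, is exactly the shape a ClickFix-driven grant takes and should be revoked in System Settings > Privacy & Security > Full Disk Access while the binary is investigated.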

Final Security Assessment

notnullOSX is a highly dangerous macOS threat capable of stealing browser data, cryptocurrency assets, private communications, authentication material, and developer credentials. Its modular design, persistent remote control, and application replacement features make it especially severe. Victims may face account compromise, identity theft, financial loss, and further malware deployment. Immediate removal and a full credential reset are strongly recommended after detection.