
New notnullOSX Malware Targets High-Value Crypto Wallets on macOS

Severity: High (Score: 66.5)

Sources: hackread.com, Scworld, Gbhackers

Summary

The notnullOSX malware has emerged as a significant threat targeting cryptocurrency wallets with balances exceeding $10,000 in Taiwan, Vietnam, and Spain. The campaign, identified as ClickFix, was reported on March 30, 2026, and uses a fake Google Document and a compromised YouTube channel to distribute the malware. Users are tricked into executing commands in the macOS Terminal that download notnullOSX, which then requires total disk access. The malware's most alarming feature is its ReplaceApp module, which substitutes legitimate Trezor or Ledger Live wallet software with counterfeit versions to steal secret seed phrases in real time. The malware's developer, known as 0xFFF or alh1mik, rejoined a hacking forum earlier this year after a three-year hiatus. The ongoing attacks raise concerns about the security of cryptocurrency assets held by macOS users.

Key Points:

  • notnullOSX targets high-value cryptocurrency wallets on macOS systems.
  • Attackers use deceptive Google Documents and compromised YouTube channels for distribution.
  • The malware can replace legitimate hardware wallet software with counterfeit versions.

Key Entities

  • Malware (attack_type)
  • ClickFix (malware)
  • NotnullOSX (malware)
  • Spain (country)
  • Taiwan (country)
  • Vietnam (country)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • Google Document (platform)
  • MacOS (platform)
  • YouTube (company)
  • WallSpace (tool)