If you use a Mac and hold cryptocurrency, there is a new threat to watch out for. Malware called notnullOSX is targeting Apple systems. It specifically goes after users whose crypto wallets hold more than ten thousand dollars. The hackers are highly selective, handpicking targets before launching their attacks.
The operation relies on tricking you into handing over complete system control without triggering alarms.
Fake error screens trick you into pasting malicious terminal commands
The attack starts with a fake "protected" Google document. The page shows a fake encryption error and pushes you to fix it. The first method uses a trick called ClickFix: the fake page tells you to open your computer's Terminal and paste a specific command. If you do, a hidden script downloads the malware in the background.
The second method uses a normal-looking disk image file. Hackers even set up a fake website for a wallpaper app to trick people into downloading the file.
The software manipulates you into granting full disk access manually
Apple designed its security framework to stop random apps from reading your private files. However, notnullOSX uses a clever trick. Instead of exploiting a vulnerability, the software walks you through the steps to manually grant it Full Disk Access in System Settings. Once you give it that permission, the malware can read your messages, notes, and browser cookies without asking again.
The hackers built it to download extra tools from a remote server. One tool replaces legitimate wallet software with a fake version designed to steal your passwords.
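The permission the malware coaxes you into granting is recorded in macOS's system TCC database, so one useful check is to list which apps currently hold Full Disk Access and flag any you did not knowingly approve. The script below is an added example, not code from the page or the researchers; it assumes the standard system database path and the `access` table's `auth_value` (macOS 11+) or older `allowed` column, and the bundle IDs in its sample data are constructed.

```python
#!/usr/bin/env python3
"""Audit Full Disk Access grants in the macOS TCC database.

On the Mac to inspect, run:  sudo python3 tcc_fda_audit.py
(Terminal itself needs Full Disk Access, or the database cannot be read.)
Anywhere else, it falls back to a constructed sample database.
"""
import os
import sqlite3
import tempfile

TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"
# Bundle IDs you deliberately approved (constructed list; edit for your machine).
EXPECTED = {"com.apple.Terminal", "com.example.backup-agent"}


def read_fda_rows(db_path=TCC_DB):
    """Return (client, granted) tuples for every Full Disk Access row."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        cols = {r[1] for r in con.execute("PRAGMA table_info(access)")}
        col = "auth_value" if "auth_value" in cols else "allowed"
        rows = con.execute(
            f"SELECT client, {col} FROM access WHERE service = ?", (FDA_SERVICE,)
        ).fetchall()
    finally:
        con.close()
    granted = 2 if col == "auth_value" else 1  # 2 = allowed in the newer schema
    return [(client, value == granted) for client, value in rows]


def unexpected_grants(rows, expected=EXPECTED):
    """Clients holding Full Disk Access that are not on the approved list."""
    return sorted(c for c, granted in rows if granted and c not in expected)


def demo_rows():
    """Build a constructed TCC.db lookalike (subset of the macOS 11+ schema)."""
    path = os.path.join(tempfile.mkdtemp(), "TCC.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, ?)", [
        (FDA_SERVICE, "com.apple.Terminal", 2),
        (FDA_SERVICE, "com.wallpaperapp.helper", 2),   # constructed suspicious grant
        (FDA_SERVICE, "com.example.stale", 0),         # present but denied
        ("kTCCServiceCamera", "com.example.video", 2),  # different permission
    ])
    con.commit()
    con.close()
    return read_fda_rows(path)


if __name__ == "__main__":
    try:
        rows = read_fda_rows()
    except sqlite3.OperationalError:
        rows = demo_rows()
    for client in unexpected_grants(rows):
        print("review Full Disk Access grant:", client)
```

Any app listed that you do not recognise can be revoked in System Settings under Privacy & Security, Full Disk Access.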
A permanent remote backdoor built by a hacker forum user
Unlike basic stealers that grab your data and delete themselves, this one stays active. It keeps an open connection to a remote server, waiting for new commands. The malware behaves more like a long-term backdoor into your computer. Researchers track the creator back to a forum user who started building the software in early 2024.
To stay safe, never paste unknown commands into your Terminal. Remain highly cautious if any new application asks for Full Disk Access during setup, and periodically review which apps already have it.
