New macOS Malware notnullOSX Targets Crypto Wallets Over $10K

The macOS malware notnullOSX targets crypto wallets holding over $10K, using fake apps, Terminal tricks, and backdoors to steal funds and sensitive data.

Cybersecurity researchers at Moonlock Lab have identified a new macOS malware strain, notnullOSX, engineered to drain cryptocurrency wallets. Notably, it uses a submission form to assess a victim’s financial holdings and targets only those with balances exceeding 10,000 USD. The malware was first detected on 30 March 2026, with confirmed activity in Vietnam, Taiwan, and Spain.

The Return of a Notorious Developer

The story behind the malware began with a developer known as 0xFFF, who left a hacking forum in 2023 after a public argument. By August 2024, he returned using the name alh1mik and promised to build a powerful new tool for the macOS platform. By early 2026, he delivered this modular program, which is far more advanced than his earlier work.

Deceptive Tactics and Fake Applications

Moonlock Lab’s investigation reveals that the hackers rely on social engineering to trick people into infecting their own computers. One common method they use is a fake protected Google Document that shows an encryption error, such as claiming a Google API Connector is out of date.

The fake notice (Image: Moonlock)

Users are then told to fix the error by copying a specific command into their Mac’s Terminal, which is the ClickFix lure. Many developers and crypto users work in the Terminal daily, so they are more likely to paste the command without realizing that it installs malware.

Once the command runs, the program asks for Full Disk Access. Researchers noted that granting this permission effectively bypasses Apple’s security framework, allowing the malware to silently read iMessages, Apple Notes, and Safari credentials.

The hackers also created a malicious version of a real app called WallSpace. They promoted it through a hijacked YouTube channel that had been active for ten years, gaining 50,000 views in just two weeks. Once installed, the malware keeps a backdoor open so hackers can send new instructions at any time.

The malicious app (Image: Moonlock)

Targeting High-Value Crypto Assets

The most concerning part is how notnullOSX handles hardware wallets. Further probing revealed a feature called ReplaceApp, which swaps legitimate apps like Ledger Live or Trezor with fake versions. This allows hackers to steal secret seed phrases as the user types them. The malware also targets desktop wallets like Bitcoin Core, Exodus, and MetaMask.
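One defensive check a practitioner can run against the ReplaceApp technique described above, as an added example that is not from the article or the Moonlock report: compare the code-signing identity of an installed wallet app with a baseline recorded from a known-good install. The app path, the Team ID `LEDGERTEAM`, and the `codesign` output samples are constructed placeholders, not the vendors’ real values.

```python
import subprocess

# Baseline of expected code-signing Team IDs recorded from a known-good
# install; the values here are placeholders, not the vendors' real IDs.
EXPECTED_TEAM_IDS = {"/Applications/Ledger Live.app": "LEDGERTEAM"}

def parse_codesign(output: str) -> dict:
    """Parse `codesign -dv --verbose=4` output into a dict; repeated
    keys such as Authority= are joined with ' | '."""
    info = {}
    for line in output.splitlines():
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        info[key] = f"{info[key]} | {value}" if key in info else value
    return info

def check_app(info: dict, expected_team: str) -> tuple:
    """Return (ok, reason). A swapped-in fake typically shows an ad-hoc
    signature, no Team ID, or a Team ID that differs from the baseline."""
    if info.get("Signature") == "adhoc":
        return False, "ad-hoc signature (no Developer ID)"
    team = info.get("TeamIdentifier", "not set")
    if team == "not set":
        return False, "no TeamIdentifier"
    if team != expected_team:
        return False, f"TeamIdentifier {team} != expected {expected_team}"
    if "Developer ID Application" not in info.get("Authority", ""):
        return False, "not signed with a Developer ID certificate"
    return True, "signature matches baseline"

def codesign_info(app_path: str) -> dict:
    # codesign writes its verbose display to stderr (macOS only).
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", app_path],
                          capture_output=True, text=True)
    return parse_codesign(proc.stderr)

# Constructed samples standing in for real codesign output.
GOOD = """Identifier=com.ledger.live
Authority=Developer ID Application: Example Vendor (LEDGERTEAM)
TeamIdentifier=LEDGERTEAM
"""
TAMPERED = """Identifier=com.ledger.live
Signature=adhoc
TeamIdentifier=not set
"""

if __name__ == "__main__":
    for path, team in EXPECTED_TEAM_IDS.items():
        print(path, check_app(codesign_info(path), team))
```

Record the baseline Team ID from a freshly downloaded, verified copy of each wallet app, then rerun the check periodically or from an endpoint agent; any change in signer is a reason to stop using the app until it is reinstalled from the vendor.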

In their final analysis, the team at Moonlock Lab stated that this new version is “the product of someone who spent 2 years paying attention to what the macOS threat landscape required.” This shows that even hardware wallets are not safe if the software managing them is fake. While this threat currently focuses on high-value targets, researchers believe this platform will likely expand in the future.

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.