
Moonlock Lab uncovers notnullOSX, a macOS crypto stealer targeting users by swapping wallet apps and stealing seed phrases via clones.
Author: Akshat Thakur
Steady attention without excessive speculation.
17th July 2026- Security researchers at Moonlock Lab have flagged notnullOSX, a Go-based macOS stealer built to drain crypto from high-value Mac users.
High Signal Summary For A Quick Glance
The campaign is not random. According to Moonlock, the operators hand-pick targets who hold more than $10,000 in crypto. Then they trick victims into installing the malware by hand.
The attack starts with social engineering, not a software exploit. First, the victim meets one of two lures. Both lead to the same payload.
One path is ClickFix. Here the victim sees a fake error and pastes a base64 command into Terminal. The other path is a malicious DMG that poses as a wallpaper app called WallSpace, promoted through a hijacked YouTube channel.
After the victim runs either lure, a bash installer fetches the main binary. That file is a multi-architecture Mach-O, obfuscated with garble, and weighs about 27 MB. Moonlock first spotted the campaign in the wild on March 30, 2026, with early hits in Vietnam, Taiwan, and Spain.
Next comes the critical step. The malware convinces the user to grant Full Disk Access. As a result, it bypasses Apple’s TCC privacy controls and reaches protected files. You can read the full technical breakdown in the Moonlock Lab report.
The standout lure is a fake protected Google document. When the victim opens it, the page shows an encryption error. It blames the problem on an outdated “Google API Connector.”
Then the document offers a fix. In reality, that fix runs the installer. The lure was first reported by researcher @g0njxa on X, according to Moonlock.
This approach works because it turns the user into the attacker’s tool. Instead of breaking macOS defenses, the operators simply ask the victim to switch them off. So the infection looks like routine troubleshooting.
Once installed, notnullOSX pulls modular components on demand. Each module runs from the /tmp folder and handles one job. The operators load only what they need for each target.
The lineup is broad. For example, CredsGrab collects saved passwords, while BrowserGrab targets browser data. CryptoWalletsGrab hunts wallet files, and Moonlock notes more than 30 wallet extension IDs on the target list.
Other modules reach further. AppleNotesGrab extracts and decompresses the Apple Notes database. TelegramGrab copies the entire tdata session folder. Because that folder holds a live session token, attackers can restore the account elsewhere and skip both the password and two-factor checks.
Finally, the malware sends everything out. It uses a persistent, WebSocket-style channel to a Firebase Realtime Database that serves as the command server. A LaunchAgent keeps the infection alive across reboots. In short, the notnullOSX malware behaves like a remote control toolkit rather than a single smash-and-grab.
The most dangerous module is ReplaceApp. On command, it swaps a real wallet app for a trojanized clone while keeping the original icon. So the fake Ledger Live or Trezor Suite looks identical on the dock.
The trap springs at the next launch. When the user opens the swapped app and enters a seed phrase during setup or recovery, the clone captures it. After that, the attacker controls the funds.
This matters even for hardware wallet owners. Cold storage protects keys at rest, yet it does not protect the moment a user types a seed phrase into a companion app. The notnullOSX malware targets exactly that weak point. That is also why the operators focus on wallets worth more than $10,000, since the payoff justifies the manual effort.
Moonlock ties the tool to a developer who uses the alias alh1mik. That handle reportedly links back to 0xFFF, an actor banned from the XSS forum around 2022 to 2023.
According to the report, the developer resurfaced as alh1mik in August 2024 and pitched a new macOS stealer. That project appears to have become notnullOSX in early 2026. Still, attribution beyond the alias remains unclear.
The threat fits a wider trend. Since 2022, families like Atomic Stealer have pushed macOS crypto theft forward. More recently, researchers flagged MacSync Stealer, SHub, and PamStealer, so the notnullOSX malware joins a crowded and active field.
Key milestones in macOS Infostealer Threat Evolution
One of the first major native macOS infostealers gains rapid threat actor adoption, harvesting browser credentials, Keychain data, and crypto wallet files from Mac users.
Specialized variants explicitly targeting Mac-based crypto users emerge, with improved social-engineering lures and focused theft of wallet files and seed phrases.
Moonlock Lab details a modular Go-based stealer using a fake “Google API Connector” Doc lure, capable of Telegram session theft, Apple Notes harvesting, and wallet app swapping via ReplaceApp.
SlowMist issues a TI Alert on MacSync Stealer, highlighting fake AppleScript password prompts and theft of crypto wallets, browser data, and Keychain from macOS users.
SentinelOne reports a variant impersonating Apple, Google, and Microsoft, adding persistence and backdoor capabilities on top of credential and wallet theft.
Jamf Threat Labs discloses a stealthy Rust-based macOS infostealer using PAM for local password validation and targeting clipboard managers as an initial infection vector.
SlowMist details the ongoing campaign targeting 15+ wallets (Electrum, Ledger Live, Trezor Suite), 223 browser extensions, Apple Keychain, Notes, and Telegram sessions enabling 2FA bypass.
Full attribution efforts, public IOC list release, and expanded coverage expected as more samples and victim reports continue to surface.
The core defense is simple. Never paste a Terminal command you do not understand, and never grant Full Disk Access to fix a strange error.
Beyond that, treat seed phrase prompts with suspicion. If a wallet app suddenly asks you to re-enter your recovery phrase, stop and verify the app first. Because the clone keeps the real icon, the request itself is the clearest warning sign.
The campaign remains active as of mid-2026, so Mac users with meaningful crypto should stay alert. As always, this is not financial advice, but the safest move is to slow down before you click, paste, or approve.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
Volodymyr Pavlenko
@mindinpanic
@Cointelegraph Hijacking telegram sessions as gateway to wallets collapses two threat models people treat separately
🚨 ALERT: SlowMist warns new macOS malware can hijack Telegram sessions and target crypto wallets. https://t.co/vmpGqhtQxh
10:18 AM·Jul 17, 2026
Bella Chen
@BellaChen589448
@Cointelegraph This calls for adequate security for the wallet
🚨 ALERT: SlowMist warns new macOS malware can hijack Telegram sessions and target crypto wallets. https://t.co/vmpGqhtQxh
10:11 AM·Jul 17, 2026
Macro Bombastic
@MacroBombastic
@Cointelegraph Bro, just another reason to ditch Mac and use a cold wallet. Stay safe out there.
🚨 ALERT: SlowMist warns new macOS malware can hijack Telegram sessions and target crypto wallets. https://t.co/vmpGqhtQxh
09:55 AM·Jul 17, 2026
notnullOSX Malware Targets Mac Users With Crypto Wallets
Ostium Vault Exploit Drains $18M in USDC on Arbitrum
EMURGO Confirms SecondFi Hack Leading Cardano Asset-Recovery Push
Robinhood Chain Scam Tokens Vanish From Buyer Wallets
notnullOSX Malware Targets Mac Users With Crypto Wallets
Ostium Vault Exploit Drains $18M in USDC on Arbitrum
EMURGO Confirms SecondFi Hack Leading Cardano Asset-Recovery Push
Robinhood Chain Scam Tokens Vanish From Buyer Wallets