Thursday, April 9, 2026

Moonlock Lab report investigates Go-based modular stealer plaguing macOS users

MacPaw’s Moonlock Lab has investigated the origins, functionality, and distribution of notnullOSX, a new Go-based modular stealer with full backdoor capabilities.


The Lab’s telemetry recorded the first detections of notnullOSX on March 30, 2026. Delivered via ClickFix and malicious DMG files, notnullOSX is built exclusively to drain crypto holdings above $10,000 from macOS users. It exfiltrates iMessage history, Apple Notes, crypto wallet files, browser credentials, and Safari cookies, with a live WebSocket channel back to its command-and-control (C2) server.

The investigation uncovered the developer behind the threat: a hacker formerly known as 0xFFF, who developed another macOS-native stealer before being banned by the community in 2022. In 2026, 0xFFF is back under a new alias with a tool whose functionality far exceeds standard stealer capabilities.

The campaign is currently active and ongoing, targeting users via WallSpace.app — a malicious file masquerading as the legitimate WallSpace wallpaper application, which has a real web presence and a recognizable install flow.

Dennis Sellers
Dennis Sellers is the editor/publisher of Apple World Today. He’s been an “Apple journalist” since 1995 (starting with the first big Apple news site, MacCentral). He loves to read, run, play sports, and watch movies.
