📃Title: A new Mac stealer targeting $10K+ crypto wallets
📅Date: 2026-04-08
🔗References:
Description
A sophisticated macOS stealer called notnullOSX emerged in March 2026, developed by the threat actor alh1mik (formerly 0xFFF), who returned after leaving underground forums in 2023. The Go-written modular stealer targets only macOS users, and specifically those holding more than $10,000 in cryptocurrency. It is distributed through ClickFix social engineering and through malicious DMG files posing as legitimate applications such as WallSpace (the IoCs below include a lookalike WallSpace site and YouTube channel). Its modules exfiltrate iMessage history, Apple Notes, browser credentials, Safari cookies, crypto wallet files, SSH keys, and cloud provider credentials. Rather than exploiting TCC, notnullOSX social-engineers the victim into granting it Full Disk Access; once that single grant is in place, reads of TCC-protected data such as the Messages database, Notes, and Safari cookies proceed without any further permission dialogs. The stealer keeps a persistent WebSocket connection to Firebase infrastructure and acts as both an infostealer and a backdoor, with the ability to push updated modules remotely.
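Because the whole collection step hinges on one Full Disk Access grant, the first thing a responder wants is a list of which clients hold FDA on the host. The following is an added example (not code from the report or from the malware author) that queries the system-wide TCC database, /Library/Application Support/com.apple.TCC/TCC.db (readable only by root), for FDA grants and flags any client not on an allowlist. It assumes the `access` table columns `service`, `client`, `client_type` and `auth_value`, with service `kTCCServiceSystemPolicyAllFiles` meaning Full Disk Access and `auth_value` 2 meaning allowed. The in-memory database it builds is a constructed stand-in with that layout, and the bundle identifier `com.example.wallspace` is hypothetical.

```python
"""Audit Full Disk Access (FDA) grants recorded in macOS TCC.db.

Added example, not code from the notnullOSX report. Assumes the TCC.db
`access` table columns (service, client, client_type, auth_value); the
in-memory database below is a constructed stand-in with that layout.
"""
import sqlite3
from urllib.parse import quote

FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"   # the TCC service name for FDA
AUTH_ALLOWED = 2                                    # auth_value 2 == allowed
CLIENT_TYPE_NAMES = {0: "bundle-id", 1: "path"}     # client_type encodings in TCC.db
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"


def open_tcc_db(path=SYSTEM_TCC_DB):
    """Open a TCC database read-only; never write to the live one."""
    return sqlite3.connect(f"file:{quote(path)}?mode=ro", uri=True)


def build_sample_db():
    """Constructed in-memory stand-in for TCC.db (subset of its columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, "
        "client_type INTEGER, auth_value INTEGER)"
    )
    rows = [
        (FDA_SERVICE, "com.apple.Terminal", 0, AUTH_ALLOWED),
        (FDA_SERVICE, "/usr/local/bin/backupd", 1, AUTH_ALLOWED),
        # hypothetical bundle id for an app installed from a lookalike DMG
        (FDA_SERVICE, "com.example.wallspace", 0, AUTH_ALLOWED),
        (FDA_SERVICE, "com.example.old-tool", 0, 0),          # denied, not a grant
        ("kTCCServiceAccessibility", "com.example.wallspace", 0, AUTH_ALLOWED),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", rows)
    return conn


def fda_grants(conn):
    """Return [(client, 'bundle-id' | 'path'), ...] for every allowed FDA grant."""
    cur = conn.execute(
        "SELECT client, client_type FROM access "
        "WHERE service = ? AND auth_value = ? ORDER BY client",
        (FDA_SERVICE, AUTH_ALLOWED),
    )
    return [(client, CLIENT_TYPE_NAMES.get(ct, str(ct))) for client, ct in cur]


def unexpected_fda(conn, allowlist):
    """FDA grants whose client is not in the known-good allowlist."""
    return [grant for grant in fda_grants(conn) if grant[0] not in allowlist]


if __name__ == "__main__":
    # On a real host, replace build_sample_db() with open_tcc_db() as root.
    conn = build_sample_db()
    known_good = {"com.apple.Terminal", "/usr/local/bin/backupd"}
    for client, kind in unexpected_fda(conn, known_good):
        print(f"unexpected Full Disk Access grant: {client} ({kind})")
```

A grant to a freshly installed, user-facing "wallpaper" or "utility" app is exactly the pattern this campaign produces; the allowlist should be the set of clients the fleet baseline already holds, not whatever is present on the suspect host.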
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: campaign-analysis
- topic: crypto-related
- target: broad-based
- MY-relevancy: relevant
🔖MISP Galaxies:
- target-information="Spain"
- target-information="Taiwan"
- country="malaysia"
- mitre-attack-pattern=['T1056.001', 'T1539', 'T1036.005', 'T1204.002', 'T1566.002', 'T1119', 'T1005', 'T1140', 'T1555.003', 'T1552.004', 'T1087', 'T1083', 'T1552.001', 'T1041', 'T1059.004', 'T1562.001', 'T1573.002', 'T1543.001', 'T1071.001', 'T1564.001']
MISP event uuid: c4af9327-6041-4a3b-99f2-33c7af75c9ad
Indicator of Compromise (IoCs)
type,value,comment
md5, c4c249ee87fbda08834e5883f8626db1, ''
md5, a1f06c2c83835259998f2d9d518ee2f6, ''
md5, ddf5c959ef9d990152d39c90b5efbfde, ''
md5, 85870d9889492e3df9fbec630bbb5fde, ''
md5, 48ac3d7ed39152844b8b3112563cfcf7, ''
domain, coockie.pro, ''
ip-dst, 83.217.209.88, ''
sha256, 4584d02b5193799453766857dba97021f966b9cbf6033d7dd3a33d61eb975a6c, 'No sample in VT; last check: 20/04/2026'
sha256, 47373950e1d23c066de0ed2d511b4b7eea56ec22d7b501db265995fec51dbb44, 'No sample in VT; last check: 20/04/2026'
sha256, 82cb3a22c90aee6cfc2f7e7f72e921e21226492c1d424d2b754b9cd763ab0b20, 'No sample in VT; last check: 20/04/2026'
sha256, b73adc5dc04159241e4a89cbc82eaa381f406080f3aaaa1f27d145900dd54267, 'No sample in VT; last check: 20/04/2026'
ip-dst, 111.90.149.111, ''
url, http://wallpapermacos.com/download/, ''
domain, wallpapermacos.com, ''
domain, wallspaceapp.com, ''
hostname, mactest-6b2ab-default-rtdb.firebaseio.com, ''
hostname, cdn.filestackcontent.com, ''
url, https://www.youtube.com/watch?v=nbH5KJGYBHk, ''
url, https://www.youtube.com/@wallspacemacos, ''
url, http://111.90.149.111:8080/installer, 'bash installer script location at Shinjiru IP'
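The table above is in a plain `type,value,comment` layout that is easy to consume directly. The following added example (not tooling from the report or from Rectifyq) parses that layout, hashes file contents against the md5/sha256 entries, and checks DNS or proxy log lines against the domain, hostname, ip-dst and url entries. The embedded IoC text is a subset of the table above; the log lines are constructed for the demonstration. Hosts match exactly or as a subdomain of an IoC, IPs match as whole tokens, and url IoCs match when the log line contains the URL verbatim.

```python
"""Match a type,value,comment IoC list against files and network log lines.

Added example, not tooling from the notnullOSX report. IOC_CSV is a
subset of the page's own table; SAMPLE_LOG lines are constructed.
"""
import hashlib
import re

IOC_CSV = """type,value,comment
md5, c4c249ee87fbda08834e5883f8626db1, ''
sha256, 4584d02b5193799453766857dba97021f966b9cbf6033d7dd3a33d61eb975a6c, 'No sample in VT'
domain, coockie.pro, ''
domain, wallspaceapp.com, ''
hostname, mactest-6b2ab-default-rtdb.firebaseio.com, ''
ip-dst, 111.90.149.111, ''
url, http://111.90.149.111:8080/installer, 'bash installer script location'
"""

# constructed DNS/proxy log lines, not from any real environment
SAMPLE_LOG = [
    "2026-04-08T10:15:02Z dns query A coockie.pro. from 10.0.0.12",
    "2026-04-08T10:15:03Z proxy CONNECT mactest-6b2ab-default-rtdb.firebaseio.com:443 user=alice",
    "2026-04-08T10:15:04Z proxy GET http://111.90.149.111:8080/installer 200",
    "2026-04-08T10:15:05Z dns query A example.com. from 10.0.0.12",
]

HASH_TYPES = {"md5", "sha256"}
HOST_TYPES = {"domain", "hostname"}


def parse_iocs(text):
    """Return {ioc_type: {value, ...}}; hash and host values are lower-cased."""
    iocs = {}
    for line in text.splitlines()[1:]:            # skip the header row
        if not line.strip():
            continue
        kind, value, _comment = (part.strip() for part in line.split(",", 2))
        if kind in HASH_TYPES or kind in HOST_TYPES:
            value = value.lower()
        iocs.setdefault(kind, set()).add(value)
    return iocs


def match_bytes(iocs, data):
    """Hash file contents and return the (type, digest) IoCs they match."""
    hits = []
    for kind in sorted(HASH_TYPES):
        digest = hashlib.new(kind, data).hexdigest()
        if digest in iocs.get(kind, ()):
            hits.append((kind, digest))
    return hits


def match_file(iocs, path):
    with open(path, "rb") as fh:
        return match_bytes(iocs, fh.read())


# tokens are runs of hostname/IP characters; ':' and '/' act as separators,
# so a URL yields its host (or IP) as a separate token
_TOKEN = re.compile(r"[A-Za-z0-9._\-]+")


def match_log_line(iocs, line):
    """Return the (type, value) network IoCs found in one log line."""
    tokens = [t.strip(".").lower() for t in _TOKEN.findall(line)]
    hits = []
    for kind in sorted(HOST_TYPES):
        for ioc in sorted(iocs.get(kind, ())):
            if any(t == ioc or t.endswith("." + ioc) for t in tokens):
                hits.append((kind, ioc))
    for ioc in sorted(iocs.get("ip-dst", ())):
        if ioc in tokens:
            hits.append(("ip-dst", ioc))
    for ioc in sorted(iocs.get("url", ())):
        if ioc in line:
            hits.append(("url", ioc))
    return hits


def scan_log(iocs, lines):
    """Return [(1-based line number, hits), ...] for lines with at least one hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = match_log_line(iocs, line)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    iocs = parse_iocs(IOC_CSV)
    for number, hits in scan_log(iocs, SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

The subdomain rule matters for the Firebase hostname: a DNS log will show the exact `mactest-6b2ab-default-rtdb.firebaseio.com`, but a looser match on `firebaseio.com` alone would flag every legitimate Firebase-backed app, so keep matching anchored to the specific IoC.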
Full IOCs available in Rectifyq’s MISP