A new Mac stealer targeting $10K+ crypto wallets

· Published 15/04/2026 16:59 · Modified 15/04/2026 15:58

Essential information

Published
15/04/2026 16:59
Modified
15/04/2026 15:58
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
atomic macos stealer clickfix cryptocurrency theft macos stealer notnullosx poseidon stealer
Tags
2026-04-15 atomic macos stealer clickfix cryptocurrency theft macos stealer notnullosx poseidon stealer
Related entities
15 indicators, 15 observables, 1 intrusion sets (apt), 20 techniques (mitre), 5 malware, 7 others

Description

A sophisticated called emerged in March 2026, developed by threat actor alh1mik (formerly 0xFFF), who returned after a 2023 exit from underground forums. This modular stealer, written in Go, exclusively targets macOS users with cryptocurrency holdings exceeding $10,000. Distribution occurs through social engineering and malicious DMG files disguised as legitimate applications such as WallSpace. The malware employs a modular architecture with specialized components to exfiltrate iMessage history, Apple Notes, browser credentials, Safari cookies, crypto wallet files, SSH keys, and cloud provider credentials. By social-engineering victims into granting Full Disk Access, bypasses macOS TCC protections without triggering permission dialogs. The stealer maintains persistent WebSocket connections to Firebase infrastructure, functioning as both an infostealer and a backdoor with remote module update capabilities.

External references