Get free scan and check if your device is infected.
Remove it nowTo use full-featured product, you have to purchase a license for Combo Cleaner. Seven days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.
What is notnullOSX?
notnullOSX is an information stealer written in the Go programming language. It targets macOS users and is used to steal cryptocurrency from victims. Threat actors distribute notnullOSX using a ClickFix technique and infected DMG files. If this malware gets detected on a device, it should be removed as soon as possible.
notnullOSX overview
Once a device is infected and notnullOSX has Full Disk Access, the malware can read most files on the system. It connects to a remote server to download separate components. Each component is stored temporarily and performs a specific task, like stealing passwords or files.
notnullOSX targets sensitive data stored in web browsers (different components target different information). Basically, it can steal saved passwords, cookies, bookmarks, and browsing history from Chrome, Firefox, and Safari. Furthermore, notnullOSX can steal cryptocurrency-related information.
It can gather data from desktop wallet apps like Atomic Wallet, Bitcoin Core, Electrum, Exodus, and Wasabi Wallet. It also looks for crypto wallet browser extensions and copies their stored data, including encrypted seed phrases. Also, notnullOSX targets messages. It can collect up to 500 messages per conversation (including attachments and formatted content).
Moreover, notnullOSX can read all notes saved on the device and steal login session information from the Telegram Desktop application. Additionally, the stealer can harvest details such as SSH keys, cloud account credentials, API tokens, and configuration files stored in the home folder. These can give attackers access to servers, cloud services, and developer tools.
Additional capabilities
In addition to stealing information, notnullOSX can swap real apps with fake ones. It can download a malicious version of a trusted app (like crypto wallet software), replace the original on the system, and keep the same icon. When the user opens it, it looks normal, but it pilfers sensitive data, such as wallet seed phrases. This feature can be turned on or off remotely and is used to target apps that are actually installed on the victim's device.
It is also important to mention that notnullOSX behaves more like a remote administration tool (RAT) than a typical stealer. It keeps a constant connection to its server and checks in regularly. This allows cybercriminals to stay connected and send new commands. The malware can also download and run new modules, allowing threat actors to control and update it after infection.
| Name | notnullOSX stealer |
| Threat Type | Stealer |
| Detection Names | AliCloud (Trojan[downloader]:MacOS/Wacatac.C9nj), Combo Cleaner (Trojan.MAC.Stealer.33), ESET-NOD32 (OSX/Agent.GJ Trojan), Kaspersky (Trojan-Downloader.OSX.Coins.m), Symantec (OSX.Trojan.Gen), Full List (VirusTotal) |
| Symptoms | Stealers are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine. |
| Possible distribution methods | Social engineering, fake applications, bogus errors, infected DMG files, ClickFix |
| Damage | Stolen passwords and banking information, identity theft, monetary loss, possible additional infections. |
| Malware Removal (Windows) |
To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. Download Combo CleanerTo use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com. |
Conclusion
notnullOSX is malware that can access various data on the infected device and download extra tools. Victims of these attacks can experience problems like account hijacking and cryptocurrency and identity theft. It is also possible that notnullOSX may be capable of deploying additional payloads. Additional examples of malware targeting macOS are Ultimate, Miolab, and SHub.
How did notnullOSX infiltrate my device?
notnullOSX is mainly spread through social engineering tactics that trick users into installing it on their devices. Victims are shown fake issues, like a "protected Google Doc" error or a damaged macOS app, and are instructed to "fix" it using provided steps. This method is called ClickFix.
These steps usually involve copying and running a Terminal command or opening a DMG file, which installs the malware. The malware is also delivered via fake software sites (such as wallpaper apps like "WallSpace.app"), hijacked YouTube channels, or trusted-looking download pages.
Some victims are also guided step by step through enabling permissions such as Full Disk Access, which gives the malware broad access to the system.
How to avoid malware?
Download software from trusted sources, such as official websites or verified app stores, and avoid pirated programs, cracks, or unofficial activation tools, as they are often used to spread malware. Be careful with unexpected messages or emails, especially if they contain links or attachments.
Keep your operating system and all installed applications up to date, use reputable security software, and perform regular system scans. Avoid clicking on pop-ups, ads, or links on untrusted websites, and do not allow those sites to send browser notifications. If your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate all threats.
ClickFix-themed document spreading notnullOSX (source: @g0njxa):
Fake WallSpace.app download site distributing the malware (source: moonlock.com):
Instant automatic malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
DOWNLOAD Combo CleanerBy downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.
Quick menu:
Unwanted applications removal:
Remove potentially unwanted applications from your "Applications" folder:
Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX","NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.
DOWNLOAD remover for malware infections
Combo Cleaner checks if your computer is infected with malware. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.
Frequently Asked Questions (FAQ)
My device is infected with notnullOSX malware, should I format my storage device to get rid of it?
This will fully remove notnullOSX, but it will also erase everything stored on the device. Before taking such a drastic step, it is generally recommended to try a reliable anti-malware tool like Combo Cleaner first.
What are the biggest issues that malware can cause?
Malware can perform a range of harmful actions, such as stealing sensitive data, locking files through encryption, or installing additional malicious programs. This can result in serious consequences, including financial damage, identity theft, unauthorized access to accounts or devices, and irreversible loss of data.
What is the purpose of notnullOSX?
The purpose of notnullOSX is to steal sensitive data from infected macOS devices, including passwords, messages, cryptocurrency wallets, and developer credentials.
How did notnullOSX infiltrate my computer?
notnullOSX typically gets on a Mac through social engineering. The user is tricked into running a fake installer, Terminal command, or opening a malicious app (often disguised as a normal tool like a wallpaper app or "fix" for a problem). Its distribution includes using ClickFix.
Will Combo Cleaner protect me from malware?
Yes, Combo Cleaner can find and remove a wide range of threats. However, some more advanced malware may be harder to detect because it can hide within the system. That is why performing a full system scan is strongly recommended.
Share:
Facebook
X.com
LinkedIn
Copy Link
Tomas Meskauskas
Expert security researcher, professional malware analyst
I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.
DonatePCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.
Donate
▼ Show Discussion