Key Notes
- A new malware named “ModStealer” targets crypto wallets across multiple operating systems.
- It spreads via fake recruiter ads and has remained undetected by major antivirus engines.
- The malware can steal private keys from 56 different browser wallet extensions.
A new cross-platform malware named “ModStealer” actively targets crypto wallets while remaining undetected by major antivirus software.
The malware is reportedly built to steal sensitive data from users on macOS, Windows, and Linux systems. It has been active for nearly a month before its discovery.
On Sept. 11, first detailed by 9to5Mac , an Apple product-focused publication, in a conversation with the Apple device management firm Mosyle, ModStealer spreads through fake job recruiter ads aimed at developers.
This method is a form of deception similar to sophisticated social engineering scams that have recently resulted in massive crypto user losses.
Beyond crypto wallets, the malware also targets credential files, configuration details, and certificates. It uses a heavily obfuscated JavaScript file written with NodeJS to avoid detection by traditional signature-based security tools.
How ModStealer Operates
The malware establishes persistence on macOS by abusing Apple’s launchctl tool, allowing it to run silently in the background as a LaunchAgent. Data is then sent to a remote server located in Finland but tied to infrastructure in Germany, a method likely used to hide the operator’s actual location.
Mosyle’s analysis found that it targets explicitly 56 different browser wallet extensions, including those on Safari, to extract private keys, highlighting the importance of using secure decentralized crypto wallets .
The malware can also capture clipboard data, take screenshots, and execute remote code, giving attackers near-total control over an infected device.
This discovery follows other recent security breaches in the crypto ecosystem. Earlier this week, a widespread NPM supply chain attack attempted to compromise developers using spoofed emails to steal credentials.
That attack aimed to hijack transactions across multiple chains, including Ethereum ETH $4 690 24h volatility: 3.3% Market cap: $566.28 B Vol. 24h: $36.36 B and Solana SOL $240.5 24h volatility: 0.6% Market cap: $130.48 B Vol. 24h: $8.99 B , by swapping crypto addresses.
However, it was largely contained, with attackers stealing only about $1,000, a minor sum compared to other major crypto heists where hackers have successfully laundered and reinvested millions in stolen assets.
Researchers at Mosyle believe ModStealer fits the profile of a “Malware-as-a-Service” (MaaS) operation. This model, increasingly popular with cybercriminals, involves selling ready-made malware to affiliates who may have minimal technical skills.
Mosyle stated the threat is a reminder that signature-based protections alone are not enough and that behaviour-based defences are necessary to stay ahead of new attack vectors.
