A new cross-platform malware, dubbed “ModStealer,” has emerged as a significant threat to cryptocurrency wallets, targeting users across macOS, Windows, and Linux systems. Despite its active presence for nearly a month, it has managed to evade detection by major antivirus software, raising concerns among cybersecurity experts.
First reported on September 11 by 9to5Mac, a publication focused on Apple products, ModStealer spreads through deceptive job recruitment ads aimed at developers. This tactic mirrors sophisticated social engineering scams that have previously led to substantial losses for crypto users. In addition to targeting crypto wallets, ModStealer seeks out credential files, configuration details, and certificates, employing a heavily obfuscated JavaScript file written in NodeJS to bypass traditional signature-based security measures.
How ModStealer Operates
The malware establishes persistence on macOS by registering itself as a LaunchAgent through Apple’s launchctl tool, so it is relaunched at login and runs silently in the background. Once installed, it sends stolen data to a remote server located in Finland, which is linked to infrastructure in Germany, a strategy likely designed to obscure the operator’s actual location.
According to an analysis by Mosyle, ModStealer specifically targets 56 different browser wallet extensions, including those on Safari, to extract private keys. This underscores the critical need for users to adopt secure decentralized crypto wallets. Furthermore, the malware has the capability to capture clipboard data, take screenshots, and execute remote code, granting attackers near-total control over an infected device.
This discovery follows a series of recent security breaches within the cryptocurrency ecosystem. Earlier this week, a widespread NPM supply chain attack attempted to compromise developers through spoofed emails aimed at stealing credentials. This attack sought to hijack transactions across multiple chains, including Ethereum and Solana, by swapping crypto addresses. Fortunately, it was largely contained, with attackers managing to steal only about ,000—a relatively minor sum compared to other significant crypto heists where millions in assets have been laundered and reinvested.
Researchers at Mosyle suggest that ModStealer exemplifies a “Malware-as-a-Service” (MaaS) operation, a model that is gaining traction among cybercriminals. This approach involves selling ready-made malware to affiliates who may possess minimal technical expertise. Mosyle emphasizes that this threat serves as a reminder that relying solely on signature-based protections is insufficient; instead, implementing behavior-based defenses is essential to stay ahead of emerging attack vectors.