Highlights:
- ModStealer malware targets crypto wallets across Windows, macOS, and Linux systems undetected.
- Attackers spread ModStealer via fake job ads, exploiting Node.js developer environments.
- Experts warn ModStealer poses a major risk to digital assets and wallet security.
Cybersecurity researchers have identified a new infostealer malware designed to target cryptocurrency wallets. The malware can extract private keys and other sensitive information from Windows, Linux, and macOS systems while remaining undetected by major antivirus engines. Mosyle, a security platform specializing in Apple device management, discovered the malware, known as ModStealer, after it evaded detection for several weeks across major antivirus programs.
Advertisement
Researchers uncovered ModStealer, a cross-platform malware that drains crypto from browser wallets.
• It spreads via fake recruiter ads and hides as a background helper.
• Targets wallet extensions, credentials and seed phrases.
• Runs on Windows, Linux, and macOS.A single… pic.twitter.com/XFelomyumM
— Web3 Antivirus (@web3_antivirus) September 12, 2025
Malware Evades Detection Across Systems
According to Mosyle, the malware remained invisible to all major antivirus engines since first appearing on VirusTotal nearly a month ago. Although the company primarily focuses on Mac-based security threats, it warned that ModStealer is capable of infiltrating Windows and Linux-powered systems as well.
There are also indications that ModStealer might have been offered as Malware-as-a-Service. This model allows cybercriminals with limited technical skills to deploy it across multiple platforms using pre-made malicious code. Malware-as-a-Service is an underground business approach in which malicious developers sell or lease malware kits to affiliates. Affiliates typically pay a commission or subscription fee in exchange for access to these ready-to-use malware tools.
ModStealer Malware Threat and How It Spreads
Mosyle’s analysis found that attackers were spreading ModStealer through fake job recruiter ads, mainly targeting developers. The malware is hard to detect because it uses a heavily obfuscated JavaScript file within a Node.js environment.
Developers frequently handle sensitive credentials, access keys, and crypto wallets, which makes them valuable targets for cybercriminals. Node.js environments are commonly used by developers and often have elevated permissions during testing and deployment. This makes them appealing entry points for attackers.
As an infostealer, ModStealer’s primary goal is to exfiltrate data once it reaches a victim’s system. The malware comes preloaded with code that targets at least 56 different browser wallet extensions, including Safari, to steal crypto private keys. It can retrieve clipboard data, capture screens, and remotely execute malicious code. Mosyle warned that this gives attackers nearly complete control over infected devices.
“What makes this discovery so alarming is the stealth with which ModStealer operates. Undetectable malware is a huge problem for signature-based detection since it can quietly go unnoticed without being flagged,” it added. On macOS, ModStealer can integrate with the system’s launchctl tool, a built-in utility that manages background processes. This allows the malware to appear as a legitimate service and automatically run whenever the device starts. Mosyle also found that data taken from victims is sent to a server in Finland, linked to Germany, probably to hide the attackers’ location.
Industry Experts Warn of Serious Risks
Shan Zhang, chief information security officer at SlowMist, a blockchain security company, revealed that ModStealer bypasses mainstream antivirus software and poses a major risk to the digital asset ecosystem. He added that its multi-platform support and stealth execution set it apart from traditional malware. Charles Guillemet, Ledger CTO, disclosed a similar attack targeting a Node Package Manager (npm) developer account to spread malicious code. He warned that such attacks can silently replace wallet addresses during transactions.
Update on the NPM attack: The attack fortunately failed, with almost no victims.🔒
It began with a phishing email from a fake npm support domain that stole credentials and gave attackers access to publish malicious package updates. The injected code targeted web crypto activity,… https://t.co/Ud1SBSJ52v pic.twitter.com/lOik6k7Dkp
— Charles Guillemet (@P3b7_) September 9, 2025
eToro Platform
Best Crypto Exchange
- Over 90 top cryptos to trade
- Regulated by top-tier entities
- User-friendly trading app
- 30+ million users
eToro is a multi-asset investment platform. The value of your investments may go up or down. Your capital is at risk. Don’t invest unless you’re prepared to lose all the money you invest. This is a high-risk investment, and you should not expect to be protected if something goes wrong.
Advertisement
