New ModStealer Malware Steals Crypto Keys Across All Systems

- ModStealer malware steals crypto wallet data on macOS, Windows, and Linux systems.
- It primarily spreads through fake recruiter ads using undetected JavaScript code tasks.
- Researchers warn that antivirus tools miss the malware, highlighting the need for new defenses.
A newly discovered malware named ModStealer is targeting crypto users on macOS, Windows, and Linux, threatening wallets and access credentials. Apple-focused security firm Mosyle uncovered the strain after finding it remained undetected by major antivirus engines for nearly a month. According to sources, the malware was uploaded to VirusTotal, an online platform that checks files for malicious content.
Mosyle reported that ModStealer is designed with pre-loaded code capable of extracting private keys, certificates, credential files, and browser-based wallet extensions. The firm discovered targeting logic for multiple wallets, including those installed on Safari and Chromium-based browsers.
The researchers said ModStealer persists on macOS by registering as a background agent. They traced the malware’s server infrastructure to Finland but believe its route passes through Germany to obscure its operators’ location.
Distribution Through Deceptive Recruitment
The analysis revealed that ModStealer is spreading through fake recruiter ads targeting developers. Attackers send job-related tasks embedded with a heavily obfuscated JavaScript file designed to bypass detection. That file contains pre-loaded scripts aimed at 56 browser wallet extensions, including Safari, enabling the theft of keys and sensitive data.
Mosyle confirmed that both Windows and Linux systems are also vulnerable. This makes ModStealer one of the few active threats with a broad cross-platform reach.
The firm stated that ModStealer aligns with the Malware-as-a-Service (MaaS) profile. Under this model, cybercriminals build ready-made infostealer kits and sell them to affiliates who may lack technical skills. This trend has accelerated attacks in 2025, with Jamf reporting a 28% rise in infostealer activity this year.
Mosyle noted, “For security professionals, developers, and end users alike, this serves as a stark reminder that signature-based protections alone are not enough. Continuous monitoring, behavior-based defenses, and awareness of emerging threats are essential to stay ahead of adversaries.”
Expanding Capabilities of Infostealers
ModStealer has several other capabilities besides stealing from wallet extensions. It hijacks the clipboard, substituting copied wallet addresses with ones belonging to the attackers. It also lets the attackers execute remote code, capture the screen, and exfiltrate files.
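The clipboard substitution described above is detectable from the defender's side without any signature: the user's own copy action and a later clipboard read should agree, and a wallet address that changes in between was written by something other than the user. The following example is added here and is not code from the article or from Mosyle; the event model (user copies logged as "user_copy", periodic reads as "poll"), the loose address-format regexes, and all sample addresses and events are constructed for illustration.

```python
"""Detect clipboard address substitution (clipper behaviour) from a sequence
of clipboard events.  Added example; the event model, the loose address
patterns and the sample data are all constructed, not taken from the article.
"""
import re
import subprocess
from typing import Dict, List, Optional, Sequence, Tuple

# Loose format checks only (no checksum validation): enough to tell
# "this looks like an address" apart from ordinary clipboard text.
ADDRESS_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc": re.compile(r"^(bc1[0-9a-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the asset whose address format `text` matches, or None."""
    text = text.strip()
    for asset, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return asset
    return None


def detect_substitutions(events: Sequence[Tuple[str, str]]) -> List[dict]:
    """Walk clipboard events in order and report suspected swaps.

    A swap is: the user last copied an address, and a later poll shows a
    different address that the user never copied.  Non-address text that
    changes (another app wrote to the clipboard) is not reported.
    """
    alerts: List[dict] = []
    last_copied: Optional[str] = None
    for source, text in events:
        text = text.strip()
        if source == "user_copy":
            last_copied = text
            continue
        if source != "poll" or last_copied is None:
            continue
        seen_asset = classify_address(text)
        if seen_asset and text != last_copied and classify_address(last_copied):
            alerts.append({"copied": last_copied, "observed": text, "asset": seen_asset})
    return alerts


def read_clipboard_macos() -> str:
    """Read the current pasteboard with the standard macOS `pbpaste` command.
    A real poller would call this on a timer and feed ("poll", text) events."""
    return subprocess.run(["pbpaste"], capture_output=True, text=True, check=True).stdout


# Constructed sample: the user copies an ETH address; a later poll shows a
# different ETH address the user never copied, which is the swap we want.
ETH_USER = "0x" + "1" * 40
ETH_SWAPPED = "0x" + "2" * 40
BTC_USER = "bc1q" + "0" * 38
SAMPLE_EVENTS = [
    ("user_copy", ETH_USER),
    ("poll", ETH_USER),        # unchanged: fine
    ("poll", ETH_SWAPPED),     # rewritten without a user copy: alert
    ("user_copy", BTC_USER),
    ("poll", BTC_USER),        # unchanged: fine
    ("user_copy", "meeting notes"),
    ("poll", "meeting notes"), # not an address: ignored
]

if __name__ == "__main__":
    for alert in detect_substitutions(SAMPLE_EVENTS):
        print(f"clipboard swap: {alert['asset']} {alert['copied']} -> {alert['observed']}")
```

The check is deliberately narrow: it fires only on address-to-address changes the user did not initiate, so ordinary clipboard traffic from other applications does not generate noise.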
On macOS, the malware leverages LaunchAgents to ensure persistence. This keeps the malicious program running across system reboots, posing a long-term risk to infected machines.
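Because LaunchAgents are plain property lists, a defender can audit them directly rather than waiting for a signature. The script below is an added example, not code from the article or from Mosyle, and it does not encode ModStealer's actual indicators (the article gives none): its heuristics are generic ones a practitioner would apply to any agent, namely a script interpreter launched against a file outside trusted install locations, paths in temporary or hidden user directories, and RunAtLoad plus KeepAlive. The plist contents and labels are constructed for the example.

```python
"""Audit macOS LaunchAgent plists for generic persistence indicators.
Added example with constructed sample plists; the heuristics are general,
not indicators taken from the article.
"""
import os
import plistlib
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Where legitimate software normally lives; scripts run from elsewhere get flagged.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/bin/", "/usr/libexec/", "/Library/Apple/")
# Temporary, cache and hidden user directories: writable without privileges.
SUSPICIOUS_DIR_RE = re.compile(
    r"(^/tmp/|^/private/tmp/|^/var/folders/|^/Users/[^/]+/\.[^/]+/"
    r"|^/Users/[^/]+/Library/Caches/|^/Users/Shared/)"
)
INTERPRETERS = {"node", "osascript", "python", "python3", "sh", "bash", "zsh", "perl"}


@dataclass
class Finding:
    label: str
    program: str
    reasons: List[str] = field(default_factory=list)


def _program_args(plist: dict) -> List[str]:
    """launchd accepts either ProgramArguments (argv) or Program (path only)."""
    if "ProgramArguments" in plist:
        return list(plist["ProgramArguments"])
    if "Program" in plist:
        return [plist["Program"]]
    return []


def audit_launch_agent(data: bytes) -> Optional[Finding]:
    """Parse one plist and return a Finding if any heuristic matches."""
    plist = plistlib.loads(data)
    args = _program_args(plist)
    if not args:
        return None
    program = args[0]
    reasons: List[str] = []
    base = os.path.basename(program)
    if base in INTERPRETERS and len(args) > 1 and not args[1].startswith(TRUSTED_PREFIXES):
        reasons.append(f"interpreter {base} runs a script outside trusted paths: {args[1]}")
    for path in [program] + [a for a in args[1:] if a.startswith("/")]:
        if SUSPICIOUS_DIR_RE.search(path):
            reasons.append(f"path in temporary or hidden user location: {path}")
    # Persistence flags alone are normal; they aggravate an already odd agent.
    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: restarts after reboot and if killed")
    if not reasons:
        return None
    return Finding(plist.get("Label", "<no label>"), program, reasons)


def audit_many(plists: Iterable[bytes]) -> List[Finding]:
    return [f for f in (audit_launch_agent(p) for p in plists) if f is not None]


def scan_directories(dirs: Iterable[str]) -> List[Finding]:
    """Audit every .plist under the given LaunchAgents directories."""
    found: List[Finding] = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            try:
                with open(os.path.join(d, name), "rb") as fh:
                    finding = audit_launch_agent(fh.read())
            except (plistlib.InvalidFileException, OSError, ValueError):
                continue  # unreadable or malformed: skip, do not crash the audit
            if finding:
                found.append(finding)
    return found


# Constructed samples: a vendor helper in /Applications, and a node script
# launched from a hidden cache directory with both persistence flags set.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.vendor.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sysupdate</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/bin/node</string>
    <string>/Users/dev/.cache/sysupdate/index.js</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    home = os.path.expanduser("~")
    for f in scan_directories([os.path.join(home, "Library/LaunchAgents"), "/Library/LaunchAgents"]):
        print(f.label, f.program, *f.reasons, sep="\n  ")
```

Run as-is it walks the user and system LaunchAgents directories; the constructed plists exist so the heuristics can be exercised offline. Treat hits as triage leads, not verdicts, since developer tooling also installs interpreter-backed agents.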
Mosyle explained that ModStealer’s build closely resembles the structure of other MaaS platforms. Affiliates gain access to full-function malware kits and can customize their attacks. The firm added that this model is fueling the expansion of infostealers across different operating systems and industries.
Earlier in 2025, attacks through malicious npm packages, compromised dependencies, and fake extensions showed how adversaries gain entry into otherwise trusted developer environments. ModStealer is the next step in that evolution: it embeds itself in legitimate-looking workflows, which makes it even harder to detect.
A Shift From Code Bugs to Trust Manipulation
Security breaches in the crypto scene have historically stemmed from vulnerabilities in smart-contract or wallet software. ModStealer marks a shift: its operators are no longer merely exploiting bugs or zero-days; they are hijacking trust.
They exploit the way developers interact with recruiters, assume shared tools are safe, and rely heavily on familiar antivirus protections. This approach makes the human element the weakest link in cybersecurity.
Security experts advise a stringent approach. Users should isolate wallet activity on separate machines or in virtual environments. Developers should scrutinize recruiter tasks carefully and investigate the sources and repositories before executing any code. Experts also recommend moving away from purely signature-based antivirus toward behavior-based detection tools, EDR solutions, and runtime monitoring.
Other recommendations include regular audits of browser extensions, restricted permissions, and timely software updates, which they argue will reduce exposure to the ModStealer threat.