Cybersecurity experts have uncovered a new variant of infostealer malware, specifically engineered to infiltrate cryptocurrency wallets across various platforms—Windows, Linux, and macOS—while remaining elusive to major antivirus solutions.

Summary

  • ModStealer is targeting browser-based cryptocurrency wallets.
  • This malware operates across Windows, Linux, and macOS platforms.
  • Malicious actors disseminate the malware through fraudulent job recruitment advertisements.

The new malware, named ModStealer, was discovered by Mosyle, a cybersecurity platform specializing in the management of Apple devices, after it had evaded detection by conventional antivirus tools for weeks.

According to a report from Mosyle, “The malware has eluded detection by all major antivirus engines since it first appeared on VirusTotal nearly a month ago.”

While Mosyle typically focuses on threats directed at macOS, the firm has recognized that ModStealer can also effectively breach Windows and Linux systems.

There is evidence suggesting that ModStealer may be offered under a Malware-as-a-Service model, enabling cybercriminals with limited technical skills to deploy ready-made malicious code with little effort.

This underground business model is characterized by the sale or leasing of malware kits by developers to affiliates in return for a subscription fee or commission.

Mosyle’s investigation revealed that ModStealer is being distributed through deceptive job recruiter advertisements mainly targeting software developers.

One of the critical features that make this malware challenging to detect is its use of “heavily obfuscated JavaScript code” within a Node.js environment.

Node.js environments are commonly used by developers and are often granted elevated permissions during software testing and deployment, which makes them attractive targets for cybercriminals.

Developers are particularly vulnerable since they often handle sensitive credentials, access keys, and cryptocurrency wallets as part of their daily tasks, marking them as high-value targets.

As an infostealer, ModStealer’s primary objective is to exfiltrate data once it successfully infiltrates a victim’s system. The malware reportedly comes preloaded with malicious code designed to compromise at least “56 different browser wallet extensions, including Safari,” to pilfer crypto private keys.

Beyond this, ModStealer possesses various capabilities: it can extract data from clipboards, capture the victim’s screen, and execute malicious code remotely on the targeted system—giving cybercriminals “almost total control over infected devices,” Mosyle warns.

The discovery of the malware is particularly concerning due to its stealthy functionality. Undetectable malware poses a significant challenge for signature-based detection systems, allowing it to operate without being flagged.

On macOS, ModStealer establishes persistence through the system’s launchctl tool, a built-in utility for managing background processes. This allows the malware to disguise itself as a legitimate service and ensures it runs each time the device boots up.
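Because launchd persistence is registered through plist files, a defender can triage those files directly rather than waiting for a signature. The script below is an added example written for this article; it is not code from Mosyle, from the ModStealer report, or from any product. The two plists it parses are constructed samples (the labels, paths and arguments are invented), and the heuristics it applies (an interpreter such as Node.js launched as a persistent job, script paths under hidden or world-writable directories, RunAtLoad combined with KeepAlive, and a label borrowed from Apple's namespace) are general indicators of the persistence pattern described above, not indicators specific to ModStealer.

```python
import os
import plistlib
from typing import Dict, List

# Constructed sample resembling a vendor updater in ~/Library/LaunchAgents.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed sample: a Node.js script in a hidden directory, restarted if
# killed, under a label that imitates Apple's namespace. Invented for this
# example; it is not a real ModStealer artifact.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.helper-update</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/bin/node</string>
    <string>/Users/dev/.local/share/.helper/app.js</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Heuristic tables; assumptions chosen for this example, extend to taste.
INTERPRETERS = ("node", "nodejs", "osascript", "python", "python3", "bash", "sh", "zsh")
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")
APPLE_BINARY_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/")


def triage_plist(data: bytes) -> Dict:
    """Parse one launchd plist and return its label plus a list of findings."""
    plist = plistlib.loads(data)
    args: List[str] = list(plist.get("ProgramArguments") or [])
    if not args and plist.get("Program"):
        args = [plist["Program"]]

    findings: List[str] = []
    program = os.path.basename(args[0]) if args else ""

    # A scripting runtime registered as a persistent job is worth a look;
    # the article notes ModStealer is obfuscated JavaScript run under Node.js.
    if program in INTERPRETERS:
        findings.append(f"persistent job runs interpreter '{program}'")

    # Hidden directory components ("/.") or world-writable staging paths.
    for arg in args:
        if arg.startswith(WRITABLE_PREFIXES) or "/." in arg:
            findings.append(f"argument references hidden or world-writable path: {arg}")

    # Start at login and restart on exit: typical of implants, rare for tools.
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive both set")

    # Apple's label namespace used for a binary that does not live in system paths.
    label = plist.get("Label", "")
    if label.startswith("com.apple.") and args and not args[0].startswith(APPLE_BINARY_PREFIXES):
        findings.append(f"label '{label}' imitates Apple namespace for non-system binary")

    return {"label": label, "program_arguments": args, "findings": findings, "score": len(findings)}


def scan_directory(path: str) -> List[Dict]:
    """Triage every .plist in a launchd directory (e.g. ~/Library/LaunchAgents)."""
    results = []
    for name in sorted(os.listdir(path)) if os.path.isdir(path) else []:
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as fh:
                try:
                    result = triage_plist(fh.read())
                except Exception as exc:  # malformed plist is itself noteworthy
                    result = {"label": name, "findings": [f"unparseable: {exc}"], "score": 1}
            result["file"] = os.path.join(path, name)
            results.append(result)
    return results


if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        r = triage_plist(sample)
        print(f"{r['label']}: score={r['score']} {r['findings']}")
    # On a real Mac, also walk the user's LaunchAgents directory.
    for r in scan_directory(os.path.expanduser("~/Library/LaunchAgents")):
        if r["score"]:
            print(f"{r['file']}: score={r['score']} {r['findings']}")
```

The score is a count of matched heuristics, not a verdict; a legitimate developer tool can trip one of them, so the value of the script is in surfacing entries for a human to compare against installed software, which is the kind of behaviour-based review the article's closing advice calls for.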

Mosyle also determined that data harvested from victim systems is transmitted to a remote server located in Finland, with links to infrastructure in Germany—likely a tactic employed to obscure the true identity of the operators.

The security firm strongly advises developers against relying solely on signature-based protections.

“[..] Relying solely on signature-based protections is insufficient. Continuous monitoring, behavior-based defenses, and an awareness of emerging threats are crucial for staying ahead of malicious actors.”

Emerging Threats for Cryptocurrency Users on macOS and Windows

As global cryptocurrency adoption continues to surge, threat actors are increasingly devising sophisticated attack vectors to acquire digital assets. ModStealer is just one of many emerging threats that have attracted attention recently.

Earlier this month, researchers at ReversingLabs issued a warning about open-source malware embedded in Ethereum smart contracts, capable of deploying harmful payloads that specifically target crypto users.