New ModStealer Malware Targets Crypto Users on Multiple Platforms
A new infostealer malware called ModStealer is targeting crypto users on macOS, Windows, and Linux. It steals information from crypto wallets and user credentials.
Apple-focused security firm Mosyle discovered the malware. It remained undetected by major antivirus engines for nearly a month after being uploaded to VirusTotal, a file scanning service.
ModStealer spreads through malicious job postings aimed at developers. It uses heavily obfuscated JavaScript files written for Node.js, which makes it invisible to signature-based antivirus tools.
“The malware’s main goal is data exfiltration, focusing on cryptocurrency wallets, credential files, configuration details, and certificates,” Mosyle said. It targets wallet extensions for Safari and Chromium-based browsers.
ModStealer’s Complex Infrastructure and Persistence
On macOS, ModStealer installs itself as a background agent using Apple’s launchctl tool. This allows it to stay hidden and run continuously on infected machines.
The malware’s command server appears to be hosted in Finland but is routed through Germany to conceal the operators’ location.
Mosyle warns that signature-based antivirus alone is insufficient. They recommend continuous monitoring, behavior-based defenses, and awareness of new threats to protect users.
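As an added illustration of a behavior-based check for the launchctl persistence described above (this is not code from Mosyle or from the original article), the following Python sketch triages LaunchAgent definitions for jobs that launch Node.js scripts from hidden or world-writable paths. The heuristics, labels and paths are assumptions made for this example, not published indicators.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Heuristics below are assumptions for illustration, not indicators from Mosyle.
RUNTIMES = {"node", "nodejs"}
JS_SUFFIXES = (".js", ".mjs", ".cjs")
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def _hidden_or_writable(arg):
    """True if a path sits in a dot-directory or a world-writable location."""
    parts = PurePosixPath(arg).parts
    return arg.startswith(WRITABLE_PREFIXES) or any(
        p.startswith(".") and p not in (".", "..") for p in parts)


def triage_launch_agent(plist_bytes):
    """Return the reasons a LaunchAgent definition deserves manual review."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        return ["plist could not be parsed"]
    if not isinstance(job, dict):
        return ["plist is not a job dictionary"]
    argv = [str(a) for a in job.get("ProgramArguments", [])]
    if job.get("Program"):
        argv.insert(0, str(job["Program"]))
    reasons = []
    if argv and (PurePosixPath(argv[0]).name in RUNTIMES
                 or any(a.endswith(JS_SUFFIXES) for a in argv)):
        reasons.append("runs JavaScript through Node.js")
    if any(_hidden_or_writable(a) for a in argv):
        reasons.append("payload path is hidden or world-writable")
    # Auto-start alone is common for legitimate agents, so it only adds weight.
    if reasons and job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("starts at load and is kept alive")
    return reasons


# Constructed sample definitions; labels and paths are made up for the example.
BENIGN = plistlib.dumps({"Label": "com.example.helper", "RunAtLoad": True,
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"]})
SUSPECT = plistlib.dumps({"Label": "com.example.constructed",
    "RunAtLoad": True, "KeepAlive": True,
    "ProgramArguments": ["/usr/local/bin/node", "/Users/dev/.cache-helper/index.js"]})

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage_launch_agent(blob))
    agents = Path.home() / "Library/LaunchAgents"
    for path in sorted(agents.glob("*.plist")) if agents.is_dir() else []:
        print(path, triage_launch_agent(path.read_bytes()))
```

A non-empty result is a prompt for manual review rather than a verdict, since legitimate developer tooling can also register Node.js agents.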
ModStealer likely operates as Malware-as-a-Service (MaaS). This model lets creators sell malware packages to affiliates, a growing trend among cybercriminal groups spreading infostealers.
Increase in Crypto-Related Hacks Continues
Crypto hacks have surged recently. Blockchain security firm PeckShield reported hackers stole over $142 million in 17 attacks last month.
This amount is 27.2% higher than the $111.6 million stolen in June 2025.
For more details, visit 9to5Mac and CryptoTimes.