A new malware strain that can slip past antivirus checks and steal data from crypto wallets on Windows, Linux, and macOS systems was discovered on Thursday.
Dubbed ModStealer, it had remained undetected by major antivirus engines for almost a month at the time of disclosure, with its package being delivered through fake job recruiter ads targeting developers.
The disclosure was made by security firm Mosyle, according to an initial report from 9to5Mac. Decrypt has reached out to Mosyle to learn more.
Distributing through fake job recruiter ads was an intentional tactic, according to Mosyle, because it was designed to reach developers who were likely already using or had Node.js environments installed.
ModStealer “evades detection by mainstream antivirus solutions and poses significant risks to the broader digital asset ecosystem,” Shān Zhang, chief information security officer at blockchain security firm Slowmist, told Decrypt. “Unlike traditional stealers, ModStealer stands out for its multi-platform support and stealthy ‘zero-detection’ execution chain.”
Once executed, the malware scans for browser-based crypto wallet extensions, system credentials, and digital certificates.
Hackers Using Ethereum Smart Contracts to Deliver Malware: Report
It then “exfiltrates the data to remote C2 servers,” Zhang explained. A C2, or “Command and Control” server, is a centralized system used by cybercriminals to manage and control compromised devices in a network, acting as the operational hub for malware and cyberattacks.
On Apple hardware running macOS, the malware sets itself up through a “persistence method” to run automatically every time the computer starts by disguising itself as a background helper program.
The setup keeps it running quietly without the user noticing. Signs of infection include a secret file called “.sysupdater.dat” and connections to a suspicious server, per the disclosure.
“Although common in isolation, these persistence methods combined with strong obfuscation make ModStealer resilient against signature-based security tools,” Zhang said.
Crypto Users Warned to Stop Transacting as Massive Exploit Threatens Apps and Wallets
The discovery of ModStealer comes on the heels of a related warning from Ledger CTO Charles Guillemet, who disclosed Tuesday that attackers had compromised an NPM developer account and attempted to spread malicious code that could silently replace crypto wallet addresses during transactions, putting funds at risk across multiple blockchains.
Although the attack was detected early and failed, Guillemet later noted that the compromised packages had been hooked to Ethereum, Solana, and other chains.
