ModStealer, a newly identified malware strain, has been quietly stealing cryptocurrency by targeting wallet extensions on macOS, Windows and Linux systems, security firm Mosyle warns.
Mosyle — an Apple-focused device-management and security platform — discovered the threat after spotting that ModStealer had gone undetected by major antivirus engines for weeks. “The malware has remained invisible to all major antivirus engines since first appearing on VirusTotal nearly a month ago,” the company said in a report shared with 9to5Mac.
Although Mosyle usually focuses on macOS threats, its analysis shows ModStealer is cross-platform by design and can run in Windows and Linux environments as well. The researchers also observed indicators that the malware may be offered as Malware-as-a-Service, a model that lets less technically skilled criminals deploy prebuilt malware in exchange for fees or a cut of profits.
Mosyle traced initial distribution to malicious job-recruiter ads that specifically target developers. The attackers embed a heavily obfuscated JavaScript payload that runs inside Node.js — an environment commonly used by developers and often granted elevated permissions during testing and deployment — making it both stealthy and effective at gaining access to sensitive developer resources.
Once installed, ModStealer functions as an infostealer: it comes preloaded to target at least 56 browser wallet extensions (including Safari) and harvest private keys. The malware can also read clipboard contents, take screenshots, and execute remote commands, capabilities Mosyle says could give attackers “nearly complete control over infected devices.”
On macOS, ModStealer uses the system’s launchctl utility to persist by disguising itself as a legitimate background service so it runs at startup. Mosyle further reported that stolen data is forwarded to a server in Finland that connects to infrastructure in Germany, likely an attempt to hide the operators’ true location.
Mosyle warned that signature-based antivirus tools struggle to spot such highly obfuscated threats and urged developers not to rely solely on those protections.
“[..] Signature-based protections alone are not enough. Continuous monitoring, behavior-based defenses, and awareness of emerging threats are essential to stay ahead of adversaries.”
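A behavior-based check for the launchctl persistence described above, as an added example that is not from Mosyle's report: it parses launchd job definitions and flags those that start a Node.js script or point into hidden or temporary paths. The directory list, heuristics and sample job are assumptions chosen for illustration; this article does not give ModStealer's actual job label or file paths.

```python
import plistlib
from pathlib import Path

# Standard per-user and system-wide launchd job directories on macOS.
LAUNCH_DIRS = [Path.home() / "Library/LaunchAgents",
               Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
NODE_NAMES = {"node", "nodejs"}
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")

# Constructed sample job for illustration; not an indicator from the report.
SAMPLE = {"Label": "com.example.updater", "RunAtLoad": True,
          "ProgramArguments": ["/usr/local/bin/node",
                               "/Users/dev/.cache/helper.js"]}

def assess(job):
    """Return behavioural reasons a launchd job definition deserves review."""
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    args = [str(a) for a in args if a]
    reasons = []
    # Skip a leading /usr/bin/env so "env node x.js" is treated like "node x.js".
    cmd = args[1:] if args and Path(args[0]).name == "env" else args
    if cmd and Path(cmd[0]).name in NODE_NAMES:
        reasons.append("runs a script under Node.js")
    for arg in args:
        if not arg.startswith("/"):
            continue  # only absolute paths are checked
        hidden = any(part.startswith(".") for part in Path(arg).parts[1:])
        if hidden or arg.startswith(TEMP_PREFIXES):
            reasons.append(f"references hidden or temp path: {arg}")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")
    return reasons

def scan(dirs=LAUNCH_DIRS):
    """Return [(plist_path, reasons)] for jobs that trip a heuristic."""
    hits = []
    for path in sorted(p for d in dirs if d.is_dir() for p in d.glob("*.plist")):
        try:
            with path.open("rb") as fh:
                job = plistlib.load(fh)
            reasons = assess(job) if isinstance(job, dict) else ["not a dict"]
        except Exception as exc:  # unreadable or malformed plist
            reasons = [f"could not parse: {exc}"]
        if reasons:
            hits.append((path, reasons))
    return hits

if __name__ == "__main__":
    for path, reasons in [("SAMPLE", assess(SAMPLE))] + scan():
        print(path, *reasons, sep="\n  - ")
```

Hits are leads for review rather than verdicts, since legitimate developer tooling also registers Node.js launch agents.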
New dangers for Mac and Windows crypto users
With global cryptocurrency adoption accelerating, cybercriminals are intensifying efforts to design sophisticated attacks aimed at draining digital assets. ModStealer is just one of several threats drawing attention.
Earlier this month, analysts at ReversingLabs flagged open-source malware hidden within Ethereum smart contracts, capable of deploying malicious payloads against unsuspecting crypto users.

