Crypto Users Face Danger from New ModStealer Malware

TheCryptoTimes. Published on 2025-09-12. Last updated on 2025-09-12.

While the crypto industry is dealing with a series of security breaches, ModStealer, a new infostealer malware, is targeting crypto users on macOS, Windows, and Linux systems. Experts note that this malware can steal crypto wallet data and users' access credentials.

According to information from 9to5mac, Apple-focused security company Mosyle found the malware, which even major antivirus engines failed to catch for almost a month after it was uploaded to VirusTotal, an online service that checks files for harmful content.

The report says that ModStealer is being delivered to victims through malicious job postings that specifically target developers. Because it ships as heavily obfuscated JavaScript files written with NodeJS, the malware remains completely undetectable by signature-based defenses.

“The malware’s main goal is data exfiltration, with a particular focus on cryptocurrency wallets, credential files, configuration details, and certificates,” Mosyle said. The security researchers also found targeting logic for different wallets, such as extensions for Safari and Chromium-based browsers. 

Malware’s perplexing infrastructure

The security company said that the malware persists on macOS by registering itself with the system as a background agent. While its server appears to be hosted in Finland, the infrastructure is believed to be routed through Germany to hide where the operators are located.

“For security professionals, developers, and end users alike, this serves as a stark reminder that signature-based protections alone are not enough. Continuous monitoring, behavior-based defenses, and awareness of emerging threats are essential to stay ahead of adversaries,” Mosyle warns.

On macOS, the malware uses Apple’s own launchctl tool to install itself as a LaunchAgent, which lets it stay on a victim’s Mac for a long time and makes it hard to find. From there, it watches what the user does and sends sensitive data to a remote server.
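A defender-side check for the LaunchAgent persistence described above, as an added example that is not from Mosyle or the original article: it parses LaunchAgent plists and lists the ones worth a manual look. The heuristics (Node.js interpreter, JavaScript file, hidden path, automatic start) and the sample plists are assumptions constructed for illustration, not published ModStealer indicators.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Heuristics below are assumptions for this example, not indicators published by Mosyle.
NODE_NAMES = {"node", "nodejs"}
JS_SUFFIXES = (".js", ".mjs", ".cjs")
AGENT_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents")

def review_agent(raw: bytes) -> list:
    """Return the reasons a LaunchAgent plist deserves manual review (empty list = none)."""
    try:
        job = plistlib.loads(raw)
    except Exception:
        job = None
    if not isinstance(job, dict):
        return ["unparseable plist"]
    # launchd runs Program if set, with ProgramArguments as argv; inspect both.
    args = job.get("ProgramArguments")
    cmd = [str(job["Program"])] if job.get("Program") else []
    cmd += [str(a) for a in args] if isinstance(args, list) else []
    reasons = []
    if any(PurePosixPath(c).name.lower() in NODE_NAMES for c in cmd):
        reasons.append("runs a Node.js interpreter")
    if any(c.lower().endswith(JS_SUFFIXES) for c in cmd):
        reasons.append("executes a JavaScript file")
    if any(p.startswith(".") and p not in (".", "..")
           for c in cmd for p in PurePosixPath(c).parts):
        reasons.append("path contains a hidden file or directory")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")
    return reasons

def scan(dirs=AGENT_DIRS) -> dict:
    """Map each flagged per-user or system-wide LaunchAgent plist to its reasons."""
    findings = {}
    for d in dirs:
        for path in sorted(Path(d).expanduser().glob("*.plist")):
            reasons = review_agent(path.read_bytes())
            if reasons:
                findings[str(path)] = reasons
    return findings

# Constructed samples: labels and paths are made up for this example.
SAMPLE_SUSPECT = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
    "ProgramArguments": ["/usr/local/bin/node", "/Users/dev/.cache/agent/index.js"]})
SAMPLE_BENIGN = plistlib.dumps({"Label": "com.example.sync", "KeepAlive": True,
    "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync", "--daemon"]})

if __name__ == "__main__":
    for path, reasons in scan().items():
        print(path, "->", "; ".join(reasons))
```

A flagged entry is a prompt for review, not a verdict: legitimate developer tooling can also run Node.js from a LaunchAgent.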

Mosyle thinks that ModStealer fits the description of Malware-as-a-Service (MaaS), a model in which malware developers build harmful packages and sell them to affiliates. This kind of business model has become more and more popular among cybercriminal gangs, especially when it comes to spreading infostealers.

Rise in Crypto-Related Hacks

Crypto hacks have been on the rise for the past few months. PeckShield, a blockchain security firm, says that hackers stole over $142 million in 17 attacks last month. That amount is 27.2% higher than the $111.6 million recorded in June 2025.
