In brief
- ModStealer spreads through fake recruiter ads using obfuscated code.
- It targets browser wallets and hides by disguising itself as a background helper.
- The malware poses a direct threat to crypto users and platforms, Decrypt was told.
A new malware strain that can slip past antivirus checks and steal data from crypto wallets on Windows, Linux, and macOS systems was discovered on Thursday.
Dubbed ModStealer, it had remained undetected by major antivirus engines for almost a month at the time of disclosure, with its package being delivered through fake job recruiter ads targeting developers.
The disclosure was made by security firm Mosyle, according to an initial report from 9to5Mac. Decrypt has reached out to Mosyle to learn more.
Distributing through fake job recruiter ads was an intentional tactic, according to Mosyle, because it was designed to reach developers who were likely already using or had Node.js environments installed.
ModStealer “evades detection by mainstream antivirus solutions and poses significant risks to the broader digital asset ecosystem,” Shān Zhang, chief information security officer at blockchain security firm Slowmist, told Decrypt. “Unlike traditional stealers, ModStealer stands out for its multi-platform support and stealthy ‘zero-detection’ execution chain.”
Once executed, the malware scans for browser-based crypto wallet extensions, system credentials, and digital certificates.
It then “exfiltrates the data to remote C2 servers,” Zhang explained. A C2, or “Command and Control” server, is a centralized system used by cybercriminals to manage and control compromised devices in a network, acting as the operational hub for malware and cyberattacks.
On Apple hardware running macOS, the malware sets itself up through a “persistence method” to run automatically every time the computer starts by disguising itself as a background helper program.
The setup keeps it running quietly without the user noticing. Signs of infection include a secret file called “.sysupdater.dat” and connections to a suspicious server, per the disclosure.
“Although common in isolation, these persistence methods combined with strong obfuscation make ModStealer resilient against signature-based security tools,” Zhang said.
The discovery of ModStealer comes on the heels of a related warning from Ledger CTO Charles Guillemet, who disclosed Tuesday that attackers had compromised an NPM developer account and attempted to spread malicious code that could silently replace crypto wallet addresses during transactions, putting funds at risk across multiple blockchains.
Although the attack was detected early and failed, Guillemet later noted that the compromised packages had been hooked to Ethereum, Solana, and other chains.
“If your funds sit in a software wallet or on an exchange, you’re one code execution away from losing everything.” Guillemet tweeted hours after his initial warning.
Asked about the new malware’s possible impact, Zhang warned that ModStealer poses a “direct threat to crypto users and platforms.”
For end-users, “private keys, seed phrases, and exchange API keys may be compromised, resulting in direct asset loss,” Zhang said, adding that for the crypto industry, “mass theft of browser extension wallet data could trigger large-scale on-chain exploits, eroding trust and amplifying supply chain risks.”
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.