A dangerous new strain of malware called ModStealer is spreading across Windows, macOS, and Linux, slipping under the radar of antivirus software and going after crypto wallets.
The Essentials
- Cross-platform threat: ModStealer infects Windows, macOS, and Linux.
- Fake job ads: The malware is distributed through fraudulent recruiter postings aimed at developers.
- Crypto focus: It extracts wallet data, private keys, credentials, and more.
- MaaS model: Experts warn this is part of the fast-growing Malware-as-a-Service economy.
Researchers at security company Mosyle revealed that ModStealer has managed to remain undetected since it first appeared on VirusTotal nearly a month ago, as reported by 9to5Mac.
How Victims Get Infected
Cybercriminals are using fake job recruitment ads to lure victims. Once a targeted developer downloads and executes the malicious JavaScript file, which runs under Node.js, traditional signature-based defenses fail to flag it.
Unlike simple infostealers, ModStealer comes equipped with a wide range of capabilities. It specifically targets 56 browser wallet extensions, including Safari plug-ins, and can steal:
- Private keys
- Credentials
- Configuration files
- Digital certificates
It doesn’t stop there—clipboard hijacking, screenshot capture, and even remote code execution are built in, giving attackers near-total control of compromised systems.
On macOS, the malware leverages Apple’s launchctl tool, embedding itself as a LaunchAgent for persistence. Once established, it quietly observes user activity and exfiltrates data to a server believed to be hosted in Finland, though routed through German infrastructure.
Part of a Bigger Trend
Security analysts believe ModStealer is sold as part of the Malware-as-a-Service model, where developers provide the malicious software and affiliates deploy it without needing technical knowledge.
This aligns with broader industry findings—Jamf recently reported that Mac-focused infostealers jumped 28% in 2025, highlighting the rapid growth of these threats.
For crypto users, the stakes are especially high. With wallets and blockchain credentials in the crosshairs, the damage can be immediate and costly. Mosyle emphasized:
The campaign underlines the need for behavior-based security tools, as signature detection alone is no longer enough.
$3 Million Lost in Phishing Scam
In a separate but related event, a crypto investor recently lost $3.05 million in Tether (USDT) after unknowingly signing a malicious blockchain transaction.
The case, flagged by blockchain analytics firm Lookonchain, highlights how phishing continues to devastate digital asset holders. The attacker relied on a common oversight—victims checking only the first and last characters of wallet addresses instead of verifying the entire string.
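As an added illustration, not part of the original report: the check below shows how a look-alike address passes the first-and-last-characters comparison the article describes but fails a full-string comparison. The addresses are constructed, and the 0x-prefixed 40-hex-digit format is an assumption (the report does not state which chain was involved).

```python
import re

# Constructed sample addresses (not real accounts). The 0x-prefixed hex
# format is an assumption for illustration only.
TRUSTED = "0x3f1a9c0d7b2e6d5a8f4c1b0e2d9a7c6b5e4f3a21"
LOOKALIKE = "0x3f1a61d2e9c4b7a0f8d3e5c2b1a9f7e6d4c33a21"  # same first 4 and last 4 hex digits

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def is_well_formed(addr: str) -> bool:
    """Syntactic sanity check before any comparison is attempted."""
    return bool(HEX_ADDR.match(addr))


def naive_match(candidate: str, expected: str, n: int = 4) -> bool:
    """The shortcut the article warns about: compare only the first and
    last n hex digits after the 0x prefix. A poisoned look-alike address
    is crafted to pass exactly this test."""
    c, e = candidate[2:].lower(), expected[2:].lower()
    return c[:n] == e[:n] and c[-n:] == e[-n:]


def strict_match(candidate: str, expected: str) -> bool:
    """Full-string, case-insensitive comparison after syntax validation.
    Case is ignored so that a mixed-case (checksummed) spelling of the
    same account still matches its lowercase form."""
    if not (is_well_formed(candidate) and is_well_formed(expected)):
        return False
    return candidate.lower() == expected.lower()


def classify(candidate: str, expected: str) -> str:
    """Return 'match', 'lookalike' (ends agree, body differs) or 'mismatch'.
    'lookalike' is the case a wallet UI should flag loudly, since it is the
    signature of an address-poisoning attempt."""
    if strict_match(candidate, expected):
        return "match"
    if is_well_formed(candidate) and naive_match(candidate, expected):
        return "lookalike"
    return "mismatch"


if __name__ == "__main__":
    for addr in (TRUSTED, LOOKALIKE, "0x1234"):
        print(addr, "->", classify(addr, TRUSTED))
```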
According to CertiK’s latest report, crypto investors lost $2.2 billion in the first half of 2025 alone. Of that:
- $1.7 billion came from wallet compromises across just 34 incidents.
- $410 million was drained through phishing in 132 separate attacks.
These numbers reveal a disturbing reality: whether through malware like ModStealer or phishing tricks, crypto users remain prime targets for cybercriminals.
