
Researchers Discover Hidden Malware That Targets Crypto Browser Wallets


Simply put

  • ModStealer employs obfuscated code to infiltrate systems through fake recruitment advertisements.
  • This malware specifically targets browser wallets while masquerading as a background helper.
  • It represents a significant risk to cryptocurrency users and platforms, according to the sources Decrypt spoke with.

A new strain of malware was identified on Thursday. It is capable of stealing data from crypto wallets across Windows, Linux, and macOS systems, potentially bypassing antivirus protections.

Named ModStealer, this malware is distributed via fake job ads aimed at developers and has remained undetected by major antivirus solutions for nearly a month following its discovery.

The revelation came from security firm Mosyle, as noted in a report from 9to5mac. Decrypt reached out to Mosyle for further comment.

According to Mosyle, the choice to distribute this malware via faux job ads was deliberate, targeting developers who likely have a Node.js environment already set up.

Shan Zhang, CISO at blockchain security firm SlowMist, noted that ModStealer “can elude mainstream antivirus solutions and poses serious risks to the wider digital asset ecosystem.” It distinguishes itself with its multi-platform capabilities and its stealthy “zero-detect” execution.

Once activated, the malware scans browser-based crypto wallet extensions, retrieves system credentials, and examines digital certificates.

Zhang explained that this information is then sent to a remote Command and Control (C2) server, which serves as a centralized control point for cybercriminals managing compromised devices.

On macOS devices, ModStealer uses a “persistent method” to ensure it runs automatically at startup, disguising itself as a harmless background helper program.

The malware operates quietly, and users are often unaware of its presence. Signs of infection may include a hidden file named “.sysupdater.dat” and connections to suspicious servers.

Zhang mentioned that while these persistent techniques are not uncommon, the level of obfuscation gives ModStealer a strong defense against signature-based security software.
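A hunt for the indicator the article names, added here as an example and not taken from the article, Mosyle or SlowMist: it finds any hidden `.sysupdater.dat` file under a root and flags launch items that reference it. The article does not say what form the macOS startup persistence takes; that it is a LaunchAgent/LaunchDaemon plist, the `node` launcher in the constructed fixture and the scan root are assumptions.

```python
import os
import plistlib
import tempfile

INDICATOR = ".sysupdater.dat"  # hidden file name quoted in the article

def find_indicator_files(root):
    """Paths under root whose basename equals the indicator filename."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, n) for n in files if n == INDICATOR]
    return sorted(hits)

def find_launch_items_referencing(root, needle=INDICATOR):
    """Plists in LaunchAgents/LaunchDaemons folders whose Program or
    ProgramArguments mention needle (the persistence form assumed here)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) not in ("LaunchAgents", "LaunchDaemons"):
            continue
        for name in (n for n in files if n.endswith(".plist")):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = plistlib.load(fh)
            except Exception:
                continue  # malformed or unreadable: skip, do not abort the hunt
            if not isinstance(data, dict):
                continue
            fields = [data.get("Program", "")] + list(data.get("ProgramArguments", []))
            if any(needle in str(f) for f in fields):
                hits.append(path)
    return sorted(hits)

def hunt(root):
    """Run both checks; empty lists mean nothing matched under root."""
    return {"files": find_indicator_files(root),
            "launch_items": find_launch_items_referencing(root)}

def build_constructed_tree():
    """Constructed fixture, no real malware: a fake home directory holding the
    hidden file and a LaunchAgent plist that would start it at login."""
    home = tempfile.mkdtemp()
    open(os.path.join(home, INDICATOR), "wb").close()
    agents = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents)
    with open(os.path.join(agents, "com.example.helper.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.helper", "RunAtLoad": True,
                       "ProgramArguments": ["node", os.path.join(home, INDICATOR)]}, fh)
    return home
```

Run `hunt` against a real home directory to reproduce the check; `build_constructed_tree()` only exists so the logic can be exercised offline.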

The discovery of ModStealer coincides with a recent warning from Ledger’s CTO, Charles Guillemet. Attackers previously attempted to compromise NPM developer accounts, spreading malicious code that could silently alter crypto wallet addresses during transactions, putting funds across various blockchains at risk.

This earlier attack was caught in time and failed, but Guillemet observed that the targeted packages predominantly focused on Ethereum, Solana, and other blockchain networks.

Guillemet cautioned, “If your assets are stored in a wallet or software exchange, you could lose everything with a single code execution.” He reiterated this hours later in a tweet.

Addressing the potential effects of ModStealer, Zhang indicated that it poses a direct threat to cryptocurrency users and platforms.

For individual users, compromised private keys, seed phrases, and exchange API keys could result in significant asset losses. Zhang warned that extensive theft of browser extension wallet data could lead to larger exploits within blockchain networks, heightening supply chain vulnerabilities.
