ModStealer Malware Targets Crypto Wallets, Avoids Antivirus Detection
A newly discovered malware strain, ModStealer, is actively targeting browser-based cryptocurrency wallets while evading detection by all major antivirus programs, according to Apple-focused security firm Mosyle.
The malware has been live for nearly a month and is being distributed through malicious recruiter ads aimed at developers. It is delivered as a heavily obfuscated NodeJS script whose scrambled code defeats traditional signature-based defenses, so its instructions run on infected systems without being flagged.
ModStealer is cross-platform, affecting macOS, Windows, and Linux devices. Its primary function is data theft, with preloaded instructions targeting 56 browser wallet extensions to extract private keys, credentials, and certificates. Additional capabilities include clipboard hijacking, screen capture, and remote code execution, giving attackers near-total control. On macOS, it persists through Apple’s LaunchAgent system, the per-user launchd mechanism that starts a program each time the user logs in.
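A defender-side check for the persistence mechanism just described, added here as an example and not code from the article, Mosyle, or the malware itself: it parses macOS LaunchAgent plists and flags entries that start a NodeJS interpreter on a script outside normal install locations. The interpreter names, the trusted path prefixes and the sample plist are assumptions constructed for the example, not indicators from the report.

```python
import plistlib
from pathlib import Path

NODE_BINARIES = {"node", "nodejs"}  # assumption: interpreter names worth flagging
TRUSTED_PREFIXES = ("/usr/local/", "/opt/homebrew/", "/Applications/")  # assumption: legitimate Node tooling paths

def inspect_launchagent(plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent plist; an empty 'reasons' list means no heuristic matched."""
    plist = plistlib.loads(plist_bytes)
    argv = [str(a) for a in plist.get("ProgramArguments", [])]
    reasons = []
    if argv and Path(argv[0]).name in NODE_BINARIES:
        reasons.append("launches a NodeJS interpreter at login")
        for script in (a for a in argv[1:] if a.endswith((".js", ".mjs", ".cjs"))):
            if not script.startswith(TRUSTED_PREFIXES):
                reasons.append(f"script outside trusted install paths: {script}")
            if "/." in script:  # hidden directory such as ~/.cache or ~/.config
                reasons.append(f"script stored in a hidden directory: {script}")
        if plist.get("RunAtLoad") and plist.get("KeepAlive"):
            reasons.append("RunAtLoad + KeepAlive: relaunched whenever it exits")
    return {"label": plist.get("Label", ""), "argv": argv, "reasons": reasons}

def scan_launchagents(directory: Path) -> list:
    """Run inspect_launchagent over every .plist in a LaunchAgents folder."""
    findings = []
    for path in sorted(directory.glob("*.plist")):
        try:
            result = inspect_launchagent(path.read_bytes())
        except Exception as exc:  # malformed XML or binary plist
            result = {"label": path.name, "argv": [], "reasons": [f"unparseable: {exc}"]}
        if result["reasons"]:
            findings.append((path, result))
    return findings

# Constructed sample plist (not a real indicator): Node started at login on a hidden script.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sample-agent</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/node</string>
    <string>/Users/alice/.cache/sample/update.js</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(inspect_launchagent(SAMPLE_PLIST)["reasons"])
    print(scan_launchagents(Path.home() / "Library" / "LaunchAgents"))
```

Running it on a real machine walks the current user's ~/Library/LaunchAgents; system-wide agents under /Library/LaunchAgents can be passed in the same way.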
Mosyle highlights that ModStealer follows the Malware-as-a-Service model, where ready-made malware is sold to affiliates with limited technical expertise. This business model has fueled a surge in infostealers, with Jamf reporting a 28% increase in 2025 alone.
The malware’s discovery follows recent npm-focused attacks, such as colortoolsv2 and mimelib2, which leveraged Ethereum smart contracts to conceal secondary malware. ModStealer demonstrates how cybercriminals are escalating tactics, directly targeting crypto wallets and developer environments across multiple platforms.