The Block

New ModStealer malware hunts crypto wallets with fake recruiter ads, evades antivirus detection


Apple device management and security firm Mosyle uncovered new malware dubbed "ModStealer" on Thursday — undetected by antivirus tools since first appearing nearly a month ago.

The malware doesn't just target macOS systems, but is cross-platform and purpose-built for stealing data, Mosyle told 9to5Mac. ModStealer's chief purpose is data theft — particularly targeting cryptocurrency wallets, credential files, configuration details, and certificates.

Mosyle found that ModStealer is spreading via fake recruiter ads targeting developers. The malware uses a heavily obfuscated JavaScript file to evade detection and includes pre-loaded scripts targeting 56 browser wallet extensions, including Safari, designed to extract private keys and sensitive account data. Windows and Linux systems are also at risk, according to Mosyle's analysis.

Furthermore, Mosyle's researchers discovered that ModStealer is capable of clipboard and screen capture, as well as remote code execution, giving attackers near-total control of infected devices. On macOS, it persists by abusing Apple's launchctl tool to run as a LaunchAgent, silently exfiltrating data to a remote server that appears to be located in Finland but linked to infrastructure in Germany — likely designed to mask the operators' real location.
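The LaunchAgent persistence described above is the kind of thing behavior-based monitoring can check for directly. The following is an added example, not Mosyle's tooling or anything from the article: a small Python triage of LaunchAgent plists that flags agents handing a script to an interpreter, referencing transient or hidden directories, or configured to always run. The two plists, the paths, and the heuristic lists are constructed for illustration and are not indicators from the report.

```python
import plistlib
from pathlib import Path

# Heuristics constructed for this example (not indicators from the article): an agent that
# runs a script via an interpreter, uses transient/hidden paths, or always runs gets flagged.
INTERPRETERS = {"node", "osascript", "bash", "sh", "zsh", "python3", "curl"}
TRANSIENT_OR_HIDDEN = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/.")

# Two constructed plists: an ordinary app helper, and an agent keeping a JavaScript file alive.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/Applications/Backup.app/Contents/MacOS/backup-agent</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/node</string><string>/Users/Shared/.cache/update.js</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""

def triage_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchAgent plist looks suspicious; an empty list means nothing flagged."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # a malformed plist sitting in LaunchAgents is itself worth a look
        return [f"unparseable plist: {exc}"]
    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    if not args:
        return ["no Program or ProgramArguments"]
    reasons = []
    if Path(args[0]).name in INTERPRETERS:
        reasons.append(f"interpreter launcher: {args[0]}")
    for arg in args:
        if any(marker in arg for marker in TRANSIENT_OR_HIDDEN):
            reasons.append(f"transient or hidden path: {arg}")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive: relaunched whenever it exits")
    return reasons

def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Triage every .plist in a LaunchAgents directory; only files with findings are returned."""
    if not directory.is_dir():
        return {}
    findings = {p.name: triage_launch_agent(p.read_bytes()) for p in sorted(directory.glob("*.plist"))}
    return {name: reasons for name, reasons in findings.items() if reasons}

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PLIST), ("suspicious", SUSPICIOUS_PLIST)):
        print(label, triage_launch_agent(blob) or "nothing flagged")
    for name, reasons in scan_launch_agents(Path.home() / "Library/LaunchAgents").items():
        print(name, reasons)
```

Run it as-is on a Mac to triage the current user's LaunchAgents; point `scan_launch_agents` at `/Library/LaunchAgents` or `/Library/LaunchDaemons` to cover system-wide entries.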

The researchers added that ModStealer fits the growing Malware-as-a-Service "business model" increasingly popular among cybercriminal gangs, where ready-made infostealers are sold to affiliates with minimal technical skills.

"For security professionals, developers, and end users alike, this serves as a stark reminder that signature-based protections alone are not enough," Mosyle said. "Continuous monitoring, behavior-based defenses, and awareness of emerging threats are essential to stay ahead of adversaries."

Crypto malware attacks on the rise

On Monday, Ledger CTO Charles Guillemet warned crypto users to halt onchain transactions following a widespread Node Package Manager supply chain attack. The attackers used spoofed NPM support emails to steal developer credentials, allowing them to publish malicious packages designed to hijack crypto transactions across Ethereum, Solana, and other chains by secretly swapping destination addresses.

However, Guillemet later said the attack had "fortunately failed," impacting "almost no victims," with Arkham tracking data suggesting that just $1,000 in crypto was stolen before the compromise was detected and shut down. "The immediate danger may have passed, but the threat hasn't," Guillemet wrote on X, urging users to favor hardware wallets and clear signing protections.

By early Tuesday, multiple crypto teams, including Uniswap, MetaMask, OKX Wallet, Sui, Aave, Trezor, and Lido, reported they were not affected. Security collective SEAL Org called the outcome "lucky," noting a compromised account with packages downloaded "billions" of times weekly could have yielded "untold riches" had the payload been stealthier.

Last week, a report by ReversingLabs also found that threat actors were using Ethereum smart contracts to conceal two NPM packages used to spread malicious instructions before the malware family was taken down.

Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.

© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.