Cross-OS Malware ‘ModStealer’ Threatens Crypto Wallets

Researchers from the security company Mosyle found that the malware had been uploaded to VirusTotal but had gone unnoticed by antivirus tools for almost a month.

The malware is written in JavaScript using NodeJS and conceals its code to evade detection.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

Candlesticks, Trendlines & Patterns Easily Explained (Animated Examples)

SUBSCRIBE

ON YOUTUBE

Once installed, ModStealer runs in the background. It collects information such as wallet keys, certificates, account files, and browser extensions linked to crypto wallets.

Mosyle’s team identified code targeting more than 50 wallet extensions, including those on Safari and Chromium-based browsers.

The malware also records clipboard content, takes screenshots, and can run commands from a remote server. These features give attackers access to private information and control over infected systems.

On macOS, ModStealer exploits Apple’s launchctl tool to run as a LaunchAgent. This allows the malware to remain active even after a reboot. The stolen data is sent to a server that appears to be based in Finland but is connected to infrastructure in Germany.

Mosyle stated that ModStealer may be part of a Malware-as-a-Service model. In such setups, developers create the malware and sell it to affiliates, who then launch attacks without requiring deep technical skills.

Mosyle warned that antivirus tools that rely only on signatures are not enough to stop such threats. They recommend constant monitoring, behavior-based security systems, and more awareness of new attack methods.

Lucija Valentić at ReversingLabs recently reported that hackers have discovered a new method for spreading malicious software by using Ethereum ETH $4,591.15 smart contracts. How? Read the full story.