Stealth Crypto Malware Discovered: Researchers Reveal Undetectable Browser Wallet Threat

By Hardy Zad

Security firm Mosyle has revealed ModStealer, a cross-platform malware that avoids antivirus software and targets browser wallets.

A novel malware variant capable of evading antivirus inspections and extracting data from cryptocurrency wallets on Windows, Linux, and macOS platforms was found on Thursday.

Dubbed ModStealer, it had been undetected by major antivirus engines for almost a month when it was disclosed. Its package had been delivered through fake job recruiter advertisements that targeted developers.

According to Mosyle, distributing the malware via fake job recruiter advertisements was a deliberate strategy. It was intended to target developers who likely already had or were using Node.js environments.


According to Shān Zhang, chief information security officer at blockchain security firm Slowmist, ModStealer “avoids detection by mainstream antivirus solutions and poses substantial risks to the broader digital asset ecosystem.” Zhang said that “unlike conventional stealers, ModStealer is notable for its multi-platform support and a secretive ‘zero-detection’ execution chain.”

Malware Targets Browser Crypto Wallets and System Credentials After Execution

After its execution, the malware scans for browser-based crypto wallet extensions, system credentials, and digital certificates.

The malware then “exfiltrates the data to remote C2 servers,” explained Zhang. A Command and Control (C2) server is a centralized system used by cybercriminals to manage compromised devices within a network. It acts as the operational hub for malware and cyberattacks, receiving stolen data and issuing new commands.

On macOS, the malware establishes persistence by camouflaging itself as a background helper program, which lets it run automatically each time the computer starts.

The configuration allows it to operate discreetly without the user’s awareness. According to the disclosure, indicators of infection include a hidden file named “.sysupdater.dat” and connections to a suspicious server.
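The hidden file named in the disclosure is the one concrete indicator a defender can check for. The script below is an added example, not code from Mosyle, Slowmist or the article: it searches the directories it is given for `.sysupdater.dat` and reports any hit. The article does not name the macOS persistence mechanism, so the additional listing of per-user LaunchAgents is an assumption made here (background helpers are commonly registered there) and is offered only to give an operator a second place to look.

```shell
#!/bin/sh
# Added defender-side check (not from the Mosyle disclosure). The only indicator
# taken from the article is the hidden file name below; everything else is a
# generic filesystem sweep.

IOC_NAME=".sysupdater.dat"

# find_ioc_file ROOT: print every regular file under ROOT whose name matches the
# indicator. Returns 0 when at least one match exists, 1 when none does.
find_ioc_file() {
    root="$1"
    matches=$(find "$root" -name "$IOC_NAME" -type f 2>/dev/null)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 0
    fi
    return 1
}

# count_ioc_files ROOT: number of matching files, trimmed of the leading spaces
# that macOS `wc -l` emits.
count_ioc_files() {
    find "$1" -name "$IOC_NAME" -type f 2>/dev/null | wc -l | tr -d ' '
}

# list_launch_agents HOME_DIR: list per-user LaunchAgent plists for manual review.
# Assumption: the article says the macOS persistence poses as a background helper
# but does not name the mechanism; ~/Library/LaunchAgents is a common location.
list_launch_agents() {
    dir="$1/Library/LaunchAgents"
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -name '*.plist' 2>/dev/null
}

# scan ROOT...: report on each root given on the command line.
scan() {
    for root in "$@"; do
        echo "== $root"
        if find_ioc_file "$root"; then
            echo "ALERT: $IOC_NAME present under $root ($(count_ioc_files "$root") file(s))"
        else
            echo "no $IOC_NAME under $root"
        fi
        echo "-- LaunchAgents under $root (review manually):"
        list_launch_agents "$root"
    done
}

# Runs only when given one or more roots, e.g.:  sh check_ioc.sh "$HOME"
if [ "$#" -gt 0 ]; then
    scan "$@"
fi
```

Run it against each user home directory on a host of interest; a match is a reason to isolate the machine and pull the file for analysis, while the LaunchAgents listing only narrows where to look and is not itself evidence of infection.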

Zhang noted that while common on their own, these persistence methods, when combined with strong obfuscation, make ModStealer resistant to signature-based security tools.

The discovery of ModStealer follows a related warning from Ledger CTO Charles Guillemet. He had disclosed on Tuesday that attackers had compromised an NPM developer account and tried to disseminate malicious code that could silently substitute crypto wallet addresses during transactions, which put funds at risk across numerous blockchains.

Although the attack was discovered early and ultimately failed, Guillemet later noted that the compromised packages had been linked to Ethereum, Solana, and other chains.

Hours after his initial warning, Guillemet tweeted that if your funds are in a software wallet or on an exchange, you’re “one code execution away from losing everything.”

When asked about the new malware’s potential impact, Zhang warned that ModStealer poses a “direct threat to crypto users and platforms.”

According to Zhang, “private keys, seed phrases, and exchange API keys may be compromised for end-users, leading to a direct loss of assets.” He added that for the crypto industry, “the large-scale theft of browser extension wallet data could set off widespread on-chain exploits, which would erode trust and increase supply chain risks.”
