‘ModStealer’: Apple Security Firm Uncovers New Malware Targeting Crypto Wallets


TL;DR

  • Mosyle discovered ModStealer, a cross-platform malware that is nearly undetectable and targets cryptocurrency wallets and sensitive data.
  • The malware spreads through fake recruiter ads and uses heavily obfuscated JavaScript to evade signature-based defenses, giving attackers near-total control of infected devices.
  • On macOS it abuses launchctl to persist and exfiltrate data to a server in Finland tied to German infrastructure that hides the operators’ true location.

Mosyle, a company focused on Apple device management and security, identified a new malware named ModStealer that impacts macOS, Windows, and Linux.

The malicious software went undetected by major antivirus engines for nearly a month and is designed to steal information, particularly cryptocurrency wallets, credentials, configuration files, and certificates. The investigation revealed that ModStealer includes code targeting 56 browser wallet extensions, including extensions for Safari, and can extract private keys and other sensitive user data.


How Does ModStealer Work?

Mosyle found that the malware spreads through fake recruitment ads targeting developers. Attackers distribute a heavily obfuscated JavaScript file that can evade signature-based defenses. Once installed, the malware gives attackers clipboard capture, screen capture, and remote code execution capabilities, granting near-total control of compromised systems.

On macOS, the program ensures persistence by abusing Apple’s launchctl tool to register itself as a LaunchAgent, so it is relaunched on login. This allows it to operate discreetly while exfiltrating stolen information to a server located in Finland but tied to infrastructure in Germany, likely to conceal the operators’ true whereabouts.
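As an added defensive example (not code from Mosyle or from the article), the Python script below audits per-user LaunchAgent plists for the persistence pattern described above: an interpreter such as node relaunching a JavaScript payload from a user-writable path, with RunAtLoad or KeepAlive set. The interpreter list, path list, scoring weights, Apple-label check and the two sample plists are assumptions constructed for this example.

```python
import plistlib
from pathlib import Path

# Heuristics assumed for this example: interpreters a script-based payload needs,
# and user-writable locations from which a legitimate vendor agent rarely runs.
INTERPRETERS = {"node", "osascript", "python", "python3", "sh", "bash", "zsh"}
WRITABLE_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")

def assess_launch_agent(plist_bytes: bytes) -> dict:
    """Score one LaunchAgent plist; a score of 3 or more is worth a closer look."""
    try:
        p = plistlib.loads(plist_bytes)
    except Exception:  # not an XML/binary plist, or malformed: still report it
        return {"label": "<unparseable>", "args": [], "findings": ["not a valid plist"], "score": 3}
    args = list(p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else []))
    findings, score = [], 0
    if args and Path(args[0]).name in INTERPRETERS:
        findings.append(f"runs interpreter {Path(args[0]).name}"); score += 1
    if any(a.endswith(".js") for a in args):
        findings.append("executes a JavaScript file"); score += 2
    if any(a.startswith(WRITABLE_DIRS) for a in args):
        findings.append("payload lives in a user-writable directory"); score += 2
    if str(p.get("Label", "")).startswith("com.apple."):  # Apple agents live under /System
        findings.append("user agent impersonates an Apple label"); score += 2
    if p.get("RunAtLoad"):
        findings.append("RunAtLoad set"); score += 1
    if p.get("KeepAlive"):
        findings.append("KeepAlive set"); score += 1
    return {"label": p.get("Label", "<no label>"), "args": args, "findings": findings, "score": score}

def audit_launch_agents(directory: Path = Path.home() / "Library/LaunchAgents") -> list:
    """Assess every .plist in a LaunchAgents directory and return the flagged ones."""
    flagged = []
    for plist in sorted(directory.glob("*.plist")):
        result = assess_launch_agent(plist.read_bytes())
        if result["score"] >= 3:
            flagged.append(dict(result, path=str(plist)))
    return flagged

# Constructed samples (not real ModStealer artifacts): a vendor helper and a node agent.
BENIGN_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""

SUSPICIOUS_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.apple.sysupdate</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/node</string>
<string>/Users/Shared/.cache/agent.js</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""
```

Running `audit_launch_agents()` on a Mac prints nothing for ordinary vendor agents and returns the flagged entries with their findings for triage; the scoring is a starting heuristic, not a verdict.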


Malware-as-a-Service

Mosyle believes ModStealer fits into the Malware-as-a-Service model, where developers create ready-to-use packages that are sold to affiliates with little technical expertise. This approach has become increasingly common and has fueled the spread of infostealers. Recent reports highlight a 28% increase in this type of malware on Mac systems in 2025, making it the most prevalent family.

Mosyle’s discovery comes alongside a series of attacks aimed at the crypto ecosystem. Days ago, Ledger CTO Charles Guillemet warned users to halt on-chain transactions after a supply chain attack on npm (the Node Package Manager registry) was detected.

Attackers attempted to use spoofed support emails to steal developer credentials and publish malicious packages capable of diverting transactions on Ethereum, Solana, and other networks. The impact was limited, with estimated losses of about $1,000, but the potential scale underscored the severity of the threat. Teams such as Uniswap, MetaMask, OKX Wallet, Sui, Aave, Trezor, and Lido confirmed they were not affected.


The discovery of ModStealer and these recent incidents demonstrate the urgent need to adopt security measures that go beyond traditional signature-based defenses. Continuous monitoring, behavior-based analysis, and the use of robust custody tools are essential mechanisms for mitigating risk.
