New “ModStealer” Malware Targets Crypto Wallets, Evades Antivirus Detection

A new malware family named "ModStealer" targets cryptocurrency wallets and, at the time of analysis, was not detected by major antivirus engines.

  • Active on macOS, Windows, and Linux for roughly a month before it was detected.
  • Delivered through fake job-recruiter ads aimed at developers, a social engineering lure.
  • Aims to steal sensitive data, including credential files, configuration details, and certificates.
  • Ships as a heavily obfuscated JavaScript file executed with Node.js, which lets it slip past signature-based security tools.

Operation Details

  • Establishes persistence on macOS by registering itself as a LaunchAgent and loading it with Apple's launchctl tool, so it runs in the background and is started again at each login.
  • Exfiltrates stolen data to a server in Finland that is linked to German infrastructure, obscuring the operator's true location.
  • Targets 56 browser wallet extensions, including ones for Safari, to extract private keys.
  • Can capture clipboard contents, take screenshots, and execute remote commands, giving the operator full control of the device.
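The LaunchAgent persistence described above is the one artifact a defender can hunt for directly: a plist under ~/Library/LaunchAgents whose program is a Node.js interpreter pointed at a script in a hidden or temporary directory. The triage script below is an added example, not code from the Mosyle report or from the malware itself; the plists it checks are constructed samples, and the labels, paths, and scoring threshold are assumptions chosen for illustration, not indicators published for ModStealer.

```python
"""Triage macOS LaunchAgent plists for Node.js-based persistence (added example)."""
import plistlib
from pathlib import Path, PurePosixPath

# Heuristics are assumptions for this example, not indicators from the report.
NODE_NAMES = {"node", "nodejs"}
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
SCRIPT_SUFFIXES = (".js", ".mjs", ".cjs")
APPLE_BINARY_PREFIXES = ("/System/", "/usr/bin/", "/usr/libexec/", "/usr/sbin/")

# Constructed sample plists (not real artifacts). Keys are the Label values.
SAMPLE_PLISTS = {
    "com.apple.update-helper": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.update-helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/node</string>
    <string>/Users/dev/.config/.sysupdater/index.js</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "com.example.sync-client": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync-client</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/SyncClient.app/Contents/MacOS/syncd</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.example.dev-server": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.dev-server</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/node</string>
    <string>/Users/dev/projects/app/server.js</string>
  </array>
  <key>RunAtLoad</key><false/>
</dict></plist>""",
}


def _argv(plist: dict) -> list:
    """launchd accepts either ProgramArguments (argv) or a bare Program path."""
    if "ProgramArguments" in plist:
        return list(plist["ProgramArguments"])
    if "Program" in plist:
        return [plist["Program"]]
    return []


def _in_hidden_dir(path: str) -> bool:
    """True if any path component is a dot-directory (e.g. ~/.config/.x/)."""
    return any(p.startswith(".") and p != "." for p in PurePosixPath(path).parts)


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Return the reasons a LaunchAgent looks like Node.js-based persistence."""
    plist = plistlib.loads(plist_bytes)
    argv = _argv(plist)
    label = plist.get("Label", "")
    interpreter = PurePosixPath(argv[0]).name if argv else ""
    reasons = []
    if interpreter in NODE_NAMES:
        reasons.append("launches a Node.js interpreter")
    script = next((a for a in argv[1:] if a.endswith(SCRIPT_SUFFIXES)), None)
    if script and script.startswith(TEMP_PREFIXES):
        reasons.append(f"script lives in a temporary directory: {script}")
    elif script and _in_hidden_dir(script):
        reasons.append(f"script lives in a hidden directory: {script}")
    if label.startswith("com.apple.") and not (argv and argv[0].startswith(APPLE_BINARY_PREFIXES)):
        reasons.append(f"label impersonates Apple but program is not an Apple path: {label}")
    if plist.get("RunAtLoad") or plist.get("KeepAlive"):
        reasons.append("auto-starts via RunAtLoad/KeepAlive")
    # Threshold is an assumption: a Node interpreter plus two more signals.
    suspicious = interpreter in NODE_NAMES and len(reasons) >= 3
    return {"label": label, "argv": argv, "reasons": reasons, "suspicious": suspicious}


def scan_directory(directory: str) -> list:
    """Triage every .plist in a directory, e.g. ~/Library/LaunchAgents."""
    return [triage_launch_agent(p.read_bytes()) for p in sorted(Path(directory).glob("*.plist"))]


if __name__ == "__main__":
    for label, blob in SAMPLE_PLISTS.items():
        result = triage_launch_agent(blob)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {label}: {'; '.join(result['reasons']) or 'no findings'}")
```

Run it as-is to see the three constructed samples scored, or call scan_directory on ~/Library/LaunchAgents and /Library/LaunchAgents on a host under investigation. The heuristics deliberately do not depend on a file hash or a hard-coded label, since the article's point is that signature matching missed this sample; a legitimate Node.js developer agent will still produce the single "launches a Node.js interpreter" finding, so confirm hits by reading the referenced script rather than acting on the score alone.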

This discovery comes amid other security incidents in the crypto sector, such as a recent npm supply chain attack that aimed to hijack transactions on chains including Ethereum (ETH) and Solana (SOL).

  • In that npm incident the attackers netted only about $1,000, minor compared to larger crypto heists.

Mosyle researchers suggest ModStealer may be sold as part of a "Malware-as-a-Service" (MaaS) operation. Its clean record against antivirus engines underlines the need for behavior-based defenses, such as monitoring for new persistence entries and unexpected outbound connections, alongside signature-based protections.