ModStealer Malware Evades Antivirus While Targeting Crypto Wallets
A new malware strain, ModStealer, is actively stealing cryptocurrency wallet data and bypassing detection by all major antivirus engines, according to Apple security firm Mosyle.
Active for nearly a month, ModStealer is being distributed via malicious recruiter ads aimed at developers. The malware is a heavily obfuscated Node.js script; the obfuscation defeats signature-based antivirus matching, so the script runs without being detected.
Unlike typical Mac malware, ModStealer is cross-platform, affecting Windows and Linux systems as well. Its main objective is data exfiltration, targeting 56 browser wallet extensions to capture private keys, credentials, and certificates. The malware also supports clipboard hijacking, screen recording, and remote code execution, giving attackers near-total control over infected devices. On macOS, it achieves persistence using Apple’s LaunchAgent system.
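Because the macOS persistence described above rides on launchd, a defender's first triage step is to audit the user's LaunchAgents for entries that hand a script to a Node.js interpreter. The following is an added example written for this page, not code from Mosyle or from the ModStealer analysis; the heuristic it applies (flag agents whose ProgramArguments invoke `node`/`nodejs`, reference a script in a temp or shared directory or a hidden path, and auto-start via RunAtLoad/KeepAlive) is an assumption made for illustration, not an indicator published on the page. The two sample plists are constructed.

```python
"""Audit macOS LaunchAgent plists for Node.js-based persistence.

Added example; not code from Mosyle or the ModStealer write-up.
The heuristic below is an assumption for illustration, not a
published indicator of compromise.
"""
import glob
import os
import plistlib
from typing import Dict, Iterable, List, Tuple

# Interpreters a JavaScript payload needs in order to run outside a browser.
NODE_BINARIES = {"node", "nodejs"}
# Directories where a script launched at login is out of place for a vendor agent.
SUSPICIOUS_PATH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def program_of(agent: dict) -> List[str]:
    """Return the command line launchd will execute for this agent."""
    args = agent.get("ProgramArguments")
    if isinstance(args, list) and args:
        return [str(a) for a in args]
    prog = agent.get("Program")
    return [str(prog)] if prog else []


def has_hidden_component(path: str) -> bool:
    """True if any path component is a dotfile/dotdir (excluding '.' and '..')."""
    return any(p.startswith(".") and p not in (".", "..") for p in path.split("/") if p)


def assess_agent(agent: dict) -> List[str]:
    """Return reasons the agent looks like script-based persistence (empty if clean)."""
    reasons: List[str] = []
    argv = program_of(agent)
    if not argv:
        return reasons
    if os.path.basename(argv[0]) in NODE_BINARIES:
        reasons.append(f"runs a Node.js interpreter ({argv[0]})")
    # A script argument living in a temp/shared directory or under a hidden path.
    for arg in argv[1:]:
        if arg.startswith(SUSPICIOUS_PATH_PREFIXES) or has_hidden_component(arg):
            reasons.append(f"script path is unusual: {arg}")
    if reasons and (agent.get("RunAtLoad") or agent.get("KeepAlive")):
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")
    return reasons


def audit_plists(blobs: Iterable[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Parse each (name, plist bytes) pair and return only the flagged agents."""
    findings: Dict[str, List[str]] = {}
    for name, blob in blobs:
        try:
            agent = plistlib.loads(blob)
        except Exception:  # malformed plist: launchd would not load it either
            continue
        reasons = assess_agent(agent)
        if reasons:
            findings[name] = reasons
    return findings


def audit_user_launch_agents() -> Dict[str, List[str]]:
    """Live use on a Mac: scan the current user's LaunchAgents folder."""
    paths = glob.glob(os.path.expanduser("~/Library/LaunchAgents/*.plist"))
    return audit_plists((p, open(p, "rb").read()) for p in paths)


# Constructed sample plists (not real ModStealer artefacts): one benign, one suspicious.
SAMPLES = [
    ("com.example.benign.plist", plistlib.dumps({
        "Label": "com.example.benign",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper", "--daemon"],
        "RunAtLoad": True,
    })),
    ("com.example.suspect.plist", plistlib.dumps({
        "Label": "com.example.suspect",
        "ProgramArguments": ["/usr/local/bin/node", "/Users/Shared/.sysupdate/index.js"],
        "RunAtLoad": True,
        "KeepAlive": True,
    })),
]

if __name__ == "__main__":
    for name, reasons in audit_plists(SAMPLES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run as-is it reports only the constructed `com.example.suspect.plist`; `audit_user_launch_agents()` applies the same checks to a real `~/Library/LaunchAgents`. Treat hits as triage leads rather than verdicts: developer tooling legitimately registers Node.js-based agents, so the script path and auto-start flags together carry more weight than the interpreter name alone.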
Mosyle notes that ModStealer fits the Malware-as-a-Service model, where pre-built malware is sold to affiliates with limited technical skills. This approach has fueled a surge in infostealers, with Jamf reporting a 28% increase in 2025.
The malware continues a growing trend seen in npm package attacks, such as colortoolsv2 and mimelib2, which used Ethereum smart contracts to hide secondary malware stages. ModStealer demonstrates how cybercriminals are intensifying attacks across ecosystems to compromise developer environments and directly target cryptocurrency wallets.