ModStealer Malware Targets Crypto Wallets on Mac, Windows, Linux

Researchers from Mosyle have uncovered ModStealer, a sophisticated cross-platform malware targeting cryptocurrency wallets on Windows, Linux, and macOS that evades detection by major antivirus engines. Distributed via fake job recruiter ads aimed at developers, ModStealer leverages heavily obfuscated JavaScript within Node.js environments to infiltrate systems and steal sensitive data such as private keys, credentials, and certificates from browser wallet extensions. On macOS, it persists stealthily by exploiting the launchctl tool and disguising itself as a background helper process, exfiltrating stolen data to servers linked to infrastructure in Europe to conceal operators' locations. This malware exemplifies the growing Malware-as-a-Service trend, allowing affiliates with limited expertise to deploy ready-made malicious packages, posing serious risks to the broader digital asset ecosystem. Experts highlight ModStealer's multi-platform capability and stealthy, zero-detection execution chain as factors that distinguish it from traditional stealers, emphasizing the need for heightened vigilance among developers and users of crypto wallets. The malware's deployment through trusted-looking online channels further complicates detection, underscoring a troubling evolution in cybersecurity threats targeting digital assets.