
“ModStealer” Malware Targets Crypto Wallets, Evades Antivirus Detection
ModStealer is a new cross-platform malware that evades antivirus tools, spreads through fake job ads, and steals crypto wallet credentials.
In a rush? Here are the quick facts:
- ModStealer spreads through fake job ads targeting developers.
- Malware steals crypto wallets, credentials, and configuration details.
- It bypasses antivirus detection using obfuscated NodeJS code.
The cybersecurity company Mosyle detected a dangerous new malware that steals sensitive information while evading detection by standard antivirus systems. The security community discovered the ModStealer malware on VirusTotal nearly a month ago, yet it has gone unnoticed by major security engines.
The findings, first detailed by 9to5Mac, show how ModStealer operates across multiple operating systems. The malware is a multi-platform tool built specifically to steal data from users. It is distributed through fake job recruitment advertisements targeting developers.
The disguised NodeJS JavaScript file runs on victim computers without triggering any alerts from typical antivirus software.
The malware’s primary target is personal data. The researchers found code that targets cryptocurrency wallets, login credentials, configuration details, and certificates.
The malware contains pre-programmed attacks against 56 browser wallet extensions, including Safari, which enable hackers to steal private keys and account details.
ModStealer is also capable of clipboard capture, screen capture, and even remote code execution. “The first two are bad, but the latter can give attackers nearly complete control over infected devices,” Mosyle explained, as reported by 9to5Mac.
On macOS, the malware uses Apple’s own launchctl tool to embed itself as a LaunchAgent, giving it persistence on infected machines. The malware functions in stealth mode, collecting system data which it then transfers to a Finnish server connected to a German-based infrastructure. In this way it hides the attackers’ actual location.
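As an added illustration (not code from Mosyle or 9to5Mac), the following Python script shows how a defender could audit a macOS user's LaunchAgents folder for the kind of persistence entry described above: an agent that launches an interpreter such as node against a script in a hidden or temporary directory. The two plists, the heuristics and all paths are constructed for this example.

```python
import plistlib
import tempfile
from pathlib import Path

# Constructed heuristics for this example: an interpreter launching a script from
# a hidden or temporary directory. Illustrative only, not Mosyle's detection logic.
SUSPECT_INTERPRETERS = {"node", "nodejs", "osascript", "sh", "bash", "python3"}
SUSPECT_PATH_MARKERS = ("/tmp/", "/var/tmp/", "/private/tmp/", "/.")  # "/." = hidden dir

def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return reasons a LaunchAgent plist looks suspicious; empty list means clean."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # a malformed plist is itself worth a second look
        return [f"unparseable plist: {exc}"]
    args = list(plist.get("ProgramArguments") or [])
    if isinstance(plist.get("Program"), str):
        args.insert(0, plist["Program"])
    if not args:
        return ["no Program or ProgramArguments"]
    reasons = []
    if Path(args[0]).name in SUSPECT_INTERPRETERS:
        reasons.append(f"runs interpreter {Path(args[0]).name!r}")
    for arg in args:
        if any(m in arg for m in SUSPECT_PATH_MARKERS):
            reasons.append(f"references unusual path {arg!r}")
            break
    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive persistence")
    return reasons

def audit_directory(agents_dir: Path) -> dict[str, list[str]]:
    """Audit every *.plist in a LaunchAgents directory; keys are flagged file names."""
    findings = {}
    for path in sorted(agents_dir.glob("*.plist")):
        reasons = audit_launch_agent(path.read_bytes())
        if reasons:
            findings[path.name] = reasons
    return findings

def demo() -> dict[str, list[str]]:
    """Write two constructed LaunchAgents (one benign, one suspicious) and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = Path(tmp)
        benign = {"Label": "com.example.helper", "RunAtLoad": True,
                  "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"]}
        shady = {"Label": "com.dev.nodesync", "RunAtLoad": True, "KeepAlive": True,
                 "ProgramArguments": ["/usr/local/bin/node", "/Users/dev/.cache/.sys/index.js"]}
        (agents / "com.example.helper.plist").write_bytes(plistlib.dumps(benign))
        (agents / "com.dev.nodesync.plist").write_bytes(plistlib.dumps(shady))
        return audit_directory(agents)
```

Running `audit_directory(Path.home() / "Library/LaunchAgents")` on a real Mac lists only the agents that trip a heuristic; `demo()` flags just the constructed node agent.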
9to5Mac reports that Mosyle believes ModStealer is part of a growing Malware-as-a-Service market, where professional hackers sell ready-made malware to less skilled criminals.
“For security professionals, developers, and end users alike, this serves as a stark reminder that signature-based protections alone are not enough,” Mosyle warns, as reported by 9to5Mac.