Cybersecurity researchers at Mosyle, a device management and security provider, have discovered a new and highly stealthy malware strain, according to a report first shared with 9to5Mac. Called ModStealer, it had been evading detection by the major antivirus engines for nearly a month.
The discovery is particularly alarming because the malware runs on macOS, Linux and Windows and is built specifically for data theft, with a strong focus on cryptocurrency wallets.
ModStealer primarily targets developers through malicious job recruitment ads that trick them into executing a heavily obfuscated JavaScript file built for Node.js (which is what lets a single payload run on all three platforms). The obfuscation lets it slip past signature-based antivirus defenses, which rely on recognizing known patterns of malicious code.
Its primary goal is data exfiltration. It focuses on stealing:
- Cryptocurrency wallet private keys and credentials from 56 popular browser wallet extensions, including those on Safari and Chromium-based browsers.
- Configuration files, certificates, and other sensitive credentials.
- Clipboard data and screenshots, giving attackers ongoing surveillance of the victim.
Further compounding the risk, ModStealer supports remote code execution, potentially granting attackers near-total control over the infected devices.
Persistence
On macOS, ModStealer persists by registering itself as a LaunchAgent and loading it with Apple's launchctl utility, so launchd restarts it at every login. That lets it remain operational and undetected for a long time, silently monitoring activity and sending stolen information to remote servers. A quick check on a suspect Mac is to review ~/Library/LaunchAgents for entries you did not install, particularly ones that launch a script interpreter such as node from a user-writable path.
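The following is an added example, not code from Mosyle or from the ModStealer sample itself: a small triage script that parses LaunchAgent plists and flags the shape described above (a script interpreter such as node launched from a user-writable or hidden path, with RunAtLoad and KeepAlive set). The two embedded plists are constructed for illustration; the com.example labels, paths and scoring heuristics are assumptions and do not reflect the real malware's artifacts.

```python
"""Triage LaunchAgent plists for interpreter-based persistence.

Added example (not Mosyle's or ModStealer's code). The plists below are
constructed samples and the heuristics are illustrative assumptions.
"""
import plistlib
import sys
from pathlib import Path, PurePosixPath

# Interpreters a LaunchAgent rarely needs to invoke directly; a Node.js-based
# infostealer persisting via launchd would typically look like this.
INTERPRETERS = {"node", "nodejs", "osascript", "python", "python3", "sh", "bash", "zsh"}

# Locations an unprivileged user can write to, where a dropped payload ends up.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")

# Constructed sample shaped like a Node.js persistence entry (assumed, not a real artifact).
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/bin/node</string>
    <string>/Users/alice/.config/.sysupdater/index.js</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign sample: a vendor helper shipped inside its own app bundle.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.vendor.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/ExampleHelper</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def analyze_agent(plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent plist and list the reasons it looks like persistence abuse."""
    data = plistlib.loads(plist_bytes)
    # launchd accepts either ProgramArguments (argv) or a bare Program path.
    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    reasons = []
    if args and PurePosixPath(args[0]).name in INTERPRETERS:
        reasons.append(f"launches script interpreter '{PurePosixPath(args[0]).name}' directly")
    for arg in args:
        if arg.startswith(USER_WRITABLE_PREFIXES):
            reasons.append(f"references user-writable path {arg}")
        # parts[1:] skips the root so only real dot-directories/files count as hidden.
        if any(part.startswith(".") for part in PurePosixPath(arg).parts[1:]):
            reasons.append(f"hidden path component in {arg}")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: starts at login and respawns if killed")
    return {"label": data.get("Label", "<no label>"), "command": " ".join(args), "reasons": reasons}


def scan_directory(directory: Path) -> list:
    """Analyze every .plist in a LaunchAgents directory; unparseable files are reported, not skipped."""
    findings = []
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            result = analyze_agent(plist_path.read_bytes())
        except (ValueError, OSError) as exc:  # plistlib.InvalidFileException subclasses ValueError
            result = {"label": plist_path.name, "command": "", "reasons": [f"could not parse: {exc}"]}
        result["path"] = str(plist_path)
        findings.append(result)
    return findings


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Library" / "LaunchAgents"
    if target.is_dir():
        for finding in scan_directory(target):
            if finding["reasons"]:
                print(f"[!] {finding['path']} ({finding['label']}): {finding['command']}")
                for reason in finding["reasons"]:
                    print(f"    - {reason}")
    else:
        print(f"{target} not found; showing the constructed samples instead")
    for name, sample in (("suspicious", SUSPICIOUS_AGENT), ("benign", BENIGN_AGENT)):
        print(name, analyze_agent(sample)["reasons"])
```

Run it with no arguments on a Mac to scan the current user's LaunchAgents, or pass another directory such as /Library/LaunchAgents. The heuristics are deliberately simple and will flag legitimate developer tooling that persists a node or python script, so treat a hit as a prompt to inspect the script it points at, not as a verdict.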
Researchers note that the stolen data is sent to servers that appear to be located in Europe, though the routing may be intended to obscure the operators' true location. ModStealer fits the profile of Malware-as-a-Service (MaaS), in which malware developers sell ready-made malicious tools to affiliates who may lack advanced technical skills. This business model has been gaining popularity among cybercriminal groups because it lowers the barrier to entry for launching sophisticated attacks.
This trend aligns with recent reports showing a significant increase in infostealer malware in 2025, making it one of the most prevalent types of threats to Apple devices and beyond.
Mosyle's findings show that relying on signature-based antivirus detection alone isn't sufficient. Instead, a multi-layered approach is necessary, combining:
- Continuous monitoring and behavioral analysis to detect suspicious activity.
- Wariness of unexpected job offers or recruitment ads, especially those asking you to download or execute files.
- Segmentation of environments, especially keeping sensitive cryptocurrency wallets on separate, secured devices or hardware wallets.
- Use of virtualization or sandbox environments to open unverified files safely.
- Regular updates and adherence to cybersecurity best practices.
ModStealer underscores how cyber threats are evolving rapidly, becoming more stealthy and adaptable across platforms. It serves as an important reminder for IT professionals, developers, and end-users to adopt proactive security measures and stay vigilant against emerging threats.
Stay informed, back up your data, and ensure your security solutions evolve to meet the challenges of today’s digital landscape.