Security firm Mosyle has identified ModStealer, a new cross-platform malware capable of bypassing antivirus software to exfiltrate assets from browser-based cryptocurrency wallets on Windows, Linux, and macOS systems.
Executive Summary
Mosyle, a leader in Apple device management and security, has identified ModStealer, a new cross-platform infostealer malware. ModStealer targets macOS, Windows, and Linux environments, specifically designed to bypass traditional antivirus detection. Its primary objective is the exfiltration of sensitive data, focusing on cryptocurrency wallets, credential files, configuration details, and digital certificates. The malware spreads through malicious job advertisements, primarily targeting developers, who often possess high-value digital assets.
The Event in Detail
ModStealer has remained undetected by major antivirus engines for nearly a month since its appearance on VirusTotal. The malware is delivered through malicious job recruiter ads that target developers, leveraging their common use of Node.js environments. It operates as a heavily obfuscated JavaScript file written for Node.js, which contributes to its evasion of signature-based defenses. Mosyle's analysis reveals pre-loaded code capable of extracting private keys and sensitive account information from 56 different browser wallet extensions, including Safari. Beyond crypto theft, ModStealer features clipboard capture, screen capture, and remote code execution, granting attackers extensive control over infected systems. On macOS, it ensures persistence by abusing Apple's launchctl tool, embedding itself as a LaunchAgent to continuously monitor activity and exfiltrate data to remote servers. Mosyle suggests ModStealer aligns with the profile of Malware-as-a-Service (MaaS). Shān Zhang, Chief Information Security Officer at blockchain security firm Slowmist, characterized ModStealer as unique due to its "multi-platform support and stealthy 'zero-detection' execution chain."
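The persistence mechanism described above (a LaunchAgent that keeps a Node.js script running) is something a defender can audit directly. The following is an added example, not code from Mosyle's report: it parses LaunchAgent plists and flags entries that launch a script interpreter, point at a cache or temp path, or combine RunAtLoad with KeepAlive. The two embedded plists are constructed samples; the interpreter and path lists are assumptions to tune per environment.

```python
import plistlib
from pathlib import Path

# Constructed sample LaunchAgents (not from Mosyle's report). The first mimics
# the pattern described above: a KeepAlive agent that runs a Node.js script.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
<string>/usr/local/bin/node</string><string>/Users/dev/.cache/a.js</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.sync</string>
<key>Program</key><string>/Applications/Sync.app/Contents/MacOS/sync</string>
<key>RunAtLoad</key><true/>
</dict></plist>"""

# Assumed heuristics: interpreters an obfuscated-script stealer needs, and
# user-writable locations a legitimate agent rarely runs code from.
SCRIPT_INTERPRETERS = {"node", "nodejs", "osascript", "python", "python3", "sh", "bash", "zsh"}
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/.cache/", "/Library/Caches/", "/Downloads/")

def assess_launch_agent(plist_bytes: bytes) -> dict:
    """Return {'label', 'program', 'reasons'}; a non-empty 'reasons' list means review it."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    program = args[0] if args else ""
    reasons = []
    if Path(program).name in SCRIPT_INTERPRETERS:
        reasons.append(f"runs a script interpreter: {program}")
        script = next((a for a in args[1:] if not a.startswith("-")), "")
        if any(d in script for d in SUSPICIOUS_DIRS):
            reasons.append(f"script lives in a cache/temp path: {script}")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: launchd restarts it if killed")
    return {"label": data.get("Label", "?"), "program": program, "reasons": reasons}

def scan_launch_agents(directory="~/Library/LaunchAgents") -> list:
    """Assess every .plist in a LaunchAgents folder; returns only flagged entries."""
    flagged = []
    for path in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            result = assess_launch_agent(path.read_bytes())
        except Exception as exc:  # a malformed plist is itself worth a look
            result = {"label": path.name, "program": "", "reasons": [f"unparseable: {exc}"]}
        if result["reasons"]:
            flagged.append((str(path), result))
    return flagged
```

Running scan_launch_agents() on a Mac reviews the current user's agents; pass "/Library/LaunchAgents" to cover the system-wide folder as well.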
Market Implications
The discovery of ModStealer heightens security risks across the digital asset ecosystem, particularly for users of browser-based cryptocurrency wallets. The malware's ability to remain undetected by mainstream antivirus solutions underscores the limitations of signature-based protections and necessitates advanced behavioral defenses. For individual users, private keys, seed phrases, and exchange API keys are at risk of compromise, potentially leading to direct asset loss. For the broader crypto industry, mass theft of browser extension wallet data could trigger large-scale on-chain exploits, eroding trust and amplifying supply chain risks. The targeting of developers through deceptive job ads highlights a critical vulnerability in the software supply chain, a vector previously exploited in significant attacks like the NPM supply chain attack, which impacted packages with over 2 billion weekly downloads. This past incident also demonstrated how malicious code can gain access to the same JavaScript execution context as Web3 wallets within browser environments, facilitating sophisticated transaction manipulation.
Expert Commentary
Shān Zhang of Slowmist stated that ModStealer "poses significant risks to the broader digital asset ecosystem," emphasizing its "multi-platform support and stealthy 'zero-detection' execution chain." Zhang further warned that for end-users, "private keys, seed phrases, and exchange API keys may be compromised, resulting in direct asset loss." He added that for the crypto industry, "mass theft of browser extension wallet data could trigger large-scale on-chain exploits, eroding trust and amplifying supply chain risks." Mosyle stressed the inadequacy of signature-based protections alone, advocating for continuous monitoring, behavior-based defenses, and awareness of emerging threats.
Broader Context
The attack vector, using fake job offers to target developers, echoes tactics employed by financially motivated threat actors like EncryptHub (aka LARVA-208 and Water Gamayun), who previously targeted Web3 developers with information stealer malware like Fickle through deceptive AI platforms. These groups target Web3 developers due to their access to crypto wallets, smart contract repositories, and sensitive test environments, often operating across multiple decentralized projects without traditional enterprise security controls. The incident highlights the evolving sophistication of cryptocurrency theft capabilities, which combine advanced obfuscation, cross-chain support, and intelligent address replacement algorithms. This context underscores the critical importance of Web3 security awareness and the need for robust security measures, including proactive phishing protection and transaction analysis tools like Wallet Guard, when interacting with cryptocurrency applications, particularly as decentralized finance continues to grow.