ModStealer, a new piece of malware uncovered by Apple device security firm Mosyle on Thursday, quietly stole data from users for nearly a month before detection. The software runs on macOS, Windows and Linux.
It spreads through fake recruiter ads and hides in a heavily obfuscated JavaScript file. Mosyle says the code targets 56 browser wallet extensions, aims to grab private keys and credential files, and sends stolen data to a server that looks like it is in Finland but links back to infrastructure in Germany.
Malware discovery
Mosyle found ModStealer after seeing signs of unusual activity on managed devices. The code had slipped past standard antivirus tools. Researchers say the file was built to evade signature checks.
It ran like a normal script at first glance. That allowed it to move under the radar for weeks.
How does the attack start?
The campaign begins with bogus job posts aimed at software developers. The ads lure victims to download what appears to be a recruitment or test file. That file carries a hidden JavaScript payload.
Once executed, the payload runs preloaded scripts that look for popular wallet extensions in the user’s browsers. The fake file is the trick that opens the door.
What does the malware do?
ModStealer focuses on data theft, and it can read clipboard contents and capture the screen. It can also execute code sent by the attackers remotely, which gives them a wide range of options.
On macOS, the malware keeps itself active by abusing Apple’s launchctl tool and installs as a LaunchAgent. That makes it run every time the device starts. The stolen files include wallet keys, configuration files, certificates, and other credential material.
Targets and scope
Mosyle’s report notes 56 browser wallet extensions on the hit list. Safari is included, and the malware aims for the places where users store private keys and session info.
Windows and Linux users are at risk as well. The cross-platform design shows that the attackers built the tool to work across many environments.
Reports say the stolen data is sent to a remote server that appears to be based in Finland. Mosyle’s analysis also links that server to infrastructure in Germany.
The split setup may be meant to confuse investigators about the operators’ real location. Researchers flagged the server placement and routing as deliberate steps to hide the origin of the campaign.
Malware as a service
Mosyle warned that ModStealer fits a growing model where developers sell infostealers to affiliates. That lets low-skilled criminals run advanced campaigns without writing the code themselves.
The model spreads risk and scales attacks, and it also speeds up the weaponisation of new tricks that bypass older defences.
Broader crypto risk and supply chain scare
The ModStealer discovery comes as the crypto community reels from another incident. As we reported on Monday, Ledger CTO Charles Guillemet urged users to pause on-chain transactions after a major NPM supply chain attack.
The attackers used spoofed support emails to steal developer credentials. They then tried to publish malicious packages that could swap destination addresses on Ethereum, Solana and other chains.
By early Tuesday, teams including Uniswap, MetaMask, OKX Wallet, Sui, Aave, Trezor and Lido reported they were not affected. Security group SEAL Org said the narrow outcome was lucky. The group warned that a compromised account with widely used packages could have been catastrophic.
Mosyle told readers that signature-based detection is not enough. The firm urged continuous monitoring and behaviour-based defences.
It also called for stronger user awareness around recruiter-style lures and unexpected downloads. Developers and security teams need to watch for odd approvals, new LaunchAgents on macOS, and unexplained outbound connections.
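As an added illustration of the LaunchAgent check recommended above (example code written for this article, not from Mosyle's report), the following Python scanner parses the plists in a LaunchAgents directory and flags jobs that combine a script interpreter or JavaScript file, an unusual path such as Downloads or a temp directory, and a run-at-login setting. The heuristic lists and the two sample jobs are constructed assumptions, not indicators from the report.

```python
import plistlib
import tempfile
from pathlib import Path
# Assumed heuristics, not from Mosyle's report: tune them for your fleet.
SCRIPT_INTERPRETERS = {"node", "osascript", "sh", "bash", "zsh", "python3"}
UNUSUAL_PATH_MARKERS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Downloads/")

def suspicious_reasons(job: dict) -> list[str]:
    """Explain why one parsed LaunchAgent plist looks like script persistence."""
    args = job.get("ProgramArguments") or ([job["Program"]] if job.get("Program") else [])
    if not args:
        return []
    reasons = []
    if Path(args[0]).name in SCRIPT_INTERPRETERS:
        reasons.append(f"runs interpreter {Path(args[0]).name}")
    if any(a.endswith(".js") for a in args):
        reasons.append("executes a JavaScript file")
    if any(marker in a for a in args for marker in UNUSUAL_PATH_MARKERS):
        reasons.append("references a temp or Downloads path")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts at login / kept alive")
    return reasons

def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Parse every .plist in a LaunchAgents directory; map Label -> reasons."""
    findings = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            job = plistlib.loads(path.read_bytes())
        except Exception:
            findings[path.name] = ["unparseable plist"]  # odd enough to review
            continue
        if reasons := suspicious_reasons(job):
            findings[job.get("Label", path.name)] = reasons
    return findings

# Constructed sample jobs: an ordinary updater and one mimicking script persistence.
SAMPLE_JOBS = {
    "com.example.updater": {"Label": "com.example.updater", "StartInterval": 3600,
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]},
    "com.example.helper": {"Label": "com.example.helper", "RunAtLoad": True,
        "ProgramArguments": ["/usr/local/bin/node", "/Users/dev/Downloads/test.js"]},
}

def demo() -> dict[str, list[str]]:
    """Write the samples into a temporary directory and scan it like ~/Library/LaunchAgents."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, job in SAMPLE_JOBS.items():
            (Path(tmp) / f"{name}.plist").write_bytes(plistlib.dumps(job))
        return scan_launch_agents(Path(tmp))
```

On a real Mac, point scan_launch_agents at ~/Library/LaunchAgents and /Library/LaunchAgents and review every flagged label against what the user actually installed.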