Beware, ModStealer is on the move

A new strain of malware built to steal crypto wallet data is slipping past every major antivirus product, according to security firm Mosyle.

Mosyle, Apple’s official security provider, said in a statement that malware called ModStealer is hijacking systems and stealing data. Its capabilities include clipboard hijacking, screen capture, and remote code execution, which means the victim loses almost all control of the affected device.

How do they do this?

ModStealer reaches its victims through fake job recruiter ads that especially target developers, according to Mosyle’s analysis. It is built with heavily encrypted code that signature-based defenses do not detect, and it runs on Windows, Linux, and Mac.

A key factor in ModStealer’s danger is its use of obfuscation. That is, the code is deliberately made complicated, which makes it invisible to traditional, signature-based antivirus software that relies on matching simpler, unaltered malicious code.

Its main focus is data exfiltration, particularly from systems that hold crypto wallets, credentials, and other private files.

Impacts of ModStealer

Analysts at Mosyle said the malware threatens both the financial assets and the digital security of its victims. The report says it can extract private keys from over 50 browser extensions, including those used in Apple’s Safari browser.

On macOS, the malware can stay on a victim’s computer unnoticed for a long time by abusing Apple’s own launchctl tool: it embeds itself as a Launch Agent so that it runs automatically and silently in the background.
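One way to review the Launch Agent persistence described above, as an added example that is not from Mosyle's report or this article: the script parses Launch Agent plists and lists the ones that start automatically from unusual locations. The interpreter list, the path heuristics and the two sample plists are constructed assumptions, not ModStealer indicators.

```python
import plistlib
from pathlib import Path

# Review heuristics below are assumptions for illustration, not ModStealer indicators.
INTERPRETERS = {"sh", "bash", "zsh", "python3", "node", "osascript"}
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def assess(job):
    """Return the reasons a parsed Launch Agent plist deserves manual review."""
    argv = [str(a) for a in job.get("ProgramArguments") or []]
    if job.get("Program"):  # Program, when present, is the executable launchd runs
        argv = [str(job["Program"])] + argv[1:]
    if not argv:
        return ["no Program or ProgramArguments"]
    reasons = []
    if Path(argv[0]).name in INTERPRETERS:
        reasons.append(f"runs via interpreter {Path(argv[0]).name}")
    for arg in (a for a in argv if a.startswith("/")):
        if arg.startswith(WRITABLE_PREFIXES):
            reasons.append(f"path in world-writable location: {arg}")
        elif any(part.startswith(".") for part in Path(arg).parts):
            reasons.append(f"path inside hidden directory: {arg}")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")
    return reasons

def scan(dirs=None):
    """Map each flagged Launch Agent plist on disk to its review reasons."""
    # Standard per-user and system-wide Launch Agent directories on macOS.
    dirs = dirs or [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]
    findings = {}
    for plist in (p for d in dirs if d.is_dir() for p in sorted(d.glob("*.plist"))):
        try:
            findings[str(plist)] = assess(plistlib.loads(plist.read_bytes()))
        except Exception:
            findings[str(plist)] = ["unreadable or unparseable plist"]
    return {path: why for path, why in findings.items() if why}

# Constructed samples (not taken from any real infection).
HEAD = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
SAMPLE_SUSPECT = HEAD + b"""<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/node</string>
<string>/Users/dev/.cache/sysupd.js</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
SAMPLE_BENIGN = HEAD + b"""<key>Label</key><string>com.example.helper</string>
<key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
<key>RunAtLoad</key><true/></dict></plist>"""

if __name__ == "__main__":
    print(assess(plistlib.loads(SAMPLE_SUSPECT)), assess(plistlib.loads(SAMPLE_BENIGN)))
    for path, why in scan().items():
        print(path, "->", "; ".join(why))
```

A flagged entry is a prompt for manual review, not a verdict; legitimate developer tools also install Launch Agents that run through an interpreter.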

“For security professionals, developers, and end users alike, this serves as a stark reminder that signature-based protections alone are not enough. Continuous monitoring, behavior-based defenses, and awareness of emerging threats are essential to stay ahead of adversaries,” Mosyle warns.

ModStealer shows that hackers are getting more clever. They are now targeting all types of computers to sneak into developer systems and steal cryptocurrency directly.

Disclaimer:
This article is for informational purposes only and does not constitute financial, investment, or trading advice. Cryptocurrency investments are subject to high market risk. Readers should conduct their own research or consult with a financial advisor before making any investment decisions. The views expressed here do not necessarily reflect those of the publisher.
