Security researchers have identified a new malware called ModStealer that targets crypto wallets on Windows, macOS, and Linux. The malware is designed to steal private keys and sensitive information while remaining undetectable by most antivirus programs.

How ModStealer Operates
ModStealer is distributed through fake job recruiter advertisements, often aimed at developers who handle sensitive credentials and crypto wallet keys. The malware is built using heavily obfuscated JavaScript within a Node.js environment, making it hard to detect. Since Node.js is widely used by developers and often has elevated permissions, it provides an attractive entry point for attackers.
Once installed, ModStealer works as an infostealer, extracting valuable data from victims. It can access over 50 browser wallet extensions, including extensions for Safari, to steal crypto wallet private keys. It can also record clipboard activity, capture screenshots, and remotely execute malicious commands, giving cybercriminals near-total control over infected systems.

Stealth and Persistence
On macOS devices, ModStealer can use the system’s launchctl tool to run automatically at startup, masquerading as a legitimate background process. Stolen data is transmitted to remote servers in Europe, with routing designed to conceal the attackers’ true locations.
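
Defenders can audit this persistence point directly. The Python script below is an added example, not code from the researchers or from ModStealer: it parses the launchd job definitions that launchctl loads from the standard macOS directories and flags jobs that start Node.js or a JavaScript file. The heuristics and the sample job are assumptions constructed for illustration, not indicators from a real sample.

```python
import plistlib
from pathlib import Path

# Standard launchd job directories on macOS.
LAUNCHD_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]
JS_SUFFIXES = (".js", ".mjs", ".cjs")

def job_command(job):
    """Return the argv a launchd job runs (Program and/or ProgramArguments)."""
    argv = list(job.get("ProgramArguments") or [])
    if job.get("Program"):
        argv.insert(0, job["Program"])
    return [str(a) for a in argv]

def review_job(job):
    """Return reasons a job deserves manual review (heuristic; an assumption)."""
    argv, reasons = job_command(job), []
    if any(Path(a).name in ("node", "nodejs") for a in argv):
        reasons.append("runs the Node.js interpreter")
    if any(a.lower().endswith(JS_SUFFIXES) for a in argv):
        reasons.append("executes a JavaScript file")
    if not reasons:
        return reasons  # not a Node.js job; nothing to report
    if job.get("RunAtLoad") or job.get("KeepAlive"):
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")
    if any(p.startswith(".") and p not in (".", "..") for a in argv for p in Path(a).parts):
        reasons.append("path includes a hidden directory")
    return reasons

def scan(dirs=LAUNCHD_DIRS):
    """Parse every plist in the given directories and return {path: reasons}."""
    findings = {}
    for d in dirs:
        for plist in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                with plist.open("rb") as fh:
                    job = plistlib.load(fh)
            except Exception:
                findings[str(plist)] = ["unparseable plist"]
                continue
            reasons = review_job(job) if isinstance(job, dict) else []
            if reasons:
                findings[str(plist)] = reasons
    return findings

# Constructed sample job for testing; not taken from any real malware sample.
SAMPLE = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
    "ProgramArguments": ["/usr/local/bin/node", "/Users/dev/.cache/helper.js"]})

if __name__ == "__main__":
    for path, reasons in scan().items():
        print(path, "->", "; ".join(reasons))
```

A flagged job is a prompt for manual review, since legitimate developer tooling can also register Node.js launch agents.
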
Why Developers Are Targeted
Developers are particularly vulnerable because they frequently handle access keys and other sensitive credentials. ModStealer’s ability to operate quietly in the background makes signature-based antivirus tools largely ineffective. Security experts advise adding multiple layers of protection and being cautious when downloading files or responding to suspicious job offers.

Growing Threats to Crypto Wallets
As cryptocurrency adoption expands globally, cybercriminals are finding increasingly sophisticated ways to target digital assets. ModStealer serves as a stark reminder of the importance of securing crypto wallets across all major operating systems.
