ModStealer Malware Evades Detection, Targets Crypto Wallets

Malware spreads through fake recruiter ads aimed at developers.

  • A new malware strain called ModStealer targets crypto wallets on Windows, macOS, and Linux.
  • ModStealer evades common antivirus detection and steals sensitive data.
  • It disguises itself as a helper program and sends stolen details to remote servers.
  • Experts warn it poses a serious risk to crypto users and digital asset platforms.

A newly identified malware called ModStealer is actively targeting cryptocurrency users by stealing data from browser-based wallet extensions on computers running Windows, Linux, and macOS. The malware was discovered in early September after operating undetected for nearly a month and is distributed using fake job recruiter ads designed to reach developers.


According to security company Mosyle, the malware is spread through misleading advertisements that specifically target developers likely to have Node.js environments already set up. The payload delivered through these ads is heavily obfuscated, which helps ModStealer avoid being flagged by most major antivirus tools. Once executed, the malware searches the infected system for browser wallet extensions, login credentials, and digital certificates.

Shān Zhang, the chief information security officer at blockchain security group Slowmist, stated to Decrypt that ModStealer works across multiple operating systems and “evades detection by mainstream antivirus solutions and poses significant risks to the broader digital asset ecosystem.” Once running, ModStealer sends all stolen information to command and control (C2) servers operated by attackers. C2 servers are systems cybercriminals use to coordinate and manage malware activities remotely.

On macOS devices, ModStealer persists by setting itself up as a background helper application that launches on startup. Signs of infection include the presence of a hidden file named “.sysupdater.dat” and unusual connections to suspicious servers. Zhang explained that its use of common persistence methods, combined with strong code obfuscation, helps it remain undetected by signature-based security tools.
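The following hunt script is an added example and is not code from the article, from Mosyle or from SlowMist. It checks a directory tree for the two host-based indicators named above: the hidden “.sysupdater.dat” file, and a startup helper that references it. The article does not say how the helper is registered; the script assumes the common macOS mechanism, a launchd job (.plist under a LaunchAgents or LaunchDaemons directory). The `/Users/dev` fixture path and the `com.example.helper` label in the demo fixture are constructed for the demonstration, not real indicators.

```shell
#!/bin/sh
# Added example: hunt for the ModStealer indicators the article names on macOS.
# Assumptions (not from the article): the "background helper that launches on
# startup" is a launchd job, so persistence appears as a .plist in a
# LaunchAgents/LaunchDaemons directory whose contents reference the hidden
# ".sysupdater.dat" payload file.

# scan_root ROOT: print one line per finding. Returns 0 when the tree is clean
# and 1 when at least one indicator was found, so it can gate other tooling.
scan_root() {
    root="$1"
    found=0

    # 1. The hidden payload file anywhere under ROOT (on a live host use / or $HOME).
    files=$(find "$root" -type f -name '.sysupdater.dat' 2>/dev/null)
    if [ -n "$files" ]; then
        printf '%s\n' "$files" | sed 's/^/IOC file: /'
        found=1
    fi

    # 2. launchd plists in any LaunchAgents/LaunchDaemons directory whose
    #    contents mention the payload file name (persistence at login/boot).
    plists=$(find "$root" -type f \
        \( -path '*/LaunchAgents/*.plist' -o -path '*/LaunchDaemons/*.plist' \) \
        -exec grep -l 'sysupdater.dat' {} + 2>/dev/null)
    if [ -n "$plists" ]; then
        printf '%s\n' "$plists" | sed 's/^/Persistence plist: /'
        found=1
    fi

    return $found
}

# make_fixture: build a constructed (fake) infected home directory in a temp
# dir and print its path, so the hunt can be demonstrated offline. The label
# and paths below are invented for the demo only.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/Users/dev/Library/LaunchAgents"
    : > "$fx/Users/dev/.sysupdater.dat"
    cat > "$fx/Users/dev/Library/LaunchAgents/com.example.helper.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.helper</string>
    <key>ProgramArguments</key>
    <array><string>/Users/dev/.sysupdater.dat</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
    printf '%s\n' "$fx"
}

# Usage: sh modstealer_hunt.sh --demo      (scan the constructed fixture)
#        sh modstealer_hunt.sh "$HOME"     (scan a real directory tree)
case "${1:-}" in
    --demo) scan_root "$(make_fixture)" ;;
    "") ;;
    *) scan_root "$1" ;;
esac
```

On a live host, scanning `/` needs read access to every home directory and takes a while; scanning `$HOME` and `/Library` separately is usually enough. The third indicator in the article, unusual outbound connections, is not covered by a file scan: pair this with `launchctl list` to see what jobs are actually loaded and `lsof -i` to review live network connections from any suspicious process.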

This discovery comes just after Ledger CTO Charles Guillemet warned of another breach involving an NPM developer account compromise that could have replaced crypto wallet addresses in user transactions. Although that attack was stopped early, Guillemet said packages had been set up to target Ethereum, Solana, and other blockchains.


Zhang cautioned that “private keys, seed phrases, and exchange API keys may be compromised, resulting in direct asset loss” for users. For the industry, he added, “mass theft of browser extension wallet data could trigger large-scale on-chain exploits.”
