It’s not every day you hear about a piece of malware that slips past just about every major antivirus out there. But that’s exactly what happened with a new strain discovered last Thursday. Dubbed ModStealer, it’s been quietly stealing data from crypto wallets on Windows, Linux, and macOS—and it went undetected for nearly a month.
The news came from security firm Mosyle, according to an initial report by 9to5Mac. The malware was being distributed through fake job-recruiter ads aimed at developers, and that targeting looks deliberate rather than accidental: the delivery chain relies on a Node.js environment, which developers are far more likely to already have set up, so the payload runs without the attacker having to bring its own runtime.
How ModStealer Works
Once it gets into a system, ModStealer starts scanning for browser-based crypto wallet extensions, system credentials, and digital certificates. It’s not exactly subtle, but it doesn’t need to be if no one catches it.
Shān Zhang, chief information security officer at blockchain security firm Slowmist, broke it down for us. He said ModStealer “evades detection by mainstream antivirus solutions,” which in practice means that at the time it was found none of the major engines flagged it. Unlike traditional stealers, this one supports multiple platforms and has what he calls a “stealthy ‘zero-detection’ execution chain.” Not great news for anyone.
After it collects what it needs, it sends the data off to remote C2 servers. For those not up on the jargon, C2 stands for command-and-control: a server the criminals operate to send instructions to infected devices and to receive whatever those devices steal. The outbound traffic to that server is often the first thing a defender can see.
Staying Hidden on macOS
On Apple machines, the malware sets itself up to run automatically every time the computer starts, registering as a background helper program so it keeps running quietly without tipping anyone off. (On macOS, auto-starting a background program means going through launchd, the system service manager, which is where such an entry would be found.) Signs you might be infected? Look for a hidden file named “.sysupdater.dat” and for outbound connections from the machine to servers you don’t recognize, which would be its C2 traffic.
Zhang pointed out that while these methods aren’t new on their own, the combination with strong obfuscation makes ModStealer tough for signature-based security tools to catch. It’s built for persistence, not just a quick grab.
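As an added illustration, not code from Mosyle, 9to5Mac or the malware itself, here is a small POSIX shell hunt for the one indicator the article names. It assumes the auto-start entry is a launchd property list (a LaunchAgent or LaunchDaemon) whose program path points at the hidden .sysupdater.dat file. The plist labels, the /usr/local/bin/node launcher and the directory tree it scans are constructed for the demonstration and are not indicators from the report.

```shell
#!/bin/sh
# Added example: hunt for the ModStealer indicator named in the article.
# Assumption: persistence is a launchd plist whose Program/ProgramArguments
# references a hidden file called .sysupdater.dat. Nothing here is from the
# Mosyle report beyond that filename.

IOC_NAME=".sysupdater.dat"

# find_ioc_files DIR...  -> prints every file named $IOC_NAME under DIR...
find_ioc_files() {
    find "$@" -type f -name "$IOC_NAME" 2>/dev/null
}

# find_ioc_plists DIR... -> prints every .plist under DIR... whose text
# mentions $IOC_NAME (launchd plists store the program path in plain XML).
find_ioc_plists() {
    find "$@" -type f -name '*.plist' 2>/dev/null | while IFS= read -r plist; do
        if grep -q -- "$IOC_NAME" "$plist"; then
            printf '%s\n' "$plist"
        fi
    done
}

# scan_host DIR... -> prints findings; returns 0 when clean, 1 on any hit.
scan_host() {
    files=$(find_ioc_files "$@")
    plists=$(find_ioc_plists "$@")
    if [ -z "$files" ] && [ -z "$plists" ]; then
        echo "clean: no $IOC_NAME file and no launchd plist referencing it"
        return 0
    fi
    if [ -n "$files" ]; then
        printf 'hidden IOC file present:\n%s\n' "$files"
    fi
    if [ -n "$plists" ]; then
        printf 'launchd plist referencing IOC (auto-start persistence):\n%s\n' "$plists"
    fi
    return 1
}

# make_fixture -> builds a CONSTRUCTED sample tree (not a real infection) and
# prints its path: one benign LaunchAgent and one that launches the IOC file.
# The labels and the node launcher are assumptions for the demo only.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/Library/LaunchAgents" "$root/Library/Application Support/helper"
    cat > "$root/Library/LaunchAgents/com.example.clean.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.clean</string>
  <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    cat > "$root/Library/LaunchAgents/com.example.helper.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/node</string>
    <string>$root/Library/Application Support/helper/$IOC_NAME</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    : > "$root/Library/Application Support/helper/$IOC_NAME"
    printf '%s\n' "$root"
}

# Demo against the constructed fixture: both indicators are present, so
# scan_host reports them and returns 1.
fixture=$(make_fixture)
scan_host "$fixture" || echo "(scan_host returned 1: indicators found in the constructed fixture)"
rm -rf "$fixture"
```

On a real Mac, run `scan_host "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons "$HOME/Library"` and pair it with `lsof -i -nP` (or `netstat -an`) to look at the outbound connections the article mentions. A hit is a starting point for triage, not proof on its own, and a miss proves little either: a filename match is exactly the kind of signature a renamed build defeats, which is why the launchd and network checks matter more than the name.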
A Wider Pattern of Threats
This discovery feels like part of a bigger trend. Just this Tuesday, Ledger’s CTO Charles Guillemet warned that attackers had compromised an NPM developer account and used it to push malicious code that could silently swap the recipient address during a crypto transaction. Luckily, that attack was caught early and didn’t succeed, but the injected code targeted Ethereum, Solana, and other chains.
Guillemet didn’t mince words. He tweeted that if your funds are in a software wallet or on an exchange, you’re “one code execution away from losing everything.” Harsh, but probably true.
When asked about the possible impact of ModStealer, Zhang didn’t sound optimistic. For users, private keys, seed phrases, and exchange API keys could be compromised, leading to direct loss of assets. For the industry, large-scale theft could trigger bigger on-chain exploits and just erode trust overall. It’s a sobering thought—and a reminder to stay cautious out there.