A newly discovered malware strain called ModStealer has the capacity to bypass antivirus software and steal data from cryptocurrency wallets across Windows, Linux, and macOS operating systems.
The malware was revealed Thursday and initially reported by 9to5Mac, based on information from security firm Mosyle.
ModStealer cryptocurrency malware operated undetected for nearly one month
ModStealer had been operational for nearly a month before detection, remaining hidden from prominent antivirus engines during this period. The malware spreads through deceptive job recruiter advertisements specifically targeting software developers.
Mosyle indicated this distribution method ensures the malware reaches individuals likely to have Node.js environments installed, making them prime targets for cryptocurrency-related attacks.
Multi-platform support enables widespread targeting
Shān Zhang, chief information security officer at blockchain security firm Slowmist, stated that ModStealer “evades detection by mainstream antivirus solutions and poses significant risks to the broader digital asset ecosystem.”
Zhang noted that “Unlike traditional stealers, ModStealer stands out for its multi-platform support and stealthy ‘zero-detection’ execution chain,” enabling attacks across multiple operating systems simultaneously.
Comprehensive system scanning targets crypto assets
After execution, ModStealer initiates a thorough scan of infected systems, searching for browser-based cryptocurrency wallet extensions, system credentials, and digital certificates. On macOS systems, the malware employs a persistence mechanism by masquerading as a background helper program.
This persistence ensures automatic execution upon system startup, maintaining continuous operation without user intervention or awareness.
How to detect potential ModStealer infections
Users can identify possible ModStealer infections by checking for these indicators:
- Hidden file named “.sysupdater.dat” on the system,
- Outbound network connections to suspicious or unknown servers,
- Unexpected background processes running at startup,
- Unusual cryptocurrency wallet extension behavior,
- Unauthorized access attempts to digital certificates.
Zhang explained that “Although common in isolation, these persistence methods combined with strong obfuscation make ModStealer resilient against signature-based security tools.”
Direct threat to cryptocurrency users and platforms
Zhang emphasized ModStealer’s potential impact on individual users and the broader cryptocurrency ecosystem. For individual users, “private keys, seed phrases, and exchange API keys may be compromised, resulting in direct asset loss.”
For the cryptocurrency industry, Zhang warned that “mass theft of browser extension wallet data could trigger large-scale on-chain exploits, eroding trust and amplifying supply chain risks.”
How to protect cryptocurrency wallets from ModStealer
Cryptocurrency users can implement these protective measures:
- Use hardware wallets instead of browser extensions for significant holdings,
- Enable multi-factor authentication on all cryptocurrency accounts,
- Regularly update antivirus software and enable real-time scanning,
- Avoid clicking suspicious job recruitment advertisements,
- Monitor system startup processes for unauthorized applications,
- Backup seed phrases offline in secure physical locations,
- Use separate devices for cryptocurrency transactions when possible.
