ModStealer steals crypto wallet data on all OS

Researchers at Mosyle, a company specializing in Apple device cybersecurity, discovered new malware called ModStealer, designed to steal crypto wallet data on macOS, Windows, and Linux.
This malware targets Web3 users and is primarily distributed through phishing emails advertising job openings and through work proposals sent on Telegram and Discord. After passing the initial screening, the victim receives a file disguised as a test assignment which, once launched, deploys the malicious code on the device.

ModStealer achieves cross-platform support by being written as obfuscated JavaScript that runs under Node.js, which complicates detection at the download stage.

On macOS, the malware registers as a LaunchAgent via launchctl, ensuring its automatic launch and hidden background operation. On Windows and Linux, it relies on standard privilege escalation and autostart methods. Once active, the malware scans the system for browser wallet extensions, private keys, cookies, certificates, and other sensitive data. Mosyle reports that it can harvest information from more than 50 sources, including popular browsers such as Safari. In addition, ModStealer can take screenshots, intercept clipboard content, and execute remote commands.
Stolen data is transmitted to a remote server with a distributed infrastructure partially disguised as legitimate hosting, making it difficult to trace the operators. According to Mosyle, the first ModStealer samples remained undetected by antivirus tools for almost a month: they were uploaded to VirusTotal, but no signatures were triggered at the time.
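Because the macOS variant persists as a LaunchAgent, a practical check is to audit the plists in ~/Library/LaunchAgents and /Library/LaunchAgents for agents that start a script interpreter such as node from a user-writable path. The following is an added example, not code from Mosyle or from the malware; the sample plist is constructed to resemble such an agent and the heuristics are assumptions, not ModStealer indicators.

```python
import plistlib
from pathlib import Path

# Interpreters a Node.js-based stealer needs at launch; starting one is not
# proof of malice, but it is worth a look (assumed heuristic list).
INTERPRETERS = {"node", "nodejs", "npx", "osascript", "sh", "bash", "zsh"}
# Locations a non-privileged dropper can write to without escalation.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")

def assess_launch_agent(plist_bytes: bytes) -> dict:
    """Heuristically assess one LaunchAgent plist (raw bytes, XML or binary)."""
    data = plistlib.loads(plist_bytes)
    args = list(data.get("ProgramArguments") or [])
    if not args and data.get("Program"):
        args = [data["Program"]]
    findings = []
    if args:
        binary = Path(args[0]).name
        if binary in INTERPRETERS:
            findings.append(f"interpreter launched: {binary}")
        for arg in args[1:]:
            if arg.startswith(USER_WRITABLE) and arg.endswith((".js", ".mjs", ".cjs")):
                findings.append(f"JS script in user-writable path: {arg}")
    if data.get("RunAtLoad"):
        findings.append("RunAtLoad (starts at every login)")
    if data.get("KeepAlive"):
        findings.append("KeepAlive (relaunched if killed)")
    return {"label": data.get("Label", "<no label>"), "args": args, "findings": findings}

def scan_launch_agents(directory: Path) -> list[dict]:
    """Assess every .plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    reports = []
    for path in sorted(directory.glob("*.plist")):
        try:
            report = assess_launch_agent(path.read_bytes())
        except Exception as exc:  # an unparseable agent is itself a finding
            report = {"label": path.name, "args": [], "findings": [f"unparseable: {exc}"]}
        report["path"] = str(path)
        reports.append(report)
    return reports

# Constructed sample, not a real ModStealer artifact: a Node.js agent persisting from a home dir.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/node</string>
    <string>/Users/alice/Library/Caches/updater/agent.js</string></array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
```

Run `scan_launch_agents(Path.home() / "Library/LaunchAgents")` on a Mac and review any agent with findings; a legitimate agent can trigger individual heuristics, so treat the output as a triage list, not a verdict.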

To minimize risks, users of mobile crypto wallets are advised to work in isolated environments when testing suspicious projects, not store private keys and seed phrases on their smartphones, and use hardware wallets for asset management.

Users are urged to maintain digital hygiene and avoid downloading software from unverified sources, even if it is presented as part of a legitimate collaboration offer.

Previously, GNcrypto reported that iPhone 17 introduced built-in basic protection to prevent zero-day attacks and the theft of crypto assets.