ModStealer Malware Uses Fake Job Ads to Hack Crypto Wallets on All Major OS
ModStealer – A dangerous new malware strain capable of bypassing antivirus checks and stealing crypto wallet data across Windows, Linux, and macOS has been uncovered. The malware, named ModStealer, poses a direct threat to both individual users and the broader digital asset ecosystem, according to cybersecurity experts.
Delivered Through Fake Job Ads
First disclosed by security firm Mosyle and reported by 9to5Mac, ModStealer had been active for almost a month before being detected. It spread through fake job recruiter ads targeting developers, a calculated strategy, since many developers already use Node.js environments, which makes them more susceptible to installing it.
“ModStealer evades detection by mainstream antivirus solutions and poses significant risks to the broader digital asset ecosystem,” said Shān Zhang, Chief Information Security Officer at blockchain security firm Slowmist. Unlike traditional malware, ModStealer supports multiple platforms and uses a stealthy “zero-detection” execution chain.
How ModStealer Works
Once executed, the malware scans devices for browser-based wallet extensions, system credentials, and digital certificates, then transmits the stolen data to command-and-control (C2) servers operated by the attackers.
On macOS devices, ModStealer sets up persistence by disguising itself as a background helper program, allowing it to launch automatically each time the system starts. Signs of infection include a hidden file named “.sysupdater.dat” and connections to suspicious servers.
Zhang noted that ModStealer’s combination of persistence and obfuscation techniques makes it particularly resilient against signature-based antivirus tools.
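The macOS indicators described above can be checked against a live or mounted home directory. The script below is an added example, not code from Mosyle, SlowMist or this article: it searches for the hidden file ".sysupdater.dat" and, as a heuristic assumption (the article does not say how the helper is registered), flags launchd jobs that start at load from a hidden path. The launchd directories, job labels and sample files are constructed for illustration.

```python
import os
import plistlib
import tempfile
from pathlib import Path

MARKER = ".sysupdater.dat"  # hidden file name reported in the article
# Assumption: standard launchd directories; the article does not name a location.
LAUNCH_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons")

def find_marker(root):
    """Return every path under root whose file name is exactly MARKER."""
    return sorted(Path(d) / MARKER for d, _, files in os.walk(root) if MARKER in files)

def is_hidden(path):  # True if any path component is dot-prefixed
    return any(p.startswith(".") and p not in (".", "..") for p in Path(path).parts)

def suspicious_launch_items(root):
    """Flag launchd jobs that start at load and run something from a hidden path."""
    flagged = []
    plists = [p for rel in LAUNCH_DIRS for p in sorted(Path(root, rel).glob("*.plist"))]
    for plist in plists:
        try:
            job = plistlib.loads(plist.read_bytes())  # accepts XML and binary plists
        except Exception:
            flagged.append((plist.name, "unreadable or unparseable plist"))
            continue
        if not isinstance(job, dict) or not job.get("RunAtLoad"):
            continue
        args = list(job.get("ProgramArguments") or []) + [job.get("Program") or ""]
        hits = [a for a in args if isinstance(a, str) and is_hidden(a)]
        if hits:
            flagged.append((plist.name, hits[0]))
    return flagged

def build_sample_home(root):
    """Constructed test data: one benign job and one job run from a hidden folder."""
    agents, hidden = Path(root, "Library/LaunchAgents"), Path(root, ".cache-helper")
    for folder in (agents, hidden):  # ".cache-helper" is a hypothetical name
        folder.mkdir(parents=True)
    (hidden / MARKER).write_bytes(b"constructed")
    jobs = {"com.example.benign": ["/usr/bin/true"],
            "com.example.helper": ["/usr/bin/node", str(hidden / "helper.js")]}
    for label, argv in jobs.items():
        job = {"Label": label, "ProgramArguments": argv, "RunAtLoad": True}
        (agents / f"{label}.plist").write_bytes(plistlib.dumps(job))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_home(tmp)
        print(find_marker(tmp), suspicious_launch_items(tmp))
```

A hit from either function is a lead for investigation rather than proof of infection, since legitimate software also keeps files in hidden directories.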
Industry-Wide Warnings
The discovery follows a separate warning from Ledger CTO Charles Guillemet, who revealed this week that attackers compromised an NPM developer account to distribute malicious code aimed at replacing wallet addresses during transactions. Although detected early, the attempt targeted Ethereum, Solana, and other blockchains.
Zhang warned that ModStealer represents a direct threat to crypto users, with risks ranging from stolen private keys and seed phrases to compromised exchange API keys. For the industry at large, widespread wallet data theft could trigger large-scale exploits and increase supply chain risks.








