Particle.news


ModStealer Infostealer Evades Antivirus to Plunder Crypto Wallets on Mac, Windows and Linux

Researchers say attackers seed the obfuscated Node.js stealer through fake recruiter job ads aimed at developers.

Overview

  • Mosyle disclosed the cross-platform strain after it went nearly a month undetected on VirusTotal, describing it as purpose-built for data exfiltration.
  • Preloaded logic targets 56 browser wallet extensions, including extensions for Safari, to extract private keys, credentials, configuration details and certificates.
  • The malware supports clipboard and screen capture plus remote code execution, giving attackers near-complete control of compromised devices.
  • On macOS it persists by registering itself as a LaunchAgent through launchctl; stolen data is funneled to infrastructure that appears to sit in Finland and is tied to Germany.
  • Indicators of compromise include the SHA256 hash 8195148d1f697539e206a3db1018d3f2d6daf61a207c71a93ec659697d219e84, the filename .sysupdater.dat and the C2 IP 95.217.121.184; experts warn of direct risk to crypto users and a likely Malware-as-a-Service model.
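The three indicators above map directly onto a quick macOS host sweep: LaunchAgent plists that reference .sysupdater.dat, the SHA256 of whatever those plists launch, and current connections to the C2 address. The script below is an added example written for this page, not code from Mosyle or from the malware report. It only uses the hash, filename and IP quoted above; the LaunchAgent label, the node binary path and the netstat lines it builds for its self-test are constructed placeholders, and the sample it writes to disk is harmless text. One caveat a responder should keep in mind: the hash only catches that exact build, while the filename and C2 address survive recompilation, so a hash miss alone does not clear a host.

```python
"""Host sweep for the ModStealer indicators quoted on this page (added example)."""
import hashlib
import plistlib
import re
import tempfile
from pathlib import Path

# Indicators as quoted in the overview above.
IOC_SHA256 = "8195148d1f697539e206a3db1018d3f2d6daf61a207c71a93ec659697d219e84"
IOC_FILENAME = ".sysupdater.dat"
IOC_C2_IP = "95.217.121.184"

# Match the C2 address only as a whole dotted quad (so 195.217.121.184 is not a hit).
_C2_RE = re.compile(r"(?<![\d.])" + re.escape(IOC_C2_IP) + r"(?![\d])")


def default_launch_agent_dirs():
    """Per-user and system-wide LaunchAgent folders on macOS."""
    return [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def plist_program_paths(plist_path):
    """Program plus every ProgramArguments entry of a launchd plist ([] if unreadable)."""
    try:
        with open(plist_path, "rb") as f:
            data = plistlib.load(f)
    except (OSError, plistlib.InvalidFileException, ValueError):
        return []
    if not isinstance(data, dict):
        return []
    paths = []
    if isinstance(data.get("Program"), str):
        paths.append(data["Program"])
    args = data.get("ProgramArguments")
    if isinstance(args, list):
        paths.extend(a for a in args if isinstance(a, str))
    return paths


def scan_launch_agents(dirs, ioc_filename=IOC_FILENAME):
    """(plist, argument) pairs whose program or arguments reference the IOC filename."""
    hits = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            for item in plist_program_paths(plist):
                if ioc_filename in item:
                    hits.append((str(plist), item))
    return hits


def hash_matches(paths, known_hashes=frozenset({IOC_SHA256})):
    """Existing files whose SHA256 is in known_hashes."""
    return [str(p) for p in map(Path, paths) if p.is_file() and sha256_of(p) in known_hashes]


def scan_connections(lines):
    """netstat/lsof-style lines that name the C2 IP as a peer."""
    return [ln.strip() for ln in lines if _C2_RE.search(ln)]


# Constructed lines in `netstat -an` (macOS) layout; not real captures. The third one
# is a near-miss address that a naive substring match would wrongly flag.
SAMPLE_NETSTAT = [
    "tcp4  0  0  192.168.1.20.52113  95.217.121.184.443   ESTABLISHED",
    "tcp4  0  0  192.168.1.20.52120  17.253.144.10.443    ESTABLISHED",
    "tcp4  0  0  192.168.1.20.52131  195.217.121.184.443  ESTABLISHED",
]


def build_demo_tree():
    """Constructed LaunchAgents folder (one benign, one suspicious plist) plus a harmless
    placeholder .sysupdater.dat. Labels and the node path are assumptions, not IOCs."""
    root = Path(tempfile.mkdtemp(prefix="modstealer_ioc_"))
    agents = root / "LaunchAgents"
    agents.mkdir()
    payload = root / IOC_FILENAME
    payload.write_bytes(b"constructed placeholder, not the real sample\n")
    plists = {
        "com.example.benign.plist": {"Label": "com.example.benign",
                                     "ProgramArguments": ["/usr/bin/true"], "RunAtLoad": True},
        "com.example.sysupdater.plist": {"Label": "com.example.sysupdater",
                                         "ProgramArguments": ["/usr/local/bin/node", str(payload)],
                                         "RunAtLoad": True},
    }
    for name, content in plists.items():
        with open(agents / name, "wb") as f:
            plistlib.dump(content, f)
    return root


def run_demo():
    """Sweep the constructed tree and return the findings."""
    root = build_demo_tree()
    payload = root / IOC_FILENAME
    return {
        "launch_agents": scan_launch_agents([root / "LaunchAgents"]),
        "hash_vs_published": hash_matches([payload]),  # placeholder never matches the real hash
        "hash_vs_own": hash_matches([payload], {sha256_of(payload)}),
        "connections": scan_connections(SAMPLE_NETSTAT),
    }


if __name__ == "__main__":
    # Real sweep of this host: agents naming the file, then hash everything the agents launch.
    dirs = default_launch_agent_dirs()
    referenced = {arg for d in dirs if d.is_dir()
                  for p in d.glob("*.plist") for arg in plist_program_paths(p)}
    print("LaunchAgent hits:", scan_launch_agents(dirs))
    print("Hash matches:", hash_matches(referenced))
    print("Demo:", run_demo())
```

Run it as the affected user so the per-user LaunchAgents folder is the right one, and feed `scan_connections` the output of `netstat -an` or `lsof -nP -iTCP` to cover the network indicator on a live host.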