Particle.news

ModStealer Malware Evades Antivirus, Hits Browser Crypto Wallets on Mac, Windows and Linux

Mosyle published indicators of compromise to help defenders hunt infections.

Overview

  • Mosyle disclosed the cross-platform Node.js infostealer on Thursday, reporting that it had evaded all major antivirus engines for nearly a month after first appearing on VirusTotal.
  • Attackers deliver ModStealer through fake recruiter ads that target developers likely to have Node.js environments, using heavily obfuscated JavaScript to defeat signature-based defenses.
  • The malware is preloaded to target 56 browser wallet extensions and also seeks credentials and certificates, with capabilities for clipboard hijacking, screen capture, and remote code execution.
  • On macOS it persists by registering itself as a LaunchAgent via launchctl, and exfiltrated data is sent to infrastructure that Mosyle links to a server in Finland tied to resources in Germany.
  • Indicators of compromise include SHA256 8195148d1f697539e206a3db1018d3f2d6daf61a207c71a93ec659697d219e84, the filename ".sysupdater.dat", and C2 IP 95.217.121.184; researchers say the build aligns with a Malware-as-a-Service model, and SlowMist warns of significant risk to crypto users.
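A defender-side hunt for the indicators quoted above, added here as an example and not Mosyle's own tooling: it walks the given directories and flags the IoC filename, the IoC SHA256, and any LaunchAgent plist whose Program or ProgramArguments reference that filename. It assumes the standard macOS plist layout and builds its own constructed sample tree (a placeholder payload plus a hypothetical com.example.sysupdater.plist) so it runs offline; point `hunt()` at `~/Library/LaunchAgents` and the home directory on a real host.

```python
import hashlib
import os
import plistlib
import tempfile
IOC_SHA256 = "8195148d1f697539e206a3db1018d3f2d6daf61a207c71a93ec659697d219e84"
IOC_FILENAME = ".sysupdater.dat"

def sha256_of(path):
    with open(path, "rb") as f:  # whole-file read keeps the example short
        return hashlib.sha256(f.read()).hexdigest()

def check_launch_agent(path):
    """Hit if a plist's Program/ProgramArguments reference the IoC filename."""
    try:
        with open(path, "rb") as f:
            plist = plistlib.load(f)
    except Exception:  # not a readable plist, skip it
        return []
    refs = [plist.get("Program", "")] + list(plist.get("ProgramArguments", []))
    return [("launchagent-references-ioc", path)] if any(IOC_FILENAME in str(r) for r in refs) else []

def hunt(roots):
    """Walk roots; return (reason, path) pairs for filename, hash and LaunchAgent hits."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if name == IOC_FILENAME:
                    hits.append(("ioc-filename", path))
                try:
                    if sha256_of(path) == IOC_SHA256:
                        hits.append(("ioc-sha256", path))
                except OSError:  # unreadable file, skip hashing
                    pass
                if name.endswith(".plist"):
                    hits.extend(check_launch_agent(path))
    return hits

def build_demo_tree():
    """Constructed sample (not the real malware): a LaunchAgent running a hidden payload."""
    root = tempfile.mkdtemp()
    payload = os.path.join(root, IOC_FILENAME)
    with open(payload, "wb") as f:
        f.write(b"constructed placeholder, hash will not match the IoC")
    agent = {"Label": "com.example.sysupdater", "RunAtLoad": True,
             "ProgramArguments": ["/usr/local/bin/node", payload]}
    with open(os.path.join(root, "com.example.sysupdater.plist"), "wb") as f:
        plistlib.dump(agent, f)
    return root
```

On the constructed tree the hash rule stays silent (the placeholder is not the real sample), while the filename and LaunchAgent rules both fire; on a live host a hash hit alone is enough to escalate.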