ModStealer: new malware threatens crypto wallets on all platforms
The virus spreads through fake job ads and has been hiding from antivirus software for a month
12.09.2025 - 08:55
341
3 min
0
Key points:
- Mosyle researchers have discovered the ModStealer virus, which has been bypassing antivirus systems for a month.
- The malware spreads through fake job ads and attacks browser wallets.
- ModStealer steals keys, seed phrases, and certificates, threatening direct loss of assets.
The new ModStealer malware poses a serious threat to crypto wallet users. According to Mosyle, the virus targets Windows, macOS, and Linux, evading standard antivirus checks and hiding within the system.
How ModStealer works
ModStealer spreads through fake recruiter ads targeting developers. The installation file contains a complex NodeJS script that helps hide the malicious code from antivirus programs.
The virus targets 56 popular browser-based crypto wallets, searching for and stealing private keys, seed phrases, logins, passwords, and digital certificates. All stolen data is sent to servers controlled by hackers.
Why is this virus dangerous?
In addition to stealing data, ModStealer can intercept clipboards, take screenshots, and execute remote commands. This gives attackers almost complete control over the victim’s device.
“ModStealer evades detection by mainstream antivirus solutions and poses significant risks to the broader digital asset ecosystem,” noted Shān Zhang, chief information security officer at Slowmist.
Researchers claim that the virus was created based on the Malware-as-a-Service model: even inexperienced hackers can use it. According to Jamf, the number of such users grew by 28% in 2025.
Recent incidents confirm that attacks on the crypto community are becoming increasingly sophisticated. On September 2, 2025, a Venus Protocol user lost about $13 million due to a fake Zoom link, although the funds were later recovered.
How a Venus Protocol user was hacked and why $13 million was recovered
The scammer carried out a complex attack using social engineering techniques and hacking a browser extension
And on September 8, hackers carried out the largest attack on the NPM infrastructure, injecting malicious code into packages used in crypto wallets and services. These episodes show that vulnerabilities in the software environment directly affect the security of digital assets.
Useful material?
Incidents
Developers warned of potential risks to bridges across the ecosystem and asked exchanges for assistance.
Jun 22, 2026
Incidents
The defendant helped move funds stolen through investment scams and earned at least $4 million for his role in the operation.
Jun 10, 2026
Incidents
The company is linking the incident to a compromised private key on a service wallet, rather than a smart contract exploit
May 22, 2026
Incidents
Following the incident, the project temporarily halted trading operations and node activity.
May 15, 2026
Incidents
The user spent weeks unsuccessfully trying to guess the password until Claude helped find an old wallet backup file
May 14, 2026
Crypto regulations
Authorities are introducing mandatory registration for companies handling cross-border crypto transactions
May 8, 2026
Telegram
Twitter