The virus spreads through fake job ads and has been hiding from antivirus software for a month

ModStealer: new malware threatens crypto wallets on all platforms

12.09.2025 - 08:55

341

3 min

Key points:

  • Mosyle researchers have discovered the ModStealer virus, which has been bypassing antivirus systems for a month.
  • The malware spreads through fake job ads and attacks browser wallets.
  • ModStealer steals keys, seed phrases, and certificates, threatening direct loss of assets.

The new ModStealer malware poses a serious threat to crypto wallet users. According to Mosyle, the virus targets Windows, macOS, and Linux, evading standard antivirus checks and hiding within the system.

How ModStealer works

ModStealer spreads through fake recruiter ads targeting developers. The installation file contains a complex NodeJS script that helps hide the malicious code from antivirus programs.

The virus targets 56 popular browser-based crypto wallets, searching for and stealing private keys, seed phrases, logins, passwords, and digital certificates. All stolen data is sent to servers controlled by hackers.

Why is this virus dangerous?

In addition to stealing data, ModStealer can intercept clipboards, take screenshots, and execute remote commands. This gives attackers almost complete control over the victim’s device.

“ModStealer evades detection by mainstream antivirus solutions and poses significant risks to the broader digital asset ecosystem,” noted Shān Zhang, chief information security officer at Slowmist.

Researchers claim that the virus was created based on the Malware-as-a-Service model: even inexperienced hackers can use it. According to Jamf, the number of such users grew by 28% in 2025.

Recent incidents confirm that attacks on the crypto community are becoming increasingly sophisticated. On September 2, 2025, a Venus Protocol user lost about $13 million due to a fake Zoom link, although the funds were later recovered.

How a Venus Protocol user was hacked and why $13 million was recovered

How a Venus Protocol user was hacked and why $13 million was recovered

The scammer carried out a complex attack using social engineering techniques and hacking a browser extension

Read more

And on September 8, hackers carried out the largest attack on the NPM infrastructure, injecting malicious code into packages used in crypto wallets and services. These episodes show that vulnerabilities in the software environment directly affect the security of digital assets.

Subscribe to Getblock Magazine and stay up to date with the latest news from the world of cryptocurrencies and the digital economy