
Security researchers have uncovered ModStealer, a newly discovered malware that targets macOS, Windows, and Linux systems.
By going after private keys, browser wallets, and login credentials, the malware exposes both casual users and developers to serious financial risks.
How ModStealer Works
Apple-focused security firm Mosyle first detected the malware and reported that it went unnoticed by leading antivirus engines for nearly a month after being uploaded to VirusTotal, a widely used file analysis platform. According to Mosyle, ModStealer is built to extract sensitive data, including wallet keys, certificates, and browser extension files from Safari and Chromium-based browsers.
Researchers found that on macOS systems, ModStealer abuses background agent processes to persist even after a reboot. They traced its server infrastructure to Finland, with traffic routed through Germany to obscure its true operators. Even more concerning, attackers are distributing the malware through fake job recruitment ads, a tactic that has recently surged in popularity among attackers targeting Web3 developers. Victims are tricked into downloading malicious “test tasks” that silently install the malware.
⚠️ A new virus ModStealer has been detected almost invisible to antivirus software and capable of stealing data from crypto wallets in browsers.
🔴 The malware spreads through fake job postings and disguises itself as a background service.
🔴 Works on Windows, Linux, and macOS,…
— KiliaCryptoBD (@Kilia777Kolia) September 12, 2025
Once embedded, ModStealer operates in the background. It can log clipboard data, take screenshots, and execute remote commands. This wide range of capabilities gives attackers near-total access to a compromised system.
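One way to review the macOS persistence described above, as an added example that is not code from Mosyle or from this article. It assumes the "background agent processes" are launchd jobs defined by plists in the standard LaunchAgents and LaunchDaemons directories; the path heuristics, function names and the two sample jobs are constructed for illustration.

```python
import plistlib, sys, tempfile
from pathlib import Path, PurePosixPath

# Where launchd loads per-user and system-wide jobs from on macOS.
LAUNCH_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]
# Assumption: shared, writable locations that legitimate agents rarely run from.
WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def odd_path(arg):
    """True for a path in a temp/shared directory or under a hidden directory."""
    if "/" not in arg:
        return False  # a flag or bare word, not a path
    hidden = any(p.startswith(".") and p not in (".", "..") for p in PurePosixPath(arg).parts)
    return hidden or arg.startswith(WRITABLE)

def audit_plist(path):
    """Return the reasons (possibly none) a launchd job deserves manual review."""
    try:
        job = plistlib.loads(Path(path).read_bytes())  # handles XML and binary plists
    except Exception as exc:
        return [f"unparseable plist ({type(exc).__name__})"]
    if not isinstance(job, dict):
        return ["top-level object is not a dictionary"]
    argv = [job["Program"]] if job.get("Program") else []
    argv = [str(a) for a in argv + list(job.get("ProgramArguments") or [])]
    autostart = bool(job.get("RunAtLoad") or job.get("KeepAlive"))  # survives reboot/login
    reasons = [f"auto-starts from unusual path: {a}" for a in argv if autostart and odd_path(a)]
    if job.get("Label") != Path(path).stem:  # convention: file is named <Label>.plist
        reasons.append("Label does not match file name")
    return reasons

def audit_dirs(dirs=LAUNCH_DIRS):
    """Map each flagged plist path to its list of reasons."""
    plists = [p for d in dirs for p in sorted(Path(d).expanduser().glob("*.plist"))]
    return {str(p): r for p in plists if (r := audit_plist(p))}

def demo():
    """Audit two constructed jobs (sample data, not real ModStealer artifacts)."""
    ok = {"Label": "com.example.updater", "RunAtLoad": True,
          "Program": "/Applications/Example.app/Contents/MacOS/updater"}
    bad = {"Label": "com.example.helper", "KeepAlive": True,
           "ProgramArguments": ["/bin/sh", "/Users/dev/.cache/task/run.sh"]}
    with tempfile.TemporaryDirectory() as tmp:
        for job in (ok, bad):
            Path(tmp, job["Label"] + ".plist").write_bytes(plistlib.dumps(job))
        return {Path(p).name: r for p, r in audit_dirs([tmp]).items()}

if __name__ == "__main__":
    for plist, reasons in (audit_dirs() if sys.platform == "darwin" else demo()).items():
        print(plist, "->", "; ".join(reasons))
```

A flagged job is a prompt for manual review, not a verdict: some legitimate developer tools also auto-start from hidden directories.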
Why Developers and Investors Should Worry
Stephen Ajayi, technical lead at blockchain security firm Hacken, warned that these kinds of recruitment scams are becoming common. Speaking to Cointelegraph, he urged developers to vet recruiters and domains carefully. He suggested that users insist that any assignments be shared through public repositories and, if necessary, open them only in disposable virtual machines that contain no wallets, SSH keys, or password managers.
There’s reportedly a new malware called ModStealer. It's targeting crypto wallets on Mac, Windows and Linux. It spreads through fake job ads and steals keys and extensions. Developers and users should stay alert. Verify recruiters and keep wallets separate from work… pic.twitter.com/Igg9nkgi3U
— Zygfrid🌎 (@ZygfridS) September 12, 2025
Ajayi also stressed the importance of separating work environments from wallet environments. In his words, a strict separation between the “dev box” and the “wallet box” is essential to avoid exposing digital assets to unnecessary risk.
The post New ModStealer Virus Puts Crypto Wallets at Risk appeared first on Altcoin Buzz.