Beware: Invisible Crypto Browser Wallet Draining Malware Uncovered

Researchers at cybersecurity firm Mosyle have discovered a new malware strain that can avoid detection by antivirus programs on computers running Windows, Linux, and macOS and steal cryptocurrencies from browser-connected wallets.

The malware, called ModStealer, has been evading detection by major antivirus engines ever since it was first uploaded to VirusTotal nearly a month ago, and spreads through fake job recruiter ads. The researchers said it is part of a growing trend of using Malware-as-a-Service programs to target developers, where the packages are sold to affiliates who deploy them without requiring any technical expertise.

ModStealer Malware Undetectable by Anti-Virus Systems is Compromising Browser-based Crypto Wallets

The Mosyle report highlights that ModStealer is intentionally distributed through fraudulent job ads because it was specifically designed to reach developers who were likely to use or had NodeJS environments installed on their computers. It avoids detection by traditional signature-based antivirus systems.

ModStealer is a malicious JavaScript file written in NodeJS that comes loaded with features designed for stealth and scaling. Once executed, it scans for browser-based crypto wallet extensions and is capable of extracting private keys, system credentials, configuration files, and digital certificates. According to Mosyle, the malware is targeting 56 crypto browser wallets.

Furthermore, it is also embedded with clipboard and screen capture tools, alongside remote code execution, giving attackers near-total control of a compromised device. On macOS, the malware uses Apple’s “launchctl” tool to set up as a LaunchAgent through a persistence method to run automatically every time the computer starts by disguising itself as a background helper program.

From here, it quietly monitors users’ activity without them ever noticing its presence, sending data to a remote server that is believed to be hosted in Finland and routed through a German infrastructure. The infection can be identified if a secret file called “.sysupdater.dat” and connections to a suspicious server are found on the victim’s device.

ModStealer Operates From C2 Servers Hosted in Finland and Routed via Germany

Shan Zhang, chief information security officer at blockchain security firm Slowmist, warned that ModStealer evades detection by mainstream antivirus solutions and poses significant risks to the broader digital asset ecosystem. He noted that, unlike traditional stealers, it stands out for its multi-platform support and stealthy ‘zero-detection’ execution chain.

The malware exfiltrates the data to remote C2 servers, also known as Command and Control servers, which are centralized systems used by cybercriminals to manage and control compromised devices in a network. The server acts as an operational hub for malware and cyberattacks.

Infostealer malware now dominates cyberattacks on Macs, with reports suggesting a 28% surge in such threats in 2025 alone. Mosyle said in a separate statement that the cross-platform nature of ModStealer, combined with its stealth and MaaS distribution model, makes it an evolving threat to developers, traders, and enterprises alike. The agency is urging the need for more advanced, behavior-based security solutions since the malware is capable of evading antivirus checks (arXiv Malware Research Papers).

Hacks, Scams, and Wallet Breaches have cost Crypto Users Over $2.2B in 2025

The discovery of ModStealer comes on the heels of a warning from Charles Guillemet, CTO of crypto hardware wallet firm Ledger, who disclosed last week that attackers had compromised an NPM developer account and attempted to spread malicious code that could quietly replace crypto wallet addresses during transactions, putting funds at risk across multiple blockchains.

Luckily, Ledger managed to detect and stop the attack before it progressed, but Guillemet noted that the compromised packages had been hooked to Ethereum and Solana, among other chains. He warned his followers on X that if their funds sit in a software-based wallet or an exchange, they are one code execution away from “losing everything”.

Meanwhile, Zhang said that ModStealer poses a “direct threat” to crypto users and platforms, as their private keys, seed phrases, and exchange API keys may be compromised. He added that a mass theft of browser extension wallet data could trigger large-scale on-chain exploits, eroding trust in the crypto industry while amplifying supply chain risks.

Since the beginning of 2025, crypto users have lost over $2.2 billion to hacks, scams, and breaches, largely driven by wallet compromises and phishing attacks, as per Certik’s latest security report. Wallet breaches alone have cost users $1.7 billion in losses, while phishing attacks accounted for over $410 million of the total.

Also Read: The Safest Cryptocurrency Wallets in 2025