ModStealer: The New Stealth Malware That Bypasses Antivirus
Experts at Mosyle have uncovered a new strain of malware, named ModStealer, which has proven entirely invisible to antivirus solutions. The program was first uploaded to VirusTotal nearly a month ago without triggering a single detection, underscoring its stealth. Its danger is magnified by the fact that it can infect systems running macOS, Windows, and Linux.
The malware spreads through fraudulent job recruitment ads that specifically target developers. Victims are lured into clicking a link that delivers heavily obfuscated JavaScript code written for Node.js; the obfuscation renders the program undetectable to traditional signature-based defenses.
The primary goal of ModStealer is data theft. Its developers built in capabilities to extract information from cryptocurrency wallets, credential files, configuration parameters, and digital certificates. Preconfigured routines target 56 browser wallet extensions, including extensions for Safari, allowing the malware to steal private keys and other sensitive data.
Beyond credential theft, ModStealer can intercept clipboard contents, capture screenshots, and execute arbitrary code on an infected system. This final capability effectively grants attackers full control over compromised devices. On macOS, persistence is achieved using the built-in launchctl tool: the malware registers itself as a LaunchAgent, silently monitoring user activity while exfiltrating stolen data to a remote server. Mosyle’s investigation revealed that this server is located in Finland, though it relies on infrastructure in Germany—likely an effort to mask the operators’ true location.
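The LaunchAgent persistence described above is something a defender can audit directly. The following Python script is an added example, not code from Mosyle or from the malware itself: it parses the plists in a LaunchAgents directory and flags entries that hand a script runtime such as `node` a JavaScript file, especially one parked in a hidden or temporary path and set to start at login. The file paths, labels and scoring thresholds are assumptions chosen for illustration.

```python
"""Triage macOS LaunchAgent plists for script-runtime persistence (added example)."""
import plistlib
from pathlib import Path

# Interpreters a Node.js-based stealer (or a loader for one) would need to invoke.
SCRIPT_RUNTIMES = {"node", "nodejs", "osascript", "bash", "sh", "zsh", "python", "python3"}

def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Return label, launch arguments, findings and a verdict for one plist."""
    info = plistlib.loads(plist_bytes)
    args = list(info.get("ProgramArguments") or [])
    if not args and "Program" in info:
        args = [info["Program"]]
    findings = []
    if args:
        runtime = Path(args[0]).name
        if runtime in SCRIPT_RUNTIMES:
            findings.append(f"launches script runtime {runtime!r}")
        for a in args[1:]:
            # Script payloads, temp directories and hidden dot-directories are common hiding spots.
            if a.endswith(".js") or a.startswith("/tmp/") or "/." in a:
                findings.append(f"argument points at {a!r}")
    if info.get("RunAtLoad"):
        findings.append("RunAtLoad set")
    if info.get("KeepAlive"):
        findings.append("KeepAlive set")
    # Verdict: a script runtime plus at least one more indicator. Many legitimate agents
    # set RunAtLoad alone, so that by itself is not enough.
    runtime_flagged = any(f.startswith("launches script runtime") for f in findings)
    return {"label": info.get("Label", "?"), "args": args, "findings": findings,
            "suspicious": runtime_flagged and len(findings) >= 2}

def scan_launch_agents(directory: Path) -> list[dict]:
    """Triage every plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    results = []
    for p in sorted(directory.glob("*.plist")):
        try:
            r = triage_launch_agent(p.read_bytes())
        except Exception as exc:  # a plist that will not parse deserves a look too
            r = {"label": p.name, "args": [], "findings": [f"unparseable: {exc}"], "suspicious": True}
        r["path"] = str(p)
        results.append(r)
    return results

# Constructed samples for testing; labels and paths are invented, not real ModStealer artifacts.
SAMPLE_SUSPICIOUS = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True, "KeepAlive": True,
    "ProgramArguments": ["/usr/local/bin/node", "/Users/dev/.cache/updater/app.js"]})
SAMPLE_BENIGN = plistlib.dumps({"Label": "com.vendor.sync", "RunAtLoad": True,
    "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/sync", "--daemon"]})

if __name__ == "__main__":
    for r in scan_launch_agents(Path.home() / "Library" / "LaunchAgents"):
        print(("SUSPICIOUS" if r["suspicious"] else "ok").ljust(11), r["label"], " ".join(r["args"]))
        for f in r["findings"]:
            print("            -", f)
```

Run it on a macOS host to list per-user agents; `/Library/LaunchAgents` and `/Library/LaunchDaemons` can be passed to `scan_launch_agents` as well for the system-wide locations.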
According to researchers, ModStealer is distributed under a RaaS (Ransomware-as-a-Service) model, whereby developers package the malware into turnkey kits and sell them to clients who may lack advanced technical skills but can still mount sophisticated attacks. This model has surged in popularity among criminal groups, particularly in the distribution of information stealers.
Mosyle warns that the discovery of ModStealer highlights the shortcomings of traditional antivirus software, which cannot adequately respond to such threats. Effective defense, they argue, requires continuous monitoring, behavioral analysis, and greater user awareness of evolving attack techniques.