Red Hot Cyber


There’s no antivirus to protect you! ModStealer affects Windows, macOS, and Linux.

Redazione RHC : 15 September 2025 16:00

Mosyle has discovered a new malware program called ModStealer. The program is not detected by any antivirus solution: it was first uploaded to VirusTotal almost a month ago and no engine flagged it. The danger is compounded by the fact that the malicious tool can infect computers running macOS, Windows, and Linux.

Distribution occurs via fake job advertisements posing as recruiters looking for developers. The victim is asked to follow a link that delivers heavily obfuscated JavaScript written for Node.js. The obfuscation keeps the program invisible to signature-based solutions.

ModStealer is built to steal data: from the outset its developers integrated functions for extracting information from cryptocurrency wallets, credential files, configuration settings, and certificates. The code was found to be preconfigured to target 56 browser wallet extensions, including those for Safari, letting it steal private keys and other sensitive information.

In addition to stealing data, ModStealer can intercept clipboard contents, take screenshots, and execute arbitrary code on the infected system. This last capability effectively gives attackers a path to full control of the device.

On Macs, the program establishes persistence with the standard launchctl tool: it registers itself as a LaunchAgent and can then covertly monitor user activity, sending stolen data to a remote server. Mosyle was able to determine that the server is located in Finland but is connected to infrastructure in Germany, which likely serves to mask the operators’ true location.
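Because the article names the persistence mechanism (a per-user LaunchAgent loaded through launchctl), a defender can hunt for it by auditing the plists in ~/Library/LaunchAgents. The script below is an added example written for this page, not code from Mosyle or Red Hot Cyber; the heuristics it applies (an agent whose program is a script interpreter such as node, one that executes from a user-writable or hidden directory, one that combines RunAtLoad with KeepAlive, or one whose label impersonates Apple) are the editor's generic indicators and not published ModStealer IoCs. The two embedded plists, including the label `com.apple.nodehelper` and the path under `.sysupdate`, are constructed samples so the check runs offline.

```python
"""Audit per-user LaunchAgents for traits common to script-based persistence.

Added example (not from the article). Heuristics and sample plists are
constructed for illustration; nothing here is a published ModStealer indicator.
"""
import plistlib
from pathlib import Path

# Interpreters a legitimate vendor agent rarely needs to launch directly.
SCRIPT_INTERPRETERS = {"node", "osascript", "python", "python3",
                       "sh", "bash", "zsh", "perl", "ruby"}

# Path fragments that point at user-writable or hidden locations.
WRITABLE_LOCATIONS = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/",
                      "/Library/Application Support/", "/Downloads/", "/.")


def audit_agent(name, data):
    """Parse one LaunchAgent plist (bytes) and return a list of indicator strings.

    An empty list means none of the heuristics fired.
    """
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or (
        [plist["Program"]] if "Program" in plist else [])
    findings = []
    if not args:
        return [f"{name}: no Program or ProgramArguments key"]

    # 1. Program is a script interpreter rather than a compiled binary.
    exe = Path(args[0]).name
    if exe in SCRIPT_INTERPRETERS:
        findings.append(f"launches script interpreter '{exe}'")

    # 2. Any argument points into a user-writable or hidden directory.
    joined = " ".join(args)
    for loc in WRITABLE_LOCATIONS:
        if loc in joined:
            findings.append(f"references writable/hidden path containing '{loc}'")
            break

    # 3. Agent starts at login and is restarted whenever it exits.
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive (relaunches on exit)")

    # 4. Apple's own agents live under /System/Library, not in a user's home.
    if str(plist.get("Label", "")).startswith("com.apple."):
        findings.append("label impersonates Apple in a per-user agent")

    return findings


def audit_directory(directory=Path.home() / "Library" / "LaunchAgents"):
    """Run audit_agent over every *.plist in a directory; returns {file: findings}."""
    results = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            results[path.name] = audit_agent(path.name, path.read_bytes())
        except (plistlib.InvalidFileException, OSError) as exc:
            results[path.name] = [f"could not parse: {exc}"]
    return results


# Constructed sample: an ordinary vendor helper shipped inside /Applications.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array>
<string>/Applications/ExampleApp.app/Contents/MacOS/helper</string><string>--daemon</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample: node running a script from a hidden folder under Application Support.
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.nodehelper</string>
<key>ProgramArguments</key><array>
<string>/usr/local/bin/node</string>
<string>/Users/alice/Library/Application Support/.sysupdate/agent.js</string>
</array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    for label, data in (("benign-sample", SAMPLE_BENIGN),
                        ("suspicious-sample", SAMPLE_SUSPICIOUS)):
        print(label, "->", audit_agent(label, data) or "nothing odd")
    # On a real Mac, also walk the current user's LaunchAgents directory.
    for fname, hits in audit_directory().items():
        if hits:
            print(fname, "->", hits)
```

Each heuristic on its own has benign explanations (developer tooling often runs node from a home directory), so treat the output as triage input to pair with the behavioural signals the article mentions, such as outbound connections from the agent's process.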

According to experts, ModStealer is distributed using the RaaS (Ransomware-as-a-Service) model. In this case, developers create a ready-made toolset and sell it to customers, who can use it for attacks without requiring in-depth technical knowledge. This scheme has become popular among criminal groups in recent years, especially for the distribution of infostealers.

According to Mosyle, the discovery of ModStealer highlights the weakness of traditional antivirus solutions, which are unable to keep up with threats of this kind. Defending against them requires continuous monitoring, analysis of program behavior, and raising user awareness of new attack methods.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
