{"id":47159,"date":"2025-09-12T07:01:49","date_gmt":"2025-09-12T07:01:49","guid":{"rendered":"https:\/\/dogewisperer.com\/?p=47159"},"modified":"2025-09-12T07:01:49","modified_gmt":"2025-09-12T07:01:49","slug":"this-invisible-modstealer-is-targeting-your-browser-based-crypto-wallets","status":"publish","type":"post","link":"https:\/\/dogewisperer.com\/?p=47159","title":{"rendered":"This Invisible &#8216;ModStealer&#8217; is Targeting Your Browser-Based Crypto Wallets"},"content":{"rendered":"<div>\n<p>A new strain of malware purpose-built to steal crypto wallet data is slipping past every major antivirus engine, according to Apple device security firm Mosyle.<\/p>\n<p>Dubbed ModStealer, the infostealer has been live for nearly a month without detection by virus scanners. Mosyle researchers say the malware is being distributed through malicious recruiter ads targeting developers and uses a heavily obfuscated NodeJS script to bypass signature-based defenses.<\/p>\n<p>That means the malware\u2019s code has been scrambled and layered with tricks that make it unreadable to signature-based antivirus tools. Since these defenses rely on spotting recognizable code \u201cpatterns,\u201d the obfuscation hides them, allowing the script to execute without detection.<\/p>\n<p>In practice, this lets attackers slip malicious instructions into a system while bypassing traditional security scans that would usually catch simpler, unaltered code.<\/p>\n<p>Unlike most Mac-focused malware, ModStealer is cross-platform, hitting Windows and Linux environments as well. Its primary mission is that of data exfiltration, and the code is presumed to include pre-loaded instructions to target 56 browser wallet extensions designed to extract private keys, credentials, and certificates.<\/p>\n<p>The malware also supports clipboard hijacking, screen capture, and remote code execution, giving attackers the ability to seize near-total control of infected devices. On macOS, persistence is achieved via Apple\u2019s launching tool, embedding itself as a LaunchAgent.<\/p>\n<p>Mosyle states that the build aligns with the profile of \u201cMalware-as-a-Service,\u201d where developers sell ready-made tools to affiliates with limited technical expertise. The model has driven a surge in infostealers this year, with Jamf reporting a 28% rise in 2025 alone.<\/p>\n<p>The discovery comes on the heels of recent npm-focused attacks where malicious packages like colortoolsv2 and mimelib2 used Ethereum smart contracts to conceal second-stage malware. In both cases, attackers leveraged obfuscation and trusted developer infrastructure to bypass detection.<\/p>\n<p>ModStealer extends this pattern beyond package repositories, showing how cybercriminals are escalating their techniques across ecosystems to compromise developer environments and directly target crypto wallets.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new strain of malware purpose-built to steal crypto wallet data is slipping past every major antivirus engine, according to Apple device security firm Mosyle. Dubbed ModStealer, the infostealer has been live for nearly a month without detection by virus scanners. Mosyle researchers say the malware is being distributed through malicious recruiter ads targeting developers [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":0,"footnotes":""},"categories":[2],"tags":[3,4,5],"class_list":["post-47159","post","type-post","status-publish","format-standard","hentry","category-news","tag-crypto","tag-doge","tag-news"],"_links":{"self":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/47159","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=47159"}],"version-history":[{"count":0,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/47159\/revisions"}],"wp:attachment":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=47159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=47159"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=47159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}