A newly identified malware strain named ModStealer has emerged as a significant threat to browser-based cryptocurrency wallets, leveraging sophisticated obfuscation techniques to bypass signature-based antivirus defenses. Security researchers at Mosyle reported that ModStealer has remained undetected for nearly a month while actively targeting wallet extensions across major operating systems, including Windows, Linux, and macOS.
ModStealer’s primary distribution vector is malicious job recruitment advertisements that lure developers into downloading an infected payload. Once executed, the malware runs heavily obfuscated Node.js scripts that evade signature-based antivirus engines because the recognizable strings and code patterns only appear after unpacking. Execution begins with dynamic unpacking routines that reconstruct the core exfiltration module in memory, minimizing the on-disk footprint and the forensic indicators of compromise left behind.
The code includes preconfigured instructions to search for and extract credentials from 56 distinct browser wallet extensions, including popular wallets supporting Bitcoin, Ethereum, Solana, and other major blockchains. Private keys, credential databases, and digital certificates are copied to a local staging directory before being exfiltrated to command-and-control servers over encrypted HTTPS channels. Clipboard hijacking routines watch for copied wallet addresses and replace them with attacker-controlled addresses, so a transfer the victim pastes and sends goes to the attacker in real time.
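The clipboard-swap behaviour described above leaves a recognizable trace: a copied wallet address is replaced by a different address of the same chain almost instantly, which no human re-copy produces. The following is an added example, not ModStealer code or Mosyle tooling, that scores a sequence of clipboard snapshots with that heuristic. The address patterns are simplified (assumed, not full validators), the 2-second gap threshold is an assumption, and the clipboard history is constructed.

```python
"""Heuristic clipboard-hijack detector over a sequence of clipboard snapshots.

Added illustration (not ModStealer's code): a copied wallet address that turns
into a *different* address of the same chain within a couple of seconds is
flagged as a probable clipboard swap.
"""
import re
from typing import Dict, List, Optional, Tuple

# Simplified address shapes for the chains named in the article (assumption:
# adequate for a heuristic, not a checksum-validating parser).
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "bitcoin": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "solana": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the chain whose address pattern matches the clipboard text, or None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def detect_swaps(snapshots: List[Tuple[float, str]], max_gap_s: float = 2.0) -> List[Dict]:
    """Flag transitions where one wallet address becomes a different address of the
    same chain within max_gap_s seconds (assumed threshold).

    A user deliberately copying a second address takes longer than that; a
    hijacker that rewrites the clipboard on change does it within milliseconds.
    """
    alerts = []
    prev_ts, prev_text = None, None
    for ts, text in snapshots:
        if prev_text is not None:
            old_chain = classify_address(prev_text)
            new_chain = classify_address(text)
            if (old_chain is not None and old_chain == new_chain
                    and text.strip() != prev_text.strip()
                    and ts - prev_ts <= max_gap_s):
                alerts.append({
                    "chain": old_chain,
                    "original": prev_text.strip(),
                    "replacement": text.strip(),
                    "gap_s": round(ts - prev_ts, 3),
                })
        prev_ts, prev_text = ts, text
    return alerts


# Constructed clipboard history: (seconds since start, clipboard contents).
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for Tuesday"),
    (1.0, "0x" + "ab" * 20),      # user copies the intended ETH address
    (1.3, "0x" + "cd" * 20),      # 300 ms later it is a different ETH address: swap
    (40.0, "bc1q" + "x" * 38),    # user copies a BTC address
    (100.0, "1" + "A" * 33),      # a minute later, another BTC address: normal behaviour
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{alert['chain']}] {alert['original']} -> {alert['replacement']} "
              f"in {alert['gap_s']}s")
```

On a live system the snapshot list would be fed by polling the clipboard (for example every 100 ms); the detection logic itself does not depend on how the snapshots are collected.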
Beyond credential theft, ModStealer supports optional modules for system reconnaissance, screen capture, and remote code execution. On macOS, persistence is achieved through the LaunchAgents mechanism, while the Windows and Linux variants use scheduled tasks and cron jobs, respectively. The malware’s modular architecture allows affiliates to tailor functionality to the target environment and the payload capabilities they want.
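The persistence mechanisms named above are the easiest artifacts to hunt for. As an added example (not ModStealer's code and not Mosyle's tooling), the script below inspects a LaunchAgent plist and a crontab for entries that start a Node.js interpreter, and raises additional findings when the script lives in a hidden or temporary directory, is passed inline via `-e`, or is configured to auto-start. The plists, crontab lines, labels and paths are constructed samples, and the scoring rules are this example's own assumptions, not indicators published for ModStealer.

```python
"""Scan LaunchAgent plists and crontab lines for Node.js-based persistence.

Added illustration; the samples and heuristics are constructed for this example.
"""
import plistlib
import re
from typing import Dict, List

NODE_RUNTIMES = {"node", "nodejs"}
# Assumed "unusual" locations for a startup script: hidden dirs and temp dirs.
SUSPICIOUS_PATH = re.compile(r"(^|/)(\.[^/]+|tmp|Temp|\$TMPDIR)(/|$)")


def _argv_findings(argv: List[str]) -> List[str]:
    """Findings for one command line; empty when it does not run Node.js."""
    findings = []
    runtime = argv[0].rsplit("/", 1)[-1] if argv else ""
    if runtime in NODE_RUNTIMES:
        findings.append("runs a Node.js interpreter")
        for arg in argv[1:]:
            if SUSPICIOUS_PATH.search(arg):
                findings.append(f"script in hidden/temp path: {arg}")
            if arg in ("-e", "--eval"):
                findings.append("inline eval'd script (no script file on disk)")
    return findings


def scan_launch_agent(plist_bytes: bytes) -> Dict:
    """Inspect one LaunchAgent/LaunchDaemon plist and return label, argv, findings."""
    data = plistlib.loads(plist_bytes)
    argv = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    findings = _argv_findings(argv)
    if findings and (data.get("RunAtLoad") or data.get("KeepAlive")):
        findings.append("auto-starts at login (RunAtLoad/KeepAlive)")
    return {"label": data.get("Label", "?"), "argv": argv, "findings": findings}


def scan_crontab(crontab_text: str) -> List[Dict]:
    """Inspect user-crontab lines (five schedule fields or an @keyword, then the command)."""
    results = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            pieces = line.split(None, 1)
            if len(pieces) < 2:
                continue
            schedule, command = pieces
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        findings = _argv_findings(command.split())
        if findings:
            results.append({"schedule": schedule, "command": command, "findings": findings})
    return results


# Constructed sample: a LaunchAgent that mirrors the pattern described in the article.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.sysupdate</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/node</string>
        <string>/Users/dev/.cache/.sysupdate/main.js</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>"""

# Constructed sample: a benign agent that must not be flagged.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.backup</string>
    <key>ProgramArguments</key>
    <array><string>/usr/bin/rsync</string><string>-a</string><string>/Users/dev/docs</string>
    <string>/Volumes/backup</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>"""

# Constructed sample crontab for the Linux variant.
SAMPLE_CRONTAB = """# constructed sample crontab
0 3 * * * /usr/bin/rsync -a /home/dev/docs /mnt/backup
@reboot /usr/bin/node /tmp/.x/loader.js
*/5 * * * * node -e 'require("/home/dev/.local/s.js")'
"""

if __name__ == "__main__":
    for blob in (SAMPLE_PLIST, BENIGN_PLIST):
        r = scan_launch_agent(blob)
        print(r["label"], r["findings"] or "clean")
    for hit in scan_crontab(SAMPLE_CRONTAB):
        print(hit["schedule"], hit["command"], hit["findings"])
```

To run it against a real machine, feed `scan_launch_agent` the bytes of each file under `~/Library/LaunchAgents` and `/Library/LaunchAgents`, and `scan_crontab` the output of `crontab -l`; Windows scheduled tasks would need a separate parser for the task XML.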
Mosyle analysts classify ModStealer as Malware-as-a-Service, indicating that affiliate operators pay for access to build and deployment infrastructure, lowering the barrier to entry for less technically proficient threat actors. The surge in infostealer variants this year, up 28% compared to 2024, underscores a growing trend of commoditized malware being used against high-value targets in the cryptocurrency ecosystem.
Mitigation strategies recommended by security teams include enforcing strict email and web filtering policies to block malicious ad networks, deploying behavior-based threat detection, and disabling auto-execution of untrusted Node.js scripts. Users of browser wallets are advised to verify extension integrity, keep up-to-date backups of seed phrases stored offline, and consider hardware wallets for large-value holdings.
Ongoing monitoring of traffic patterns for anomalous outbound connections to unfamiliar domains can aid in early detection of data exfiltration attempts. Coordination between wallet developers, browser vendors, and security firms will be essential to develop signature- and behavior-based detections that see through ModStealer’s obfuscation layers and prevent further wallet compromise.
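The outbound-traffic monitoring suggested above can be made concrete. As an added example (not part of the report), the script below aggregates per-process TLS connection records and flags a destination when a script interpreter such as `node` reaches a host outside an egress allowlist, when TLS goes to a bare IP with no SNI, or when the upload volume looks more like a staged credential bundle than a package-manager call. The log format, the allowlist, the interpreter list, the 1 MB threshold and the log lines themselves are all assumptions constructed for this example, not indicators from the ModStealer analysis.

```python
"""Score outbound TLS connections for exfiltration-like behaviour.

Added illustration; log format, allowlist and thresholds are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumed log format (constructed for this example): one TLS connection per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+)"
    r" sni=(?P<sni>\S*) bytes_out=(?P<bytes_out>\d+)$"
)
# Interpreters that, on a developer workstation, normally need egress only to a
# handful of known services (assumption; tune per environment).
SCRIPT_HOSTS = {"node", "nodejs", "osascript", "python3"}
# Egress allowlist for those interpreters (assumed).
ALLOWED_SUFFIXES = ("registry.npmjs.org", "github.com", "corp.example.com")
# Upload volume unusual for a package-manager call (assumed threshold).
BULK_UPLOAD_BYTES = 1_000_000


def parse_line(line: str) -> Optional[Dict]:
    """Parse one connection record; None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes_out"] = int(ev["bytes_out"])
    return ev


def domain_allowed(name: str) -> bool:
    """True when name is an allowlisted host or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in ALLOWED_SUFFIXES)


def find_exfil_candidates(lines: List[str]) -> List[Dict]:
    """Aggregate per (pid, process, destination) and return scored alerts, largest upload first."""
    totals = defaultdict(lambda: {"bytes_out": 0, "connections": 0, "no_sni": False})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        dest = ev["sni"] or ev["ip"]
        agg = totals[(ev["pid"], ev["proc"], dest)]
        agg["bytes_out"] += ev["bytes_out"]
        agg["connections"] += 1
        agg["no_sni"] = agg["no_sni"] or not ev["sni"]

    alerts = []
    for (pid, proc, dest), agg in totals.items():
        reasons = []
        if proc in SCRIPT_HOSTS and not domain_allowed(dest):
            reasons.append("script interpreter reaching a destination outside the allowlist")
        if agg["no_sni"]:
            reasons.append("TLS to a bare IP with no SNI (typical of a hard-coded C2 address)")
        if agg["bytes_out"] >= BULK_UPLOAD_BYTES:
            reasons.append(f"{agg['bytes_out']} bytes uploaded across {agg['connections']} connections")
        if reasons:
            alerts.append({"pid": pid, "proc": proc, "dest": dest,
                           "bytes_out": agg["bytes_out"], "reasons": reasons})
    alerts.sort(key=lambda a: a["bytes_out"], reverse=True)
    return alerts


# Constructed sample log (TEST-NET addresses, example.net/example.com hostnames).
SAMPLE_LOG = """\
2025-09-12T10:01:02Z pid=4321 proc=node dst=203.0.113.10:443 sni=updates.example.net bytes_out=812000
2025-09-12T10:01:09Z pid=4321 proc=node dst=203.0.113.10:443 sni=updates.example.net bytes_out=1031000
2025-09-12T10:02:15Z pid=2210 proc=node dst=198.51.100.7:443 sni=registry.npmjs.org bytes_out=4200
2025-09-12T10:03:40Z pid=3899 proc=firefox dst=198.51.100.22:443 sni=github.com bytes_out=91000
2025-09-12T10:04:01Z pid=4321 proc=node dst=192.0.2.55:8443 sni= bytes_out=2300
not a log line
"""

if __name__ == "__main__":
    for a in find_exfil_candidates(SAMPLE_LOG.splitlines()):
        print(f"pid={a['pid']} {a['proc']} -> {a['dest']} ({a['bytes_out']} B): {'; '.join(a['reasons'])}")
```

The point of aggregating per destination rather than alerting per connection is that a stealer typically uploads its staging directory in several requests; the per-connection sizes look ordinary while the total does not.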