New Malware Exploits Fake Job Ads to Hit Crypto Wallets on Windows, Mac, Linux

A newly discovered cross-platform malware dubbed ModStealer is slipping past antivirus systems and targeting crypto wallets on Windows, macOS, and Linux, according to researchers at Apple device security firm ￰0￱ Takeaways: ModStealer malware is evading antivirus detection and targeting crypto wallets across Windows, macOS, and ￰1￱ malware spreads via fake job ads and extracts private keys, credentials, and wallet ￰2￱ warn that ModStealer is part of a growing Malware-as-a-Service ￰3￱ has remained undetected by major antivirus engines since it was first uploaded to VirusTotal nearly a month ago, 9to5Mac reported on ￰4￱ malware is being distributed through fake job recruiter ads aimed at developers, a growing tactic among ￰5￱ Tricked into Running Malicious JavaScript File Victims are tricked into running a malicious JavaScript file written in NodeJS, which avoids detection by traditional signature-based ￰6￱ more basic infostealers, ModStealer comes loaded with features designed for stealth and ￰7￱ targets 56 browser-based crypto wallet extensions, including those on Safari, and is capable of extracting private keys, credentials, configuration files, and ￰8￱ and screen capture tools are also embedded, alongside remote code execution, which can give attackers near-total control of an infected ￰9￱ macOS, the malware uses Apple’s launchctl tool to gain persistence by embedding itself as a ￰10￱ there, it silently monitors activity and sends data to a remote server believed to be hosted in Finland but routed through German ￰11￱ paid ads Scam ads are seemingly-real ads on Twitter and Google that advertise fake giveaways and ￰12￱ goal is to trick you into connecting your wallet and signing malicious ￰13￱ use links in paid ads or search results to access airdrops! ￰14￱ — Phantom (@phantom) January 29, 2024 Researchers believe ModStealer is part of a growing Malware-as-a-Service (MaaS) ecosystem, where advanced malware packages are sold to affiliates who deploy them without needing technical ￰15￱ mirrors a wider trend in the cybercrime space: infostealers now dominate Mac malware, with Jamf reporting a 28% surge in such threats in 2025 ￰16￱ implications for crypto users are especially severe, given the malware’s focus on wallet extensions and sensitive blockchain credentials.

“This isn’t just a Mac issue anymore,” said Mosyle in a statement. “The cross-platform nature of ModStealer, combined with its stealth and MaaS distribution model, represents an evolving threat to developers, traders, and enterprises alike.” With its focus on evading antivirus systems, the campaign highlights the need for more advanced, behavior-based security ￰17￱ Loses $3M in Crypto Phishing Scam As reported, a cryptocurrency investor has fallen victim to a phishing scam , losing $3.05 million in Tether (USDT) after unknowingly signing a malicious blockchain ￰18￱ loss, flagged by blockchain analytics platform Lookonchain on Wednesday, underscores the rising threat of phishing attacks targeting digital asset ￰19￱ attacker exploited a common habit among crypto users: validating only the first and last few characters of a wallet address while ignoring the ￰20￱ investors lost over $2.2 billion to hacks , scams, and breaches in the first half of 2025, driven largely by wallet compromises and phishing attacks, according to CertiK’s latest security ￰21￱ breaches alone caused $1.7 billion in losses across just 34 incidents, while phishing scams accounted for over $410 million across 132 attacks.