New Cross-Platform Malware ‘ModStealer’ Targets macOS, Windows, and Linux Users

After alerting 9to5Mac last month to undetectable Mac malware hidden in a fake PDF converter site, Mosyle—an Apple device management and security firm—has revealed another dangerous threat. The newly discovered malware, named ModStealer, has gone undetected by major antivirus tools since it first surfaced on VirusTotal nearly a month ago.

In an exclusive briefing with 9to5Mac, Mosyle explained that ModStealer is not limited to macOS. Instead, it is a cross-platform infostealer designed with a single purpose: stealing sensitive data.

According to Mosyle’s research, attackers are distributing ModStealer through malicious job recruiter ads aimed at developers. The malware is delivered as a heavily obfuscated JavaScript file built with NodeJS, which lets it slip past signature-based security systems. It threatens not just Mac users but also Windows and Linux environments.

The primary mission of ModStealer is data exfiltration. It specifically targets cryptocurrency wallets, login credentials, system configuration files, and digital certificates. Mosyle uncovered code tailored to 56 different browser wallet extensions—including Safari—designed to harvest private keys and other confidential account information.

Beyond data theft, ModStealer can perform clipboard hijacking, screen capturing, and even remote code execution. While the first two are already dangerous, the latter grants attackers nearly full control of compromised systems.

What makes this malware especially concerning is its stealth. Because signature-based tools fail to detect it, ModStealer can operate silently in the background. On macOS, it achieves persistence by abusing Apple’s legitimate launchctl tool, registering itself as a LaunchAgent so that it continuously monitors activity and sends stolen information to a remote server. Mosyle traced the data server to Finland but found links to infrastructure in Germany, suggesting an attempt to disguise the attackers’ true location.
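The LaunchAgent persistence described above is something a defender can audit directly. The following is an added example (not Mosyle's code or a ModStealer artifact) that parses LaunchAgent plists and flags the combination the article describes: a NodeJS interpreter launching a JavaScript file with RunAtLoad or KeepAlive set. The interpreter names, the sample plists, and the invented labels and paths are assumptions made for this example.

```python
import plistlib
from pathlib import Path

# The page describes a NodeJS-built JavaScript stealer persisted as a LaunchAgent, so a
# plist whose program is node and whose argument is a .js file is the hook this checks.
# The interpreter names below are an assumption for this example, not from the page.
NODE_INTERPRETERS = {"node", "nodejs"}

def inspect_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent plist and report NodeJS-based persistence indicators."""
    data = plistlib.loads(plist_bytes)
    args = [str(a) for a in (data.get("ProgramArguments") or [data.get("Program")]) if a]
    runs_node = bool(args) and Path(args[0]).name in NODE_INTERPRETERS
    js_payload = any(a.endswith((".js", ".mjs", ".cjs")) for a in args[1:])
    # RunAtLoad / KeepAlive are what make the agent survive logins and restarts.
    persistent = bool(data.get("RunAtLoad")) or bool(data.get("KeepAlive"))
    return {"label": str(data.get("Label", "")), "args": args, "runs_node": runs_node,
            "js_payload": js_payload, "persistent": persistent,
            "suspicious": runs_node and js_payload and persistent}

def scan_launch_agents(directory: Path) -> list:
    """Inspect every *.plist under a LaunchAgents dir; unreadable files are reported, not skipped."""
    findings = []
    for path in sorted(directory.glob("*.plist")):
        try:
            result = inspect_launch_agent(path.read_bytes())
        except Exception as exc:  # a malformed plist is itself worth a look
            result = {"error": str(exc), "suspicious": False}
        result["path"] = str(path)
        findings.append(result)
    return findings

# Constructed sample plists (not real ModStealer artifacts); labels and paths are invented.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/node</string>
<string>/Users/me/.cache/update.js</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/bin/rsync</string><string>-a</string></array>
<key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        print(inspect_launch_agent(sample))
    print(scan_launch_agents(Path.home() / "Library" / "LaunchAgents"))
```

Run it on a Mac to list findings for the current user's ~/Library/LaunchAgents; a hit is a starting point for review, not proof of infection, since legitimate developer tooling can also persist node scripts.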

Mosyle also believes ModStealer may be offered as part of the growing Malware-as-a-Service (MaaS) industry, where cybercriminals develop malicious tools and sell them to affiliates with little technical expertise. These affiliates can then deploy the malware for their own objectives. This approach has become increasingly popular, especially for infostealers. Jamf previously reported a 28% rise in infostealer malware earlier this year, calling it the most common Mac malware family in 2025.

“For security professionals, developers, and end users alike, this serves as a stark reminder that signature-based protections alone are not enough. Continuous monitoring, behavior-based defenses, and awareness of emerging threats are essential to stay ahead of adversaries,” Mosyle warns.