"Malware-as-a-Service Enables Cybercrime for the Non-Technical"
A new cross-platform malware, identified as ModStealer, has been uncovered by the cybersecurity firm Mosyle. The sample had gone undetected by major antivirus engines since it was first uploaded to VirusTotal nearly a month earlier. The malware evades signature-based detection and is built to exfiltrate data, in particular cryptocurrency wallet credentials and private keys. It targets 56 browser wallet extensions, including Safari extensions, and runs on macOS, Windows, and Linux.
Mosyle’s analysis indicates that ModStealer is delivered through malicious job-recruitment advertisements aimed primarily at developers. The malware is heavily obfuscated JavaScript running under NodeJS, which helps it slip past traditional antivirus tools. Once installed on macOS, ModStealer uses Apple’s launchctl to register itself as a LaunchAgent, so it is relaunched at every login. From there it quietly monitors system activity and sends sensitive data to a remote server. That server is hosted in Finland and linked to infrastructure in Germany, an arrangement believed to be intended to obscure the operators’ true location.
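The LaunchAgent persistence described above is exactly the kind of behaviour a non-signature check can catch: a launchd job whose program is a script interpreter, whose payload is a JavaScript file under a hidden directory, and which is configured to restart whenever it exits. The script below is an added example, not Mosyle’s tooling or anything from the ModStealer report. It parses launchd property lists with the standard-library plistlib and scores each one on those traits. The interpreter names, directory prefixes, weights and threshold are assumptions, not published indicators, and the two embedded plists are constructed for the demonstration rather than real artifacts.

```python
"""Heuristic audit of macOS LaunchAgent plists for script-based persistence.

Added example, not Mosyle's tooling. It loads launchd property lists and
scores each on traits an interpreter-launched infostealer would show: a
script interpreter as the program, a JavaScript payload, a payload under a
hidden or scratch directory, and RunAtLoad + KeepAlive. Interpreter names,
directory prefixes and weights are assumptions, not published indicators.
"""
import plistlib
from pathlib import Path

# Assumed interpreter names that rarely appear as the Program of a legitimate agent.
SCRIPT_INTERPRETERS = {"node", "nodejs", "osascript", "python", "python3", "sh", "bash", "zsh"}
# Assumed scratch/shared locations a packaged application would not normally run from.
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/", "/Library/Caches/")
SUSPICION_THRESHOLD = 3  # assumed cut-off for flagging an agent


def program_of(plist: dict) -> str:
    """launchd takes the executable from Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def _under_hidden_dir(path: str) -> bool:
    """True if any path component other than '..' starts with a dot."""
    return any(part.startswith(".") and part != ".." for part in Path(path).parts)


def audit_launch_agent(plist_bytes: bytes) -> dict:
    """Return label, program, findings and a score for one LaunchAgent plist."""
    plist = plistlib.loads(plist_bytes)
    program = program_of(plist)
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    candidate_paths = [program] + args[1:]  # the binary plus anything it is told to run
    findings = []
    score = 0

    if Path(program).name in SCRIPT_INTERPRETERS:
        findings.append(f"interpreter-launched payload: {Path(program).name}")
        score += 2
    for p in candidate_paths:
        if p.startswith(SCRATCH_DIRS):
            findings.append(f"payload in scratch/shared directory: {p}")
            score += 2
        if _under_hidden_dir(p):
            findings.append(f"payload under hidden directory: {p}")
            score += 1
        if p.endswith((".js", ".mjs", ".cjs")):
            findings.append(f"JavaScript payload: {p}")
            score += 2
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive (restarted whenever it exits)")
        score += 1

    return {
        "label": str(plist.get("Label", "<no label>")),
        "program": program,
        "findings": findings,
        "score": score,
        "suspicious": score >= SUSPICION_THRESHOLD,
    }


def audit_directory(directory: Path) -> list:
    """Audit every .plist in a directory such as ~/Library/LaunchAgents; unreadable files are skipped."""
    results = []
    for path in sorted(directory.glob("*.plist")):
        try:
            results.append(audit_launch_agent(path.read_bytes()))
        except (OSError, plistlib.InvalidFileException):  # permissions, corrupt files, etc.
            continue
    return results


# Constructed sample plists (not real artifacts) for offline demonstration.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.helper",
    "Program": "/Applications/Example.app/Contents/MacOS/example-helper",
    "RunAtLoad": True,
})
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.example.sysmond",
    "ProgramArguments": ["/usr/local/bin/node", "/Users/dev/.local/share/sysmond/sysmond.js"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        r = audit_launch_agent(sample)
        print(f"{r['label']}: score={r['score']} suspicious={r['suspicious']}")
        for finding in r["findings"]:
            print("  -", finding)
    # On a real Mac, also run it over the live per-user agents.
    for r in audit_directory(Path.home() / "Library" / "LaunchAgents"):
        if r["suspicious"]:
            print("LIVE:", r["label"], r["findings"])
```

The scoring is deliberately additive rather than a single rule: a legitimate updater may well use RunAtLoad and KeepAlive, and a developer may legitimately run a node script at login, but the combination of an interpreter, a hidden script path and auto-restart is far less common. Treat the output as triage input, then confirm with `launchctl print gui/$(id -u)/<label>` and by inspecting the script itself.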
ModStealer can also capture the clipboard and the screen, and, most seriously, execute code sent by its operators, which could give attackers full control of an infected system. Researchers stress that its stealth and cross-platform reach make it particularly dangerous, since it can evade traditional defenses and operate undetected for extended periods.
Mosyle suspects that ModStealer is sold under the Malware-as-a-Service (MaaS) model, in which criminal developers offer ready-made malware packages to less technically skilled affiliates. The model has grown in recent years, especially for infostealers, and according to Mosyle it lets even non-technical actors mount sophisticated attacks. Earlier in 2025, Jamf reported a 28% increase in infostealer malware, which is now the leading category of Mac malware.
In response to the discovery, Mosyle urges organizations and individuals to move beyond signature-based security solutions. The company emphasizes the importance of continuous monitoring, behavior-based detection systems, and increased awareness of emerging threats to combat evolving cyber risks. Security professionals are advised to remain vigilant, especially when handling suspicious email attachments or visiting unverified websites, as these are common vectors for such malware.