IT Home, September 12th: technology media outlet 9to5Mac published a blog post yesterday (September 11th) reporting that Mosyle, an Apple device management and security company, has identified a new cross-platform information-stealing malware named "ModStealer". Although a sample appeared on VirusTotal about a month ago, no mainstream antivirus engine has detected it.
ModStealer targets not only macOS but also Windows and Linux. Its core purpose is data theft, in particular cryptocurrency wallets, account credentials, configuration files and certificates. The researchers found that the malware contains built-in code targeting 56 browser wallet extensions, including ones for Safari, in order to directly extract private keys and sensitive account information.
According to the analysis, ModStealer lures targets into downloading malicious files through fake job advertisements aimed at developers. The payload is a heavily obfuscated JavaScript file run with Node.js, which evades signature-based defense tools. Because it runs on multiple platforms, far more businesses and individuals may be affected than just Mac users.
Beyond data theft, ModStealer can capture the clipboard and screen and execute remote code. The remote code execution capability is particularly dangerous, as it may give attackers near-complete control of an infected device. On macOS, it uses Apple's launchctl tool to install itself as a LaunchAgent for long-term, hidden persistence.
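The LaunchAgent persistence described above is something defenders can hunt for. The following is an added example, not code from the article or from Mosyle: it parses LaunchAgent plists and flags ones that launch a Node.js interpreter or a JavaScript file from a user-writable or hidden path with RunAtLoad/KeepAlive set. The heuristics and the two sample plists are constructed for illustration and are not real ModStealer indicators.

```python
import plistlib
from pathlib import Path

NODE_NAMES = {"node", "nodejs"}
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

def assess_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing notable."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else [])
    findings = []
    if args and Path(args[0]).name in NODE_NAMES:
        findings.append("node-interpreter")           # payload executed by Node.js
    if any(a.endswith((".js", ".mjs", ".cjs")) for a in args):
        findings.append("javascript-payload")         # a script, not a signed binary
    if any(a.startswith(USER_WRITABLE) for a in args):
        findings.append("user-writable-path")         # no admin rights needed to plant it
    if any("/." in a for a in args):
        findings.append("hidden-directory")           # dot-directory hides it from Finder
    if plist.get("RunAtLoad") or plist.get("KeepAlive"):
        findings.append("persistent")                 # restarted at login / if killed
    return findings

def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Assess every .plist in a LaunchAgents folder, keyed by file name."""
    results = {}
    for p in sorted(directory.glob("*.plist")):
        try:
            results[p.name] = assess_launch_agent(p.read_bytes())
        except Exception as exc:  # a malformed plist is itself worth a look
            results[p.name] = [f"unparseable: {exc}"]
    return results

# Constructed samples (hypothetical labels and paths, not observed artifacts).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/node</string><string>/Users/alice/.cache/update.js</string>
  </array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/helper</string><string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

if __name__ == "__main__":
    for name, findings in scan_launch_agents(Path.home() / "Library/LaunchAgents").items():
        print(name, findings or "ok")
```

A hit on "node-interpreter" or "javascript-payload" together with "persistent" is the combination worth triaging, since legitimate agents in ~/Library/LaunchAgents rarely run scripts out of hidden user directories.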
Mosyle's investigation also traced the servers receiving the stolen data to Finland, but the related infrastructure points to Germany and is suspected of being used to disguise the attackers' real location.
Based on its functionality and distribution method, Mosyle believes ModStealer fits the "malware as a service" model: developers package the malicious program and sell it to affiliates with no technical background, who then choose their own targets.
IT Home notes that, according to a report Jamf published earlier this year, information-stealing malware surged to 28% of Mac malware, making it the main type in the Mac malware family in 2025.