Cybercriminals have refined the art of digital invisibility, and their latest creation has been quietly looting cryptocurrency wallets for weeks. The sophisticated malware, identified as ModStealer by Apple security firm Mosyle, has gone undetected across Windows, Mac, and Linux systems for nearly a month, stealthily draining digital assets while evading detection by every major antivirus engine.
According to Mosyle, ModStealer has remained completely invisible to traditional antivirus software since it first emerged, highlighting a dangerous blind spot in current cybersecurity defenses. “This serves as a stark reminder that signature-based protections alone are not enough,” Mosyle representatives warned in a statement to media.
Fake Job Ads Spread the Virus
Criminals are spreading ModStealer through fake job postings that target computer programmers and software developers. When job seekers respond to these fraudulent advertisements, they receive infected files disguised as legitimate documents.
The virus uses advanced hiding techniques that completely fool traditional antivirus software. Security experts compare it to a master criminal wearing the perfect disguise to slip past guards.
Once installed, ModStealer immediately begins hunting for cryptocurrency wallets. Researchers discovered it can break into 56 different types of digital wallets, including those built into web browsers like Safari.
The malware doesn’t limit itself to stealing digital money. Security analysis reveals it can also capture screenshots, copy clipboard data, and execute remote commands that give criminals near-total control over infected computers.
On Mac systems, the virus exploits Apple’s own system tools to maintain a permanent presence, ensuring it survives computer restarts while remaining hidden from users.
ModStealer exploits gaps in cybersecurity
Mosyle researchers believe ModStealer represents a growing trend called “Malware-as-a-Service.” In this criminal business model, skilled hackers create ready-made viruses and sell them to less technical criminals.
This franchise approach has proven highly effective. Security firm Jamf reported that wallet-stealing malware increased by 28% in 2025, making it the most common type of Mac virus this year.
The criminals behind ModStealer operate across multiple countries to avoid detection. While they store stolen data on servers in Finland, investigators traced their internet traffic through Germany. This tactic is designed to confuse law enforcement.
The month-long invisibility period has exposed serious weaknesses in current cybersecurity defences. Experts now recommend that users and businesses adopt behaviour-monitoring security systems rather than relying solely on traditional antivirus software. Security professionals advise extreme caution when responding to unsolicited job offers and recommend keeping all security software updated.
