After warning 9to5Mac last month about undetectable Mac malware hidden in a fake PDF converter site, Mosyle, a leader in Apple device management and security, has now uncovered a new infostealer. Dubbed ModStealer, the malware has remained invisible to all major antivirus engines since first appearing on VirusTotal nearly a month ago.
In details shared exclusively with 9to5Mac, Mosyle says ModStealer doesn’t just target macOS systems, but is cross-platform and purpose-built for one thing: stealing data.
According to Mosyle’s analysis, ModStealer is delivered to victims through malicious job-recruiter ads aimed at developers. The payload is a heavily obfuscated JavaScript file run with Node.js, which signature-based defenses have so far failed to detect. It is not limited to Macs either: Windows and Linux environments are also at risk.
The malware’s main purpose is data exfiltration, with a particular focus on cryptocurrency wallets, credential files, configuration details, and certificates. Mosyle found pre-loaded code targeting 56 different browser wallet extensions, including extensions for Safari, designed to extract private keys and sensitive account information.
The firm’s researchers also discovered that ModStealer is capable of clipboard capture, screen capture, and remote code execution. The first two are bad enough, but remote code execution can give attackers nearly complete control over an infected device.
What makes this discovery so alarming is the stealth with which ModStealer operates.
On macOS, the malware achieves persistence (a long-term presence that survives logouts and reboots) by abusing Apple’s own launchctl tool to register itself as a LaunchAgent. From there, it quietly monitors activity and exfiltrates sensitive information to a remote server. Mosyle researchers say the server receiving the stolen data appears to be in Finland but is tied to infrastructure in Germany, likely to mask the operators’ real location.
Mosyle believes ModStealer fits the profile of Malware-as-a-Service (MaaS), in which malware developers build and sell ready-made malicious packages to affiliates who may have little technical skill. Affiliates take the finished malware and aim it at whatever targets they choose.
This business model has become increasingly popular among cybercriminal gangs, especially for distributing infostealers like ModStealer. Earlier this year, Jamf reported a 28% spike in infostealer malware, making it the leading Mac malware family type in 2025.
“For security professionals, developers, and end users alike, this serves as a stark reminder that signature-based protections alone are not enough. Continuous monitoring, behavior-based defenses, and awareness of emerging threats are essential to stay ahead of adversaries,” warns Mosyle.
Indicators of Compromise:
SHA256 hash: 8195148d1f697539e206a3db1018d3f2d6daf61a207c71a93ec659697d219e84
Filename: .sysupdater[.]dat
C2 server IP address: 95.217.121[.]184
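A defender-side check for the LaunchAgent persistence described above, written for this article as an added example rather than code from Mosyle or 9to5Mac: it parses each plist under a LaunchAgents folder and flags agents that run a hidden dotfile, reference the published filename or SHA-256, or start a Node.js interpreter at login. The hash and filename come from the IoCs listed above (with the defanging removed); the labels and paths in the two constructed sample agents are assumptions.

```python
import hashlib
import plistlib
from pathlib import Path

# Published IoCs from the article; the filename is the defanged ".sysupdater[.]dat" restored.
IOC_SHA256 = "8195148d1f697539e206a3db1018d3f2d6daf61a207c71a93ec659697d219e84"
IOC_FILENAME = ".sysupdater.dat"

def assess_launch_agent(plist_bytes: bytes) -> list:
    """Return the reasons a LaunchAgent plist looks suspicious (empty list = nothing found)."""
    try:
        info = plistlib.loads(plist_bytes)
    except plistlib.InvalidFileException:
        return ["unparseable plist"]
    args = [str(a) for a in info.get("ProgramArguments") or []]
    if "Program" in info:  # launchd accepts Program instead of, or in front of, ProgramArguments
        args.insert(0, str(info["Program"]))
    reasons = []
    for arg in args:
        name = Path(arg).name
        if name == IOC_FILENAME:
            reasons.append(f"references published IoC filename {IOC_FILENAME}")
        elif name.startswith(".") and name not in (".", ".."):
            reasons.append(f"executes or loads a hidden dotfile: {arg}")
        # Hash any referenced file that exists on disk against the published sample hash.
        if Path(arg).is_file() and hashlib.sha256(Path(arg).read_bytes()).hexdigest() == IOC_SHA256:
            reasons.append(f"{arg} matches the published SHA-256")
    # A Node.js interpreter registered to start at login is unusual for a legitimate agent.
    if args and Path(args[0]).name in {"node", "nodejs"} and info.get("RunAtLoad"):
        reasons.append("Node.js interpreter launched at login via RunAtLoad")
    return reasons

def scan_launch_agents(directory: Path) -> dict:
    """Assess every *.plist in a LaunchAgents folder; keys are the flagged file names."""
    findings = {}
    for plist in sorted(directory.glob("*.plist")):
        if reasons := assess_launch_agent(plist.read_bytes()):
            findings[plist.name] = reasons
    return findings

# Constructed sample agents (not real files): one benign, one mimicking the reported persistence.
SAMPLE_BENIGN = plistlib.dumps({"Label": "com.example.backup", "RunAtLoad": True,
                                "ProgramArguments": ["/usr/local/bin/backup-tool", "--daily"]})
SAMPLE_SUSPICIOUS = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
                                    "ProgramArguments": ["/usr/local/bin/node", "/Users/dev/.sysupdater.dat"]})

if __name__ == "__main__":
    print("benign:", assess_launch_agent(SAMPLE_BENIGN), "suspicious:", assess_launch_agent(SAMPLE_SUSPICIOUS))
    print(scan_launch_agents(Path.home() / "Library" / "LaunchAgents") or "no findings")
```

Run it on each user’s ~/Library/LaunchAgents as well as /Library/LaunchAgents; a hit on the dotfile or Node.js heuristics warrants a look at the referenced script, while a hash match is a confirmed sample.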