A new strain of malware built specifically to steal cryptocurrency wallet data slips past every major antivirus engine, according to the Apple device management and security firm Mosyle.
The infostealer, dubbed ModStealer, had been live for almost a month without being flagged by any virus scanner. Mosyle researchers say the malware is distributed through malicious job-recruitment ads aimed at developers and uses a heavily obfuscated NodeJS script to evade signature-based defenses.
In other words, the malware's code has been encrypted and wrapped in layers of transformations that make it unreadable to signature-based antivirus tools. Because those defenses rely on spotting recognizable code "patterns", the obfuscation hides the patterns and lets the script run undetected.
In practice, this lets attackers plant malicious instructions on a system while bypassing the traditional security scans that would usually catch simpler, unmodified code. It is also why behaviour-based detection, such as watching for new persistence entries or unexpected interpreter processes, matters more than file signatures against this kind of payload.
Unlike most Mac-focused malware, ModStealer is also cross-platform, hitting Windows and Linux environments as well. Its primary mission is data exfiltration, and the code is reported to include preloaded instructions for targeting 56 browser wallet extensions in order to extract private keys, credentials and certificates.
The malware also supports clipboard hijacking, screen capture and remote code execution, giving attackers near-total control of infected devices. On macOS, persistence is obtained through Apple's launchctl tool, with the malware installed as a LaunchAgent. For a responder, that means a new property list under ~/Library/LaunchAgents that launches a Node.js interpreter is the artifact to look for.
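As an added example (not Mosyle's code and not the ModStealer payload), the following script shows how a responder could hunt for the LaunchAgent persistence described above. It parses launchd property lists with the standard-library plistlib and flags agents whose program is a Node.js interpreter, whose script lives in a user-writable temp directory, whose arguments carry an inline script, or which combine RunAtLoad with KeepAlive. The two sample plists are constructed for the demo; the path ~/Library/LaunchAgents is macOS's real per-user LaunchAgent directory, and the heuristics and label names are this example's own assumptions, not indicators published for ModStealer.

```python
"""Hunt for Node.js-based LaunchAgent persistence (added example, not the
vendor's code). Scans a directory of launchd plists and reports the ones
that match simple behavioural heuristics. Sample plists are constructed
inline so the script runs anywhere, not just on macOS."""
import os
import plistlib
import tempfile

# Heuristics (assumptions for this example, not published ModStealer IOCs).
NODE_BINARIES = {"node", "nodejs"}
INLINE_FLAGS = {"-e", "--eval", "-p", "--print"}
SUSPECT_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")

# Real default location of per-user LaunchAgents on macOS.
USER_LAUNCH_AGENTS = os.path.expanduser("~/Library/LaunchAgents")


def analyze_plist(data: bytes):
    """Return the list of reasons a LaunchAgent plist looks suspicious.
    An empty list means nothing matched."""
    try:
        pl = plistlib.loads(data)
    except Exception as exc:  # a plist launchd cannot parse is itself odd
        return [f"unparseable plist: {exc}"]

    # launchd accepts either Program or ProgramArguments (or both).
    args = list(pl.get("ProgramArguments") or [])
    if pl.get("Program"):
        args.insert(0, pl["Program"])

    reasons = []
    if args and os.path.basename(args[0]) in NODE_BINARIES:
        reasons.append("program is a Node.js interpreter")
    if any(a in INLINE_FLAGS for a in args[1:]):
        reasons.append("inline script passed via eval flag")
    if any(a.startswith(SUSPECT_DIRS) for a in args):
        reasons.append("program or script lives in a temp/shared directory")
    if pl.get("RunAtLoad") and pl.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (restarts if killed)")
    return reasons


def scan_dir(path: str):
    """Map plist filename -> reasons for every suspicious plist in path."""
    findings = {}
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            reasons = analyze_plist(fh.read())
        if reasons:
            findings[name] = reasons
    return findings


# Constructed samples: one ordinary vendor helper, one Node agent that
# mimics an Apple-style label and runs a script out of /tmp.
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.vendor.helper",
    "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/helper", "--agent"],
    "RunAtLoad": True,
})
SAMPLE_SUSPECT = plistlib.dumps({
    "Label": "com.apple.updater",  # hypothetical, chosen to look legitimate
    "ProgramArguments": ["/usr/local/bin/node", "/tmp/.cache/update.js"],
    "RunAtLoad": True,
    "KeepAlive": True,
})


def demo():
    """Write the two constructed plists to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "com.vendor.helper.plist"), "wb") as fh:
            fh.write(SAMPLE_BENIGN)
        with open(os.path.join(tmp, "com.apple.updater.plist"), "wb") as fh:
            fh.write(SAMPLE_SUSPECT)
        return scan_dir(tmp)


if __name__ == "__main__":
    target = USER_LAUNCH_AGENTS if os.path.isdir(USER_LAUNCH_AGENTS) else None
    results = scan_dir(target) if target else demo()
    for name, reasons in results.items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a real Mac the script scans ~/Library/LaunchAgents directly; elsewhere it falls back to the constructed samples. The heuristics are deliberately coarse: a Node.js LaunchAgent is not malicious by itself, so treat a hit as a lead to examine the referenced script, not as a verdict.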
Mosyle says the build fits the profile of "malware-as-a-service", in which developers sell ready-made tools to affiliates with limited technical expertise. That model has driven a surge in infostealers this year, with Jamf reporting a 28% increase in 2025 alone.
The discovery comes on the heels of recent NPM-focused attacks, in which malicious packages such as colortoolsv2 and mimelib2 used Ethereum smart contracts to hide the location of their second-stage malware. In both cases, attackers exploited obfuscation and trusted developer infrastructure to evade detection.
ModStealer extends this pattern beyond package repositories, showing how cybercriminals are escalating their techniques across ecosystems to compromise developer environments and target crypto wallets directly.