Security researchers at Jamf Threat Labs have identified a new macOS information stealer named PamStealer that uses deceptive distribution methods and system-level authentication abuse to harvest sensitive user data, including login passwords. The malware is being distributed through a multi-stage infection chain that begins with a compiled AppleScript file disguised as a legitimate version of Maccy, an open-source clipboard manager. Researchers explained that the stealer derives its name from its unusual ability to validate victim login credentials using macOS Pluggable Authentication Modules (PAM) before exfiltrating them, allowing it to confirm password accuracy directly on the compromised system. The attack is delivered through a disk image containing a staged AppleScript payload that initiates the infection process and prepares the system for a secondary Rust-based infostealer component responsible for broader data theft and persistence.
The initial access vector for PamStealer involves a fake website impersonating the legitimate Maccy project, specifically using domains such as maccyapp[.]com to resemble the official maccy[.]app site. The downloaded disk image contains a file named Maccy.scpt, which executes a JavaScript for Automation downloader that retrieves the next-stage payload using native Objective-C APIs. Researchers observed that when the script is opened through Script Editor, it displays instructions encouraging the user to execute it via keyboard shortcut or the Run button, effectively guiding users into activating malicious code embedded deep within the file structure. The script is also designed to remain functional even when macOS quarantine attributes are present, allowing it to bypass some of the platform's security restrictions. Security analysts noted that this approach combines user interaction with native macOS tooling to create a quieter execution path than typical commodity macOS malware.
PamStealer includes multiple environment-aware checks that allow execution only after validating system conditions. The AppleScript component performs host fingerprinting and determines whether the system is running on Apple Silicon before continuing execution. It derives an encryption key from system attributes such as CPU architecture, locale, keyboard layout, and time zone, which is then used to decrypt configuration data containing payload URLs and installation paths. On Intel-based systems, the derived key fails validation, preventing execution of the payload. The malware also includes anti-analysis logic that avoids execution in sandboxed environments and terminates if the system locale, keyboard input, or time zone indicates regions in Eastern Europe, including Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia. Once these checks are passed, the malware downloads a Rust-compiled Mach-O binary masquerading as Finder, which is responsible for harvesting browser data, cryptocurrency wallet extensions, iCloud Keychain entries, and clipboard content, before encrypting and exfiltrating it to attacker-controlled infrastructure at avenger-sync[.]live.
The Rust-based payload extends the malware's capabilities by introducing a password capture mechanism that requests the user's macOS system password through a native prompt and validates it locally using the PAM API. If the password is incorrect, the prompt repeats until the correct credential is entered, ensuring the theft of valid login data. Once the password is obtained, the malware triggers a decoy alert mimicking a Gatekeeper warning, stating that Maccy is damaged, cannot be opened, and should be moved to the Trash, while the malicious activity has already completed in the background. The payload also includes a persistence module disguised as macOS System Settings in a small arm64 Mach-O binary, ensuring continued access to the compromised system. Developers of the legitimate Maccy application have issued warnings about fake websites distributing malware, emphasizing that maccy[.]app is the only official source. Security researchers noted that PamStealer reflects an ongoing trend in macOS malware development in which attackers increasingly rely on native execution chains, Rust-based components, and reduced visible system interaction to evade detection while retaining full credential theft and data exfiltration capabilities.
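The observable behaviours reported above (the maccyapp[.]com lookalike domain, the Maccy.scpt script launched through a script host, a Mach-O posing as Finder or System Settings outside its system path, and exfiltration to avenger-sync[.]live) translate into straightforward telemetry detections. The following is an added example written for this summary, not code from Jamf Threat Labs or the Maccy project; the event schema, the sample events, and the genuine install paths used to spot masquerading processes are assumptions to be mapped onto your own EDR data.

```python
"""Detection sketch for the PamStealer behaviours described above. Added
example, not code from Jamf Threat Labs or the Maccy project; the event
schema and sample events are constructed, so map them onto your own telemetry."""
import re

LOOKALIKE_DOMAINS = {"maccyapp.com"}    # impersonates the official maccy.app
EXFIL_DOMAINS = {"avenger-sync.live"}   # reported exfiltration host
SCRIPT_HOSTS = {"osascript", "Script Editor"}  # processes that run a .scpt
# Assumed genuine install paths of the two system apps the payload imitates.
GENUINE_PATHS = {
    "Finder": "/System/Library/CoreServices/Finder.app/",
    "System Settings": "/System/Applications/System Settings.app/",
}

def check_event(ev: dict) -> list:
    """Return the detection names that fire on one telemetry event."""
    hits = []
    if ev.get("type") == "dns":
        domain = ev.get("query", "").lower().rstrip(".")
        if domain in LOOKALIKE_DOMAINS:
            hits.append("maccy-lookalike-domain")
        if domain in EXFIL_DOMAINS:
            hits.append("pamstealer-exfil-domain")
    elif ev.get("type") == "process":
        name, path, args = ev.get("name", ""), ev.get("path", ""), ev.get("args", "")
        # Compiled AppleScript named Maccy.scpt launched through a script host.
        if name in SCRIPT_HOSTS and re.search(r"(?i)\bMaccy\.scpt\b", args):
            hits.append("maccy-scpt-execution")
        # A process calling itself Finder / System Settings from a non-system path.
        genuine = GENUINE_PATHS.get(name)
        if genuine and not path.startswith(genuine):
            hits.append("masquerade-" + name.replace(" ", "-").lower())
    return hits

def scan(events):
    """Return (index, detections) for every event that fires at least once."""
    return [(i, h) for i, ev in enumerate(events) if (h := check_event(ev))]

# Constructed sample telemetry, not real captured data.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "maccy.app"},                 # benign, official site
    {"type": "dns", "query": "maccyapp.com"},              # lookalike domain
    {"type": "process", "name": "osascript", "path": "/usr/bin/osascript",
     "args": "/Volumes/Maccy/Maccy.scpt"},                 # staged AppleScript
    {"type": "process", "name": "Finder",                  # fake "Finder" binary
     "path": "/Users/alice/Library/Caches/Finder", "args": ""},
    {"type": "dns", "query": "avenger-sync.live."},        # exfiltration host
]
```

Running `scan(SAMPLE_EVENTS)` flags every event except the benign lookup of the official site; the Finder rule deliberately ignores the genuine binary under /System/Library/CoreServices.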