Jamf Threat Labs Identifies PamStealer Malware Posing as Maccy App

Jamf Threat Labs identified a new Rust-based macOS infostealer called PamStealer that poses as the open-source clipboard manager Maccy. In a report published on Thursday, the cybersecurity firm said the campaign uses a fake website to distribute a malicious AppleScript file that can steal passwords and crypto wallet keys from Mac users. The malware validates victims' login passwords through macOS Pluggable Authentication Modules (PAM) before harvesting them, according to Jamf Threat Labs. The discovery reflects a broader trend of attackers disguising malware as legitimate software and abusing trusted developer platforms and advertising channels.

Jamf Threat Labs Discovers PamStealer Distribution Method

According to Jamf Threat Labs, the campaign uses a lookalike website to distribute a disk image containing a malicious AppleScript file named Maccy.scpt. When opened, the file displays instructions telling users to run it in Apple's Script Editor while hiding the malicious code further down the document.

"We are tracking this malware under the name PamStealer after one of its core behaviors: validating the victim's login password through the macOS Pluggable Authentication Modules (PAM) before harvesting it," Jamf Threat Labs wrote in the report.

Jamf Threat Labs Director Jaron Bradley told Decrypt that attackers have been purchasing Google Ad space to lure users to malicious apps. "We have recently observed malicious ads being hosted on X as well," Bradley said. "These social engineering techniques have proven to be highly successful."

PamStealer Employs Advanced Evasion Techniques

The malware uses JavaScript for Automation and native macOS APIs to download a second-stage payload without relying on common shell utilities such as curl or zsh, reducing the number of processes security tools can observe.

According to the report, the second stage is a Rust-based binary designed for Apple Silicon Macs that disguises itself as Finder or Software Update. "Rather than storing its configuration in cleartext, the dropper derives a key from a fingerprint of the host—including its CPU architecture, locale, keyboard layout, and time zone—and uses it to unlock an encrypted, integrity-checked configuration containing the payload URL and installation path," the company said.

If the malware cannot verify that it is running on its intended target, it quietly shuts itself down.

Malware Capabilities Include Credential Theft and Persistence

Once installed, the malware can steal browser credentials and Keychain data, monitor clipboard contents, establish persistence, and send stolen information to a remote command-and-control server using encrypted communications.

The malware attempts to expand its access by displaying a fake Finder alert asking users to grant Full Disk Access. The prompt can appear up to 40 minutes after infection, making it less likely that users will associate it with the original download. If approved, the malware can access protected data, including Mail, Messages, and Time Machine backups.
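As an added example (not code from Jamf's report or from the malware), the following Python rule set flags, in a stream of endpoint events, the three observable traits this article describes: an AppleScript run from a mounted disk image, a process calling itself Finder or Software Update that does not live on the system volume, and Full Disk Access granted to a binary in a user-writable location. The event shape and the sample events are constructed for the example.

```python
"""Defender-side triage rules for the PamStealer traits described above.
Added example: the ProcEvent shape is a hypothetical EDR record, not a
real product schema, and the sample events are constructed."""
from dataclasses import dataclass
from typing import List

@dataclass
class ProcEvent:
    name: str            # process display name as shown to the user
    exe: str             # path of the executable that is running
    target: str = ""     # file the process opened or executed, if any
    fda_granted: bool = False  # TCC Full Disk Access granted to `exe`

IMPERSONATED = {"Finder", "Software Update"}      # names the dropper adopts
SCRIPT_RUNNERS = {"Script Editor", "osascript"}   # how a .scpt gets executed
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/Volumes/")

def findings(ev: ProcEvent) -> List[str]:
    out = []
    # 1. Script Editor / osascript executing a .scpt from a mounted disk image,
    #    matching the Maccy.scpt delivery described in the report.
    if (ev.name in SCRIPT_RUNNERS and ev.target.lower().endswith(".scpt")
            and ev.target.startswith("/Volumes/")):
        out.append("applescript-from-dmg")
    # 2. A process named like a system component that does not run from the
    #    read-only system volume; real Finder / Software Update live under /System.
    if ev.name in IMPERSONATED and not ev.exe.startswith("/System/"):
        out.append("system-name-impersonation")
    # 3. Full Disk Access granted to a binary in a user-writable location, the
    #    outcome of the fake Finder alert the article describes.
    if ev.fda_granted and ev.exe.startswith(USER_WRITABLE):
        out.append("fda-on-unexpected-binary")
    return out

def scan(events: List[ProcEvent]) -> dict:
    """Return {exe: [finding, ...]} for every event that matched a rule."""
    return {ev.exe: f for ev in events if (f := findings(ev))}

# Constructed sample events: one benign Finder launch, one suspicious script
# run from a DMG, and one impersonating binary that obtained Full Disk Access.
SAMPLE = [
    ProcEvent("Finder", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"),
    ProcEvent("Script Editor", "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
              target="/Volumes/Maccy/Maccy.scpt"),
    ProcEvent("Finder", "/Users/alice/Library/Application Support/.cache/Finder", fda_granted=True),
]

if __name__ == "__main__":
    for exe, hits in scan(SAMPLE).items():
        print(exe, "->", ", ".join(hits))
```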

According to Bradley, Jamf has not observed any evidence that PamStealer is active in the wild. The company notified Apple of its findings. Apple did not immediately respond to a request for comment by Decrypt.

Jamf Identifies Related X Platform Campaign

Jamf said it is seeing similar social engineering techniques spread to other platforms. In an X post last week, the company said it was investigating a sponsored advertisement on X promoting DynamicLake that redirected users to dynamicmacisland[.]com, where they were instructed to open Terminal and execute an installation command.

"The advertisement was delivered through a verified X account, adding another layer of trust to the social engineering," the firm wrote. "Analysis of the payload revealed a recent Atomic (MacSync) Stealer variant."

Discovery Reflects Broader Malware Trend

The findings come as attackers increasingly disguise malware as legitimate software and abuse trusted developer platforms and advertising channels. Recent campaigns have included a fake OpenAI repository that reached the top of Hugging Face's trending projects before distributing a Rust-based infostealer, a malicious Visual Studio Code extension that GitHub said exposed roughly 3,800 internal repositories, and the Shai-Hulud software supply-chain campaign targeting development tools used by AI companies including OpenAI and Mistral AI.

FAQ

What is PamStealer malware and how does it target Mac users?

PamStealer is a Rust-based macOS infostealer identified by Jamf Threat Labs that poses as the open-source clipboard manager Maccy. The malware is distributed through a fake website that delivers a malicious AppleScript file. It validates victims' login passwords through macOS Pluggable Authentication Modules (PAM) before stealing browser credentials and Keychain data and monitoring clipboard contents.

How does PamStealer avoid detection by security tools?

According to Jamf Threat Labs, PamStealer uses JavaScript for Automation and native macOS APIs to download a second-stage payload without relying on common shell utilities such as curl or zsh, reducing the number of processes security tools can observe. The malware also derives a key from the host's fingerprint to unlock an encrypted configuration, and shuts itself down if it cannot verify it is running on its intended target.

Has Jamf observed PamStealer being used in active attacks?

According to Jamf Threat Labs Director Jaron Bradley, Jamf has not observed any evidence that PamStealer is active in the wild. The company notified Apple of its findings, but Apple did not immediately respond to a request for comment by Decrypt.
