Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Newly Discovered PamStealer Malware: A Sophisticated Infostealer for macOS Devices


PamStealer is a highly sophisticated macOS malware that combines clever tradecraft to infect Mac devices with stealthy, custom-developed credential-stealing code. Its unique delivery surface and Rust-based second stage make it stand out in the evolving landscape of macOS infostealers.

  • PamStealer is a novel piece of malware designed specifically to target Mac devices.
  • The malware is delivered in two stages and incorporates several innovative techniques to infect systems with stealthy, custom-developed credential-stealing code.
  • It uses a self-contained JXA dropper and a Rust-based second stage to achieve its objectives.
  • PamStealer validates target credentials through PAM before sending them to an attacker-controlled server.
  • The malware displays a decoy message if validation fails, disguising its true intentions as a failed installation attempt.
  • It requests Full Disk Access to maximize the information it can steal and contains code designed to access Ethereum accounts.



The cybersecurity landscape has recently witnessed a significant development with the discovery of a novel piece of malware designed specifically to target Mac devices. Dubbed "PamStealer," this malware is not a typical macOS infostealer: it incorporates several innovative and clever pieces of tradecraft to infect systems with stealthy, custom-developed credential-stealing code.

The malware is delivered in two stages. The first stage is a disk image that masquerades as the legitimate clipboard manager Maccy. When a user double-clicks this image, they are prompted to press Command-R immediately after the included script opens in Script Editor. That keystroke executes the malicious code inside the AppleScript directly, which allows it to bypass macOS's quarantine attribute.

PamStealer combines several noteworthy techniques to achieve its objectives:

1. **Use of a Self-Contained JXA Dropper**: The malware employs a self-contained JavaScript for Automation (JXA) dropper that retrieves and stages the payload using native Objective-C APIs. This technique allows PamStealer to execute its malicious functionality more stealthily.

2. **Rust-Based Second Stage**: Unlike most macOS infostealers, which typically use languages like Swift, Go, or Objective-C, PamStealer's second stage is written in Rust. This uncommon choice introduces an additional layer of complexity and sophistication into the malware.

3. **Local Validation of Credentials through PAM**: The malware uses the Pluggable Authentication Modules (PAM) interface to validate the target's login password locally before sending it to an attacker-controlled server. Validating first reduces the amount of network traffic the malware generates, making it harder for security systems to detect.

4. **Decoy Technique**: If the validation fails, PamStealer displays a message stating that the file is damaged and cannot be installed, effectively disguising its true intentions as a failed installation attempt.

5. **Requesting Full Disk Access**: To maximize the information it can steal, the malware asks the target to grant Full Disk Access to the fake Maccy app.

6. **Code Designed to Access Ethereum Accounts**: PamStealer contains code designed to access Ethereum accounts, further expanding its capabilities as an infostealer.

In conclusion, PamStealer represents a significant advancement in macOS malware, showcasing sophisticated techniques that make it harder for security systems to detect and remove. Commodity macOS stealers continue to evolve toward quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features, so users must remain vigilant against such threats.
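As an added defender-side illustration (not code from this article, from Ars Technica, or from the malware analysis they report on), the following triage helper lists script files shipped inside a mounted disk image and reports whether each still carries the com.apple.quarantine attribute, parsing the attribute's flags;timestamp;agent;uuid fields so an analyst can see which files a user could be talked into opening and running from Script Editor. The sample listing, file names and attribute values are constructed, and the set of script extensions is an assumption.

```python
"""Added triage helper: list script files inside a mounted disk image and
report their com.apple.quarantine state."""
import subprocess
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

SCRIPT_EXTS = {".scpt", ".scptd", ".applescript", ".js"}  # assumption: types Script Editor runs
QUARANTINE_XATTR = "com.apple.quarantine"
Finding = Tuple[str, bool, Optional[str]]  # (path, quarantined?, downloading agent)


def parse_quarantine(value: str) -> Dict[str, object]:
    """Parse 'flags;hex-timestamp;agent;uuid'; trailing fields may be absent."""
    parts = value.split(";")
    return {
        "flags": int(parts[0], 16),
        "timestamp": int(parts[1], 16) if len(parts) > 1 and parts[1] else None,
        "agent": parts[2] if len(parts) > 2 else None,
    }


def triage(entries: Iterable[Tuple[str, Dict[str, str]]]) -> List[Finding]:
    """Keep only script files and record whether each still carries the xattr."""
    findings = []
    for path, xattrs in entries:
        if Path(path).suffix.lower() in SCRIPT_EXTS:
            raw = xattrs.get(QUARANTINE_XATTR)
            agent = parse_quarantine(raw)["agent"] if raw else None
            findings.append((path, raw is not None, agent))
    return findings


def scan(root: str) -> List[Finding]:
    """Read real attributes with the macOS `xattr -p` tool (macOS only)."""
    def xattrs_of(p: Path) -> Dict[str, str]:
        r = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, str(p)], capture_output=True, text=True)
        return {QUARANTINE_XATTR: r.stdout.strip()} if r.returncode == 0 else {}
    return triage((str(p), xattrs_of(p)) for p in Path(root).rglob("*") if p.is_file())


# Constructed listing of a fake "Maccy" image; paths and xattr values are made up.
SAMPLE = [
    ("/Volumes/Maccy/Install Maccy.js", {QUARANTINE_XATTR: "0083;6865a1b0;Safari;EXAMPLE-UUID"}),
    ("/Volumes/Maccy/README.txt", {QUARANTINE_XATTR: "0083;6865a1b0;Safari;EXAMPLE-UUID"}),
    ("/Volumes/Maccy/.bg/stage.scpt", {}),
]
```

Run `triage(SAMPLE)` for the constructed listing, or `scan("/Volumes/Maccy")` on a Mac with the image mounted; a script file with no quarantine attribute, or one that is quarantined but still runnable from Script Editor, is the pattern worth a closer look.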



Related Information:
  • https://www.ethicalhackingnews.com/articles/Newly-Discovered-PamStealer-Malware-A-Sophisticated-Infostealer-for-macOS-Devices-ehn.shtml

  • https://arstechnica.com/security/2026/07/new-pamstealer-macos-malware-uses-clever-tradecraft-to-remain-stealthy/


  • Published: Thu Jul 2 16:44:47 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.
