New PamStealer Malware Mimics Maccy App, Uses PAM to Steal Passwords
A newly discovered macOS infostealer, dubbed PamStealer, is disguising itself as the popular open-source clipboard manager Maccy while quietly harvesting credentials, browser data, and clipboard contents through a sophisticated two-stage attack chain.
Researchers at Jamf Threat Labs traced the malware’s name to its most distinctive trait: it validates stolen passwords locally through the macOS Pluggable Authentication Modules (PAM) API before exfiltrating them, avoiding shell-based verification commands like dscl or security that commodity stealers typically rely on.
PamStealer arrives via a disk image containing a compiled AppleScript file named Maccy.scpt, hosted on the typosquatting domain maccyapp[.]com.

New PamStealer Malware Mimics Maccy App
The lure text embeds homoglyphs Cyrillic and Greek characters that look identical to Latin letters so the branding appears legitimate to victims while defeating simple string-matching detections.
When opened, the file instructs victims to press Command+R, triggering an embedded JavaScript for Automation (JXA) payload.
This downloader derives an encryption key from device fingerprinting (CPU architecture, locale, keyboard layout, and time zone) to unlock a hidden configuration file that only decrypts on Apple silicon, causing the malware to silently terminate on Intel Macs.
Notably, the malware checks for CIS-region signals Russian, Belarusian, and Kazakh locales, time zones, and keyboard layouts aborting execution if any match is found, hinting at the likely origin of its operators.
Once checks pass, the malware retrieves its second-stage payload using native NSURLSession calls, staging it into a fake bundle disguised as Finder.app or Software Update.app. It’s ad-hoc signed and launched hidden from the Dock.
The payload is a stripped-down arm64 Mach-O binary written in Rust an uncommon language choice for macOS stealers, which typically favor Swift, Go, or Objective-C.
It extracts credentials from browser and crypto-wallet databases via SQLite calls and accesses Keychain data by loading Security.framework at runtime, evading casual binary analysis. Clipboard contents are captured by repeatedly spawning pbpaste at irregular intervals.
Password theft occurs through a convincing fake system dialog validated live via pam_authenticate, re-prompting until a correct password is entered.

Jamf noted the malware later coerces Full Disk Access through a delayed, counterfeit system alert appearing up to 40 minutes post-launch timed to avoid suspicion.
For persistence, PamStealer registers via both the modern SMAppService API and a dropped helper binary using the legacy login items list, ensuring redundant footholds.
Stolen data is sent to avenger-sync[.]live/api/sync using ChaCha20-Poly1305 encryption with runtime-generated keys never written to disk.
Analysts recovered a live key through memory debugging, decrypting a server-side configuration referencing Ethereum RPC endpoints later confirmed in live network traffic, suggesting resilient C2 infrastructure or wallet reconnaissance.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| maccyapp[.]com | Domain | Fake distribution site impersonating Maccy |
| avenger-sync[.]live | Domain | C2 domain, fronted by Cloudflare |
| avenger-sync[.]live/api/sync | URL | C2 exfiltration endpoint |
| Maccy.scpt | File name | First-stage AppleScript dropper |
| Finder.app (com.apple.finder.core) | File path | Fake bundle for second-stage stealer |
| /private/tmp/System Settings | File path | ~34KB arm64 helper for persistence |
| ethereum-rpc.publicnode[.]com | Domain | Confirmed Ethereum RPC endpoint |
Note: IPs and domains are defanged to prevent accidental resolution. Re-fang only within controlled platforms such as MISP, VirusTotal, or your SIEM.
No Comment! Be the first one.