PamStealer Mimics Maccy, Silently Harvests Data

Marcus Rodriguez
July 4, 2026

Key Takeaways

  • A new macOS infostealer, PamStealer, has been identified, camouflaged as the popular Maccy clipboard manager.
  • The malware employs a two-stage infection process, leveraging AppleScript and a Rust-based payload to evade detection and exfiltrate sensitive data.
  • PamStealer steals credentials, monitors clipboard activity, and establishes persistence, notably using macOS Pluggable Authentication Modules (PAM) for password validation.
  • No specific fix or CVE is mentioned; vigilance against suspicious disk images and user prompts is crucial.

PamStealer: A Stealthy macOS Infostealer Mimicking Maccy

A sophisticated new macOS information stealer, dubbed PamStealer, has emerged, expertly masquerading as the widely used open-source clipboard manager, Maccy. This malware operates with a high degree of stealth, silently siphoning off sensitive user data without immediate detection.

Table Of Content

  • Key Takeaways
  • PamStealer: A Stealthy macOS Infostealer Mimicking Maccy
  • The Two-Stage Infection Process
  • Advanced Evasion and Data Exfiltration
  • Persistence and Command-and-Control
  • What You Should Do

The discovery was made by Jamf Threat Labs, who detailed a two-stage infection chain meticulously engineered to bypass security measures and blend seamlessly into typical macOS operations.

The Two-Stage Infection Process

The attack initiates with a malicious disk image file named “Maccy.dmg.” This file contains a compiled AppleScript file (.scpt). Upon execution, the user encounters seemingly benign instructions, prompting them to click “Run.” This social engineering tactic cleverly activates the embedded malicious code hidden within the script.

In its initial phase, the AppleScript functions as a lightweight dropper. Unlike many conventional malware droppers that rely on common command-line utilities like curl or zsh, PamStealer utilizes a JavaScript for Automation (JXA) payload. This payload is executed through native macOS APIs, specifically NSURLSession. This method significantly reduces visible system activity, thereby lowering the chances of triggering suspicion or detection. The script then proceeds to download a second-stage payload, installing it onto the system, often disguised as a legitimate macOS component such as Finder or Software Update.

Advanced Evasion and Data Exfiltration

PamStealer incorporates environment-aware checks before fully executing its malicious routines. It generates a unique identifier based on various system attributes, including CPU architecture, locale settings, and time zone. If these characteristics do not align with its predefined profile, the malware terminates silently. Furthermore, it actively avoids systems located in specific geographical regions, including Russia and neighboring countries, by analyzing language settings and keyboard layouts.

The second stage of the attack involves a Rust-based Mach-O binary, a choice of language that is relatively uncommon in macOS malware. This infostealer is capable of a broad spectrum of malicious activities, encompassing credential theft, continuous clipboard monitoring, and data exfiltration.

It systematically accesses browser databases via SQLite to extract stored passwords, cookies, and wallet information. To access Keychain data without revealing its full capabilities during static analysis, PamStealer dynamically loads macOS Security frameworks.

A particularly noteworthy feature of PamStealer is its sophisticated password harvesting technique. The malware presents a fabricated system prompt, coercing the user into entering their password. Crucially, it then validates this password locally using macOS Pluggable Authentication Modules (PAM). This ensures that only legitimate credentials are captured, a method that circumvents suspicious system calls and minimizes opportunities for detection.

Clipboard data is subjected to continuous surveillance using the built-in pbpaste utility. The malware repeatedly captures the contents of the clipboard at irregular intervals, potentially harvesting sensitive information such as passwords, authentication tokens, or cryptocurrency addresses.

Persistence and Command-and-Control

For persistence, PamStealer registers itself as a login item, utilizing both modern and legacy macOS APIs. It also deploys a helper binary disguised as “System Settings” to bolster its persistence mechanisms. Moreover, the malware attempts to trick users into granting Full Disk Access through deceptive system alerts, thereby expanding its ability to access protected files.

The malware establishes communication with its command-and-control (C2) server located at avenger-sync[.]live. It exfiltrates encrypted data using ChaCha20-Poly1305 within JSON requests. Jamf Threat Labs observed connections to public Ethereum RPC endpoints, suggesting that the malware might leverage blockchain infrastructure for resilient command-and-control operations or payload retrieval.

Several Indicators of Compromise (IOCs) have been identified, including suspicious domains such as api.sync-master[.]online and avngr.netlify[.]app, alongside file paths that mimic legitimate macOS system directories, for instance, ~/Library/Application Support/com.apple.finder.core/.
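As an added defender-side example (not code from the report or from Jamf Threat Labs), the script below refangs the domains and the mimic directory listed above and matches them against DNS/proxy log lines and a user's home directory; the log format and the sample lines are constructed assumptions.

```python
import re
from pathlib import Path

# Indicators quoted from the report above (page values, defanged as published)
IOC_DOMAINS_DEFANGED = ["avenger-sync[.]live", "api.sync-master[.]online", "avngr.netlify[.]app"]
IOC_PATHS = ["Library/Application Support/com.apple.finder.core"]  # relative to a user home

def refang(indicator):
    """Turn a defanged domain such as 'avenger-sync[.]live' into a matchable hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

def host_matches(host):
    """Return the matching IOC if host equals it or is a subdomain of it, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

# Hostname candidates in free-form log text; the TLD must be alphabetic so IPs are skipped
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.IGNORECASE)

def scan_log(lines):
    """Return (line_number, ioc_domain) for each line that references an IOC domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            ioc = host_matches(m.group(1))
            if ioc:
                hits.append((n, ioc))
                break  # one hit per line is enough for triage
    return hits

def scan_home(home):
    """Return the mimic directories from the report that exist under the given home directory."""
    home = Path(home)
    return [str(home / p) for p in IOC_PATHS if (home / p).is_dir()]

# Constructed sample log lines (not from the report) in an assumed dns/proxy style format
SAMPLE_LOG = [
    "Jul 4 10:01:02 mac dns: query[A] api.sync-master.online from 10.0.0.5",
    "Jul 4 10:01:03 mac proxy: CONNECT https://avenger-sync.live:443 200",
    "Jul 4 10:01:04 mac dns: query[A] www.apple.com from 10.0.0.5",
    "Jul 4 10:01:05 mac proxy: GET https://cdn.avngr.netlify.app/x 200",
]

if __name__ == "__main__":
    for n, ioc in scan_log(SAMPLE_LOG):
        print(f"line {n}: matches IOC domain {ioc}")
```

Run scan_home(Path.home()) on a macOS host to check for the mimic directory; subdomain matching is deliberate so that hosts such as cdn.avngr.netlify.app are still flagged.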

PamStealer underscores the increasing sophistication of threats targeting macOS. By integrating native APIs, Rust-based payloads, and advanced social engineering tactics, attackers are developing quieter and more effective malware that poses significant challenges for traditional detection methods.

What You Should Do

  • Exercise Caution with Downloads: Only download software from official sources (e.g., App Store, developer websites) and verify the integrity of disk images before opening.
  • Be Skeptical of Prompts: Be highly suspicious of any unexpected system prompts asking for your password, especially after opening a new application. Verify the legitimacy of the prompt through macOS system settings if unsure.
  • Maintain Up-to-Date Systems: Ensure your macOS is always running the latest version with all security patches applied.
  • Use Endpoint Protection: Deploy robust endpoint detection and response (EDR) solutions capable of monitoring for unusual activity and behavior on macOS devices.
  • Educate Users: Regularly train users on identifying social engineering tactics, phishing attempts, and suspicious software behavior.
