PamStealer Mimics Maccy, Silently Harvests Data
Key Takeaways
- A new macOS infostealer, PamStealer, has been identified, camouflaged as the popular Maccy clipboard manager.
- The malware employs a two-stage infection process, leveraging AppleScript and a Rust-based payload to evade detection and exfiltrate sensitive data.
- PamStealer steals credentials, monitors clipboard activity, and establishes persistence, notably using macOS Pluggable Authentication Modules (PAM) for password validation.
- No specific fix or CVE is mentioned; vigilance against suspicious disk images and user prompts is crucial.
PamStealer: A Stealthy macOS Infostealer Mimicking Maccy
A sophisticated new macOS information stealer, dubbed PamStealer, has emerged, expertly masquerading as the widely used open-source clipboard manager, Maccy. This malware operates with a high degree of stealth, silently siphoning off sensitive user data without immediate detection.
The discovery was made by Jamf Threat Labs, who detailed a two-stage infection chain engineered to bypass security measures and blend seamlessly into typical macOS operations.
The Two-Stage Infection Process
The attack initiates with a malicious disk image file named “Maccy.dmg.” This file contains a compiled AppleScript file (.scpt). Upon execution, the user encounters seemingly benign instructions, prompting them to click “Run.” This social engineering tactic cleverly activates the embedded malicious code hidden within the script.
In its initial phase, the AppleScript functions as a lightweight dropper. Unlike many conventional malware droppers that rely on common command-line utilities like curl or zsh, PamStealer utilizes a JavaScript for Automation (JXA) payload. This payload is executed through native macOS APIs, specifically NSURLSession. This method significantly reduces visible system activity, thereby lowering the chances of triggering suspicion or detection. The script then proceeds to download a second-stage payload, installing it onto the system, often disguised as a legitimate macOS component such as Finder or Software Update.
Advanced Evasion and Data Exfiltration
PamStealer incorporates environment-aware checks before fully executing its malicious routines. It generates a unique identifier based on various system attributes, including CPU architecture, locale settings, and time zone. If these characteristics do not align with its predefined profile, the malware terminates silently. Furthermore, it actively avoids systems located in specific geographical regions, including Russia and neighboring countries, by analyzing language settings and keyboard layouts.
The second stage of the attack involves a Rust-based Mach-O binary, a choice of language that is relatively uncommon in macOS malware. This infostealer is capable of a broad spectrum of malicious activities, encompassing credential theft, continuous clipboard monitoring, and data exfiltration.
It systematically accesses browser databases via SQLite to extract stored passwords, cookies, and wallet information. To access Keychain data without revealing its full capabilities during static analysis, PamStealer dynamically loads macOS Security frameworks.
A particularly noteworthy feature of PamStealer is its sophisticated password harvesting technique. The malware presents a fabricated system prompt, coercing the user into entering their password. Crucially, it then validates this password locally using macOS Pluggable Authentication Modules (PAM). This ensures that only legitimate credentials are captured, a method that circumvents suspicious system calls and minimizes opportunities for detection.
Clipboard data is subjected to continuous surveillance using the built-in pbpaste utility. The malware repeatedly captures the contents of the clipboard at irregular intervals, potentially harvesting sensitive information such as passwords, authentication tokens, or cryptocurrency addresses.
Persistence and Command-and-Control
For persistence, PamStealer registers itself as a login item, utilizing both modern and legacy macOS APIs. It also deploys a helper binary disguised as “System Settings” to bolster its persistence mechanisms. Moreover, the malware attempts to trick users into granting Full Disk Access through deceptive system alerts, thereby expanding its ability to access protected files.
The malware establishes communication with its command-and-control (C2) server located at avenger-sync[.]live. It exfiltrates encrypted data using ChaCha20-Poly1305 within JSON requests. Jamf Threat Labs observed connections to public Ethereum RPC endpoints, suggesting that the malware might leverage blockchain infrastructure for resilient command-and-control operations or payload retrieval.
Several Indicators of Compromise (IOCs) have been identified, including suspicious domains such as api.sync-master[.]online and avngr.netlify[.]app, alongside file paths that mimic legitimate macOS system directories, for instance, ~/Library/Application Support/com.apple.finder.core/.
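The behaviours described above (repeated pbpaste spawns from an unusual parent, a binary living under the mimicking com.apple.finder.core path, and connections to the named C2 domains) can be turned into simple hunt logic. The following is an added example written for this article, not code from Jamf Threat Labs or HackersRadar; the telemetry format, the sample log lines and the benign-parent allow-list are constructed assumptions.

```python
"""Triage helper (added example): scan constructed endpoint telemetry lines for
the PamStealer behaviours the write-up describes."""
import re
from collections import defaultdict

# IOC domains and the mimicking path named in the report (defanging brackets removed).
IOC_DOMAINS = {"avenger-sync.live", "api.sync-master.online", "avngr.netlify.app"}
IOC_PATH_RE = re.compile(r"Library/Application Support/com\.apple\.finder\.core/")
# Parents for which repeated pbpaste is ordinary (assumption: allow-list for this example).
BENIGN_PBPASTE_PARENTS = {"Terminal", "iTerm2", "zsh", "bash"}
PBPASTE_THRESHOLD = 3  # flag a parent once it has spawned pbpaste this many times

# Constructed sample telemetry, one event per line: "<ts> <kind> <parent> <detail>".
SAMPLE_LOG = """\
1700000001 exec Terminal /usr/bin/pbpaste
1700000005 exec Finder /usr/bin/pbpaste
1700000012 exec Finder /usr/bin/pbpaste
1700000019 exec Finder /usr/bin/pbpaste
1700000020 exec launchd /Users/alice/Library/Application Support/com.apple.finder.core/Finder
1700000021 net Finder avenger-sync.live:443
1700000022 net Safari www.apple.com:443
"""


def triage(log_text):
    """Return a list of (reason, parent, detail) findings for the telemetry text."""
    findings = []
    pbpaste_count = defaultdict(int)
    for line in log_text.splitlines():
        _ts, kind, parent, detail = line.split(" ", 3)  # detail may contain spaces
        if kind == "exec" and detail.endswith("/pbpaste"):
            # Clipboard polling from a non-terminal parent is the surveillance pattern described.
            pbpaste_count[parent] += 1
            if pbpaste_count[parent] == PBPASTE_THRESHOLD and parent not in BENIGN_PBPASTE_PARENTS:
                findings.append(("repeated clipboard reads", parent, detail))
        if kind == "exec" and IOC_PATH_RE.search(detail):
            findings.append(("executable in mimicking system path", parent, detail))
        if kind == "net":
            host = detail.rsplit(":", 1)[0]
            if host in IOC_DOMAINS:
                findings.append(("connection to known C2 domain", parent, host))
    return findings


if __name__ == "__main__":
    for reason, parent, detail in triage(SAMPLE_LOG):
        print(f"[{reason}] parent={parent} detail={detail}")
```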
PamStealer underscores the increasing sophistication of threats targeting macOS. By integrating native APIs, Rust-based payloads, and advanced social engineering tactics, attackers are developing quieter and more effective malware that poses significant challenges for traditional detection methods.
What You Should Do
- Exercise Caution with Downloads: Only download software from official sources (e.g., App Store, developer websites) and verify the integrity of disk images before opening.
- Be Skeptical of Prompts: Be highly suspicious of any unexpected system prompts asking for your password, especially after opening a new application. Verify the legitimacy of the prompt through macOS system settings if unsure.
- Maintain Up-to-Date Systems: Ensure your macOS is always running the latest version with all security patches applied.
- Use Endpoint Protection: Deploy robust endpoint detection and response (EDR) solutions capable of monitoring for unusual activity and behavior on macOS devices.
- Educate Users: Regularly train users on identifying social engineering tactics, phishing attempts, and suspicious software behavior.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.