PamStealer Poses as Maccy to Steal macOS Passwords and Other Data

Security researchers have identified a new macOS infostealer, dubbed PamStealer, that uses a fake website, a staged AppleScript dropper, and local password verification to quietly compromise Mac users...

Security researchers have identified a new macOS infostealer, dubbed PamStealer, that uses a fake website, a staged AppleScript dropper, and local password verification to quietly compromise Mac users.

According to Jamf Threat Labs, the campaign begins with a disk image that appears to offer the Maccy clipboard manager. In reality, the download comes from a lookalike domain designed to resemble the legitimate project site. Inside the image is a compiled AppleScript file that launches a JavaScript for Automation downloader and retrieves a second-stage payload from attacker infrastructure.

How the infection chain works

The first-stage script includes several checks before it proceeds. Researchers said it fingerprints the target system, verifies that it is running on Apple Silicon, and uses the collected system details to decrypt an embedded configuration file. If the machine is running Intel-based hardware, the decryption fails and the infection stops.

The dropper also attempts to avoid sandboxes and analysis setups, and it can refuse to run in environments associated with a list of Eastern European countries based on locale, keyboard layout, and time zone settings.

What the malware steals

If the checks succeed, the script downloads a Rust-based Mach-O binary that pretends to be Finder. This component is responsible for collecting data from multiple sources, including:

  • Web browsers
  • Cryptocurrency wallet extensions
  • iCloud Keychain
  • Clipboard contents

The stolen information is encrypted and sent to attacker-controlled servers over HTTP. The malware also tries to gain broad file system access and shows a fake password prompt to capture the victim’s login credentials.

A notable feature of the campaign is its use of the macOS Pluggable Authentication Modules, or PAM, to confirm whether the entered password is valid. If the first attempt fails, the prompt repeats until the correct password is provided.

Fake error message hides the compromise

After the password is captured, the malware displays a counterfeit warning that says the Maccy app is damaged and should be moved to the Trash. Jamf said this message is meant to make the victim think the download was broken, even though the payload has already executed and persistence has been set up.

The discovery has also prompted Maccy’s developer to warn users about imitation sites. The legitimate project page remains maccy.app, while domains such as maccyapp[.]com and maccyapp[.]net have been associated with malware distribution.

Researchers say PamStealer reflects a broader trend in macOS threats: more native components, quieter execution, and fewer obvious indicators that defenders can easily catch.