Security researchers at Jamf Threat Labs have identified a sophisticated new strain of macOS malware, dubbed PamStealer, that impersonates the legitimate open-source clipboard tool “Maccy” to infiltrate systems, harvest login credentials, and exfiltrate sensitive data — all while evading many of the detection methods commonly used against commodity Mac malware.

The malware, disclosed publicly on July 2, 2026, takes its name from one of its most distinctive behaviors: rather than simply capturing whatever a victim types, PamStealer validates the stolen password in real time through macOS’s own Pluggable Authentication Modules (PAM) — the same system the operating system itself relies on to check logins. Only once the entered password is confirmed genuine does the malware proceed, discarding failed attempts and re-prompting until it captures a working credential.

Distribution begins with a disk image hosted on a fake website, maccyapp[.]com, built to mimic the real Maccy project. Inside is a file named Maccy.scpt — a compiled AppleScript that opens automatically in Apple’s built-in Script Editor. The lure text asks the victim to press Cmd+R or click Run, a simple instruction that triggers the entire infection chain. Notably, this technique works even on files still carrying Apple’s quarantine flag, a security marker meant to warn users about internet downloads. Researchers also found that the malware’s on-screen branding uses look-alike Greek and Cyrillic characters in place of ordinary Latin letters, a trick designed to defeat simple text-based detection while remaining invisible to the human eye.

Once triggered, the script functions as a first-stage dropper. Instead of relying on common command-line tools that security software often monitors, it uses native Apple programming interfaces to fetch its second payload directly, generating far less suspicious activity than typical Mac malware. Before doing so, it fingerprints the host device — checking processor type, keyboard layout, system language, and time zone — and uses this fingerprint to unlock an encrypted configuration file. Devices located in Russia, Belarus, Kazakhstan, and several neighboring countries are deliberately excluded, a pattern researchers say suggests the operators are based in that region and avoiding local law enforcement attention.

The dropper then installs a second, more dangerous component: a Rust-programmed executable disguised as a legitimate system process, most often named “Finder.” Rust remains an unusual choice among Mac malware authors, who typically favor Swift, Go, or Objective-C, and its use here appears intended to further complicate analysis. This second stage carries out the actual theft — reading stored browser passwords, cookies, and cryptocurrency wallet data, accessing the Keychain, and repeatedly capturing clipboard contents, a common target given how often users copy passwords and crypto wallet addresses.

To obtain the all-important system password, the malware displays a convincing fake authorization prompt styled to look exactly like a genuine macOS request. After a valid password is captured, it shows a second, deceptive message claiming the app is “damaged” and should be moved to the Trash — encouraging the victim to delete the evidence, unaware that the theft has already occurred. In some cases, the malware later displays a third fake alert claiming Finder has lost access to protected files, tricking victims into manually granting it Full Disk Access, which would expose data including Mail, Messages, and Time Machine backups.

For persistence, PamStealer registers itself through two separate mechanisms, including a small embedded helper program that mimics System Settings, ensuring the infection survives reboots. Stolen data is encrypted using ChaCha20-Poly1305 and sent to a remote server, which researchers were able to partially decode, revealing configuration data referencing public Ethereum blockchain endpoints — a detail that may point to further command-and-control resilience or cryptocurrency-focused reconnaissance.

Jamf researchers note that while disk-image and AppleScript-based lures are increasingly common on macOS, PamStealer’s combination of a self-contained scripted dropper, a Rust-based payload, and locally verified password theft marks a notable evolution in the sophistication of Mac-targeted malware. Users are advised to avoid opening unsolicited .scpt files, verify software downloads through official channels only, and treat unexpected system password prompts with suspicion.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de

Leave a Reply

Your email address will not be published. Required fields are marked *

WordPress Cookie Notice by Real Cookie Banner