PamStealer macOS Infostealer Uses Rust Payload to Validate and Steal Passwords
A newly discovered macOS infostealer, dubbed PamStealer, disguises itself as the popular open-source clipboard manager Maccy while quietly harvesting credentials, browser data, and clipboard contents

A newly discovered macOS infostealer, dubbed PamStealer, disguises itself as the popular open-source clipboard manager Maccy while quietly harvesting credentials, browser data, and clipboard contents through a two-stage attack chain. Researchers at Jamf Threat Labs traced the malware’s name to its most distinctive trait: it validates stolen passwords locally through the macOS Pluggable Authentication Modules […] The post PamStealer macOS Infostealer Uses Rust Payload to Validate and Steal Passwords appeared first on Cyber Security News.
A newly discovered macOS infostealer, dubbed PamStealer, disguises itself as the popular open-source clipboard manager Maccy while quietly harvesting credentials, browser data, and clipboard contents through a two-stage attack chain. Researchers at Jamf Threat Labs traced the malware’s name to its most distinctive trait: it validates stolen passwords locally through the macOS Pluggable Authentication Modules (PAM) API before exfiltrating them, avoiding the shell-based verification commands like dscl or security that commodity stealers typically rely on. PamStealer arrives via a disk image containing a compiled AppleScript file named Maccy.scpt, hosted on the typosquatting domain maccyapp[.]com. Typosquatting domain (Source: Jamf) PamStealer macOS Infostealer The lure text embeds homoglyphs, Cyrillic and Greek characters that look identical to Latin letters, so the branding appears legitimate to a human reader while defeating simple string-matching detections. When opened, the file displays instructions urging the victim to press Command+R to run the script, and this single action executes an embedded JavaScript for Automation payload that quietly does the real work. That JXA downloader derives an encryption key from device fingerprinting, factoring in CPU architecture, locale, keyboard layout, and time zone, in order to unlock a hidden configuration file that only opens correctly on Apple silicon, causing the malware to silently terminate on Intel Macs. It also checks the system against a list of CIS-region signals, including Russian, Belarusian, and Kazakh locales, time zones, and keyboard layouts, aborting execution if any match is found, which hints at the operator’s likely origin. Once the checks pass, it retrieves the second-stage payload using native NSURLSession calls rather than command-line tools like curl, then stages it into a fake bundle disguised as Finder.app or Software Update.app, ad-hoc signs it, and launches it hidden from the Dock. The payload itself is a stripped-down arm64 Mach-O binary written in Rust, a language choice still uncommon among macOS stealers, which typically favor Swift, Go, or Objective-C. It pulls credentials directly from browser and crypto-wallet databases via bundled SQLite calls, and it accesses Keychain data by loading Security.framework at runtime instead of linking it statically, which keeps the capability hidden from casual binary analysis. Clipboard contents are captured by repeatedly spawning the pbpaste utility at irregular intervals. The password theft itself unfolds through a convincing fake system dialog that asks the user to authorize changes, with the entered value validated live via pam_authenticate, re-prompting on any failed attempt until a correct password is confirmed. For persistence, the malware registers itself via both the modern SMAppService API and a dropped helper binary that uses the legacy login items list, giving it redundant footholds. push for full disk access (Source: Jamf) Jamf stated that later attempts to coerce Full Disk Access through a delayed, counterfeit system alert that can appear up to forty minutes after launch, timed specifically to avoid raising suspicion. Stolen data is sent to avenger-sync[.]live/api/sync using ChaCha20-Poly1305 encryption with runtime-generated keys that are never written to disk. Analysts recovered a live key through memory debugging and decrypted a server-side configuration referencing Ethereum RPC endpoints, a connection later confirmed in live network traffic, suggesting possible resilient command-and-control or wallet reconnaissance. IndicatorTypeDescriptionmaccyapp[.]comDomainFake distribution site impersonating the Maccy clipboard manageravenger-sync[.]liveDomainCommand-and-control (C2) domain, fronted by Cloudflarehttps://avenger-sync[.]live/api/syncURLC2 exfiltration endpoint for ChaCha20-Poly1305 encrypted dataMaccy.scptFile nameFirst-stage compiled AppleScript dropper delivered via disk imageFinder.app (com.apple.finder.core)File path/nameFake bundle masquerading as system Finder for the second-stage stealer/private/tmp/System SettingsFile pathEmbedded ~34KB arm64 helper binary used for login item persistenceethereum-rpc.publicnode[.]comDomainEthereum RPC endpoint confirmed contacted in live C2 traffic Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. The post PamStealer macOS Infostealer Uses Rust Payload to Validate and Steal Passwords appeared first on Cyber Security News.
Join the Discussion
Comments coming soon. Follow us on social media for real-time discussions.


