Researchers have identified PamStealer, a previously unseen macOS malware family distributed through fake websites impersonating the legitimate Maccy clipboard manager. The infection begins with a trojanized disk image and a compiled AppleScript lure that instructs the user to open it in Script Editor and press Command-R, which runs the script. Because the code executes inside Script Editor rather than as a launched application, the Gatekeeper assessment that the com.apple.quarantine attribute would normally trigger does not apply to it. The script then deploys a Rust-based second stage that downloads further payloads; steals browser data, clipboard contents, iCloud Keychain data and login credentials; and exfiltrates everything to attacker-controlled infrastructure over encrypted command-and-control channels.
PamStealer stands out for validating stolen passwords locally through the macOS Pluggable Authentication Modules (PAM) API: it checks what the victim types against the local account and re-prompts until the correct password is entered, so only a verified credential is exfiltrated. Researchers said the malware is environment-aware: it targets Apple Silicon systems, avoids analysis environments, and skips devices tied to several Eastern European locales and time zones. It also delays Full Disk Access prompts, establishes persistence, and hides its app bundles behind names that impersonate Finder or Software Update components, while displaying decoy error messages so the victim believes the fake application simply failed to launch.
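The local password check described above, as an added example that is not the malware's code and not taken from the researchers' report: a ctypes binding to the PAM API (pam_start, pam_authenticate, pam_end) whose conversation callback answers every password prompt with the candidate string, plus the re-prompt loop that keeps asking until PAM accepts the password. The service name "login" and the use of the current user's account are assumptions; the page does not say which PAM service or prompt UI PamStealer uses. It runs on macOS (OpenPAM) and on Linux with libpam, and the loop itself is testable without touching PAM.

```python
"""Validate a typed password against the local account through the PAM API.

Added illustration, not PamStealer's own code. Assumes PAM service "login"
and the current user; both are guesses, not facts from the report.
"""
import ctypes
import ctypes.util
import getpass
from ctypes import POINTER, c_char_p, c_int, c_void_p

PAM_SUCCESS = 0
PAM_BUF_ERR = 5          # same value in Linux-PAM and macOS OpenPAM
PAM_PROMPT_ECHO_OFF = 1  # "Password:"-style prompt (input hidden)
PAM_PROMPT_ECHO_ON = 2


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]


class PamResponse(ctypes.Structure):
    # libpam free()s both the array and each resp string, so they must
    # come from the C allocator, never from a Python-owned buffer.
    _fields_ = [("resp", c_void_p), ("resp_retcode", c_int)]


CONV_FUNC = ctypes.CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                             POINTER(POINTER(PamResponse)), c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]


_libc = ctypes.CDLL(None)  # calloc/strdup are already in the process
_libc.calloc.restype = c_void_p
_libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
_libc.strdup.restype = c_void_p
_libc.strdup.argtypes = [c_char_p]


def _load_libpam():
    """Bind the handful of libpam entry points the check needs (lazy, so
    importing this module never requires libpam to be present)."""
    lib = ctypes.CDLL(ctypes.util.find_library("pam") or "libpam.so.0")
    lib.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(c_void_p)]
    lib.pam_start.restype = c_int
    lib.pam_authenticate.argtypes = [c_void_p, c_int]
    lib.pam_authenticate.restype = c_int
    lib.pam_end.argtypes = [c_void_p, c_int]
    lib.pam_end.restype = c_int
    lib.pam_strerror.argtypes = [c_void_p, c_int]
    lib.pam_strerror.restype = c_char_p
    return lib


def _conversation_for(password: bytes):
    """Build a pam_conv callback that answers every password prompt with
    `password`; informational messages get an empty response."""
    def conv(n_msg, msgs, resp_out, _appdata):
        buf = _libc.calloc(n_msg, ctypes.sizeof(PamResponse))
        if not buf:
            return PAM_BUF_ERR
        resps = ctypes.cast(buf, POINTER(PamResponse))
        for i in range(n_msg):
            if msgs[i].contents.msg_style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                resps[i].resp = _libc.strdup(password)  # freed by libpam
        resp_out[0] = resps
        return PAM_SUCCESS
    return CONV_FUNC(conv)


def pam_validate(password: str, user: str = "", service: str = "login"):
    """Return (pam_return_code, message); 0 (PAM_SUCCESS) means the password
    is correct for `user`. Non-zero codes differ between Linux-PAM and
    OpenPAM, so use the message rather than the number for anything else."""
    lib = _load_libpam()
    conv_cb = _conversation_for(password.encode())  # keep alive during the call
    conv = PamConv(conv_cb, None)
    pamh = c_void_p()
    rc = lib.pam_start(service.encode(), (user or getpass.getuser()).encode(),
                       ctypes.byref(conv), ctypes.byref(pamh))
    if rc != PAM_SUCCESS:
        return rc, "pam_start failed"
    rc = lib.pam_authenticate(pamh, 0)
    msg = lib.pam_strerror(pamh, rc) or b""
    lib.pam_end(pamh, rc)
    return rc, msg.decode(errors="replace")


def collect_until_valid(validator, read_input, max_attempts=None):
    """The re-prompt pattern: keep asking until validator(candidate) is True.
    Returns (password, attempts); password is None if the cap was reached."""
    attempts = 0
    while max_attempts is None or attempts < max_attempts:
        candidate = read_input()
        attempts += 1
        if validator(candidate):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    pw, n = collect_until_valid(lambda p: pam_validate(p)[0] == PAM_SUCCESS,
                                lambda: getpass.getpass("Password: "), max_attempts=3)
    print("valid" if pw is not None else "gave up", "after", n, "attempt(s)")
```

From the defender's side, the interesting property is that this check is entirely local: no network request, no Keychain access, and no failed-login entry in any remote system. The conversation callback is the only place user input meets the verifier, so a process that is neither loginwindow, SecurityAgent, sudo nor another expected authenticator loading libpam and repeatedly prompting the interactive user is the kind of behaviour worth a detection rule.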

Timeline, most recent event first:
Technical analysis revealed that PamStealer uses a compiled AppleScript or JXA-based first stage to launch a Rust-based second stage, bypass quarantine protections, establish persistence, and exfiltrate data. Researchers also disclosed that it validates stolen macOS passwords locally through the PAM API, repeatedly prompting victims until the correct password is entered.
Researchers reported a previously unseen macOS information stealer called PamStealer. The malware is disguised as the legitimate Maccy clipboard manager and delivered through fake Maccy-themed distribution sites or disk images.
Sources: hackread.com, thehackernews.com, arstechnica.com, jamf.com