Malware

PamStealer: New macOS Infostealer Disguises Itself as the Maccy Clipboard Manager

dark6 6 July 2026
Read Time:3 Minute, 15 Second

Jamf Threat Labs has identified a new macOS infostealer, dubbed PamStealer, that disguises itself as Maccy, a genuinely popular open-source clipboard manager, in order to silently harvest credentials, clipboard contents, and browser data from infected Macs.

A Two-Stage Infection Chain Built to Blend In

The attack begins with a disk image file named “Maccy.dmg” containing a compiled AppleScript file. When a victim opens it, the file displays innocuous-looking instructions asking the user to click Run — a simple social-engineering step that triggers the hidden malicious code.

Rather than relying on common, easily flagged tools like curl or shell scripts, the first-stage AppleScript executes a JavaScript for Automation (JXA) payload that calls native macOS APIs such as NSURLSession directly. That choice reduces visible system activity and helps the dropper avoid raising suspicion from security tooling that watches for typical command-line download patterns.

The dropper then fetches a second-stage payload and installs it while masquerading as a legitimate system component, such as Finder or Software Update, to further blend into the operating system.

Environment-Aware and Region-Selective

Before fully executing, PamStealer performs environment checks, generating a unique fingerprint based on CPU architecture, locale, and time zone. If a device does not match its expected target profile, the malware quietly exits without doing anything further. It also specifically avoids systems configured for Russia and neighboring countries, checking language settings and keyboard layouts — a pattern often associated with threat actors seeking to avoid prosecution in their home region.

A Rust-Based Payload With a Convincing Password Trick

The second stage is a Rust-based Mach-O binary, a relatively uncommon choice in macOS malware that can complicate analysis. Once active, it:

  • Accesses browser SQLite databases to extract stored passwords, cookies, and cryptocurrency wallet data
  • Dynamically loads macOS Security framework functions to reach Keychain data without exposing that capability to static analysis
  • Continuously monitors the clipboard via the built-in pbpaste utility, capturing passwords, tokens, or crypto addresses copied by the user
  • Displays a convincing fake system password prompt, then validates the entered password locally through macOS’s Pluggable Authentication Modules (PAM) — ensuring it only captures genuinely correct credentials while avoiding suspicious system calls

For persistence, PamStealer registers itself as a login item using both modern and legacy macOS APIs, and drops a helper binary disguised as “System Settings.” It also displays fake system alerts designed to trick victims into granting Full Disk Access, dramatically expanding its ability to read protected files.

Command-and-Control Over Blockchain Infrastructure

PamStealer communicates with a command-and-control server at a domain masquerading as a legitimate service, encrypting exfiltrated data with ChaCha20-Poly1305 inside JSON requests. Notably, researchers observed the malware connecting to public Ethereum RPC endpoints, suggesting it may lean on blockchain infrastructure for resilient C2 or payload retrieval that is harder to take down than a traditional server.

Indicators of compromise include suspicious domains impersonating legitimate services and file paths designed to mimic macOS system directories, such as fake entries under ~/Library/Application Support/.

Recommendations for Mac Users and IT Teams

  • Only download clipboard managers and similar utilities directly from the Mac App Store or verified developer websites — never from disk images linked in ads, forums, or unsolicited messages
  • Treat any application that asks you to manually approve running a script inside a disk image with suspicion
  • Be skeptical of unexpected system password prompts, especially ones that appear shortly after installing new software
  • Review login items and installed profiles periodically for unrecognized entries
  • Deploy endpoint detection tooling capable of flagging unusual Keychain access and clipboard-monitoring behavior

PamStealer reflects a broader trend in macOS threats: attackers combining native APIs, uncommon language runtimes like Rust, and carefully engineered social engineering to build malware that is quieter and harder to catch than the smash-and-grab stealers of a few years ago.

Leave a Reply

💬 [[ unisciti alla discussione! ]]


Se vuoi commentare su PamStealer: New macOS Infostealer Disguises Itself as the Maccy Clipboard Manager, utilizza la discussione sul Forum.
Condividi esempi, IOCs o tecniche di detection efficaci nel nostro 👉 forum community