
PamStealer: macOS Malware Verifies Your Password Before Stealing It

A fake clipboard manager, and a password checked before it is stolen: Jamf Threat Labs has published a report on PamStealer, a new infostealer targeting macOS. Its twist is that it confirms the victim's password is valid through the PAM (Pluggable Authentication Modules) framework built into macOS before looting data, and it only runs on Apple Silicon Macs. Here is what we know about this threat.

The PamStealer Threat

On the web, the PamStealer malware impersonates Maccy, an open source clipboard manager popular with macOS users. According to Jamf, the attackers host a fake version of the app on the domain maccyapp[.]com, which closely mimics the legitimate site (maccy.app). Fake websites are nothing new; this is a common technique.

The attack unfolds in two stages. The first stage is a compiled AppleScript (Maccy.scpt) distributed inside a disk image. When opened, macOS loads the file in Script Editor, where fake instructions at the top of the script tell the user to press Cmd+R to begin. Cmd+R is simply Script Editor's Run command, so the victim executes the malware themselves: a textbook ClickFix lure, another widely used technique.

Source: Jamf

That keystroke runs the malicious code hidden further down the file, and according to Jamf researchers it works even when the file still carries the com.apple.quarantine attribute. Gatekeeper evaluates applications and executables being launched; a script run from inside Script Editor is executed by Script Editor itself, an Apple-signed app, and no Terminal window ever opens, so the defenses that would meet a downloaded executable or shell script never come into play.

Rather than using classic shell commands such as curl or zsh (which defenders monitor closely), the script launches a standalone downloader written in JXA (JavaScript for Automation) that retrieves the payload through the native Objective-C APIs exposed to JXA, so no network utility shows up in the process tree. The second stage of the PamStealer chain is a Mach-O binary written in Rust and compiled for arm64 (Apple Silicon) only: on an Intel Mac, Jamf says, the encrypted configuration never unlocks and the program stops.
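When triaging a sample like this, the first question is which architectures the Mach-O actually carries, because a thin arm64 image will not launch on an Intel Mac at all. The following is an added example written for this article (not Jamf's tooling and not code from the sample) that reads the Mach-O and fat headers to answer that question; the two header blobs at the bottom are constructed test inputs, not PamStealer artefacts.

```python
"""Triage helper: which CPU architectures a Mach-O file carries.

Added illustration for this article, not code from Jamf or from the sample.
The byte strings at the bottom are constructed headers, not real artefacts.
"""
import struct

# Magic numbers from <mach-o/loader.h> and <mach-o/fat.h>, as seen when the
# first four bytes of the file are read big-endian.
MH_MAGIC = 0xFEEDFACE      # 32-bit, big-endian file
MH_CIGAM = 0xCEFAEDFE      # 32-bit, little-endian file
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit, big-endian file
MH_CIGAM_64 = 0xCFFAEDFE   # 64-bit, little-endian file (what modern Macs produce)
FAT_MAGIC = 0xCAFEBABE     # universal binary; its header is always big-endian

CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {
    7: "i386",
    7 | CPU_ARCH_ABI64: "x86_64",
    12: "arm",
    12 | CPU_ARCH_ABI64: "arm64",
}


def _cpu_name(cputype: int) -> str:
    return CPU_NAMES.get(cputype, f"unknown(0x{cputype & 0xFFFFFFFF:08x})")


def macho_archs(data: bytes) -> list:
    """Return the list of architectures in a thin or fat Mach-O image."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O header")
    magic = struct.unpack(">I", data[:4])[0]

    if magic == FAT_MAGIC:
        # fat_header: magic, nfat_arch; then nfat_arch * fat_arch, where
        # fat_arch is cputype, cpusubtype, offset, size, align (5 x 32-bit)
        nfat = struct.unpack(">I", data[4:8])[0]
        if nfat > 32:  # Java .class files share CAFEBABE; reject nonsense counts
            raise ValueError("implausible fat_arch count; probably not Mach-O")
        archs = []
        for i in range(nfat):
            off = 8 + 20 * i
            cputype = struct.unpack(">i", data[off:off + 4])[0]
            archs.append(_cpu_name(cputype))
        return archs

    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = ">"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = "<"
    else:
        raise ValueError("not a Mach-O magic")
    # mach_header and mach_header_64 both place cputype right after magic
    cputype = struct.unpack(endian + "i", data[4:8])[0]
    return [_cpu_name(cputype)]


def runs_on_intel(archs: list) -> bool:
    """An image with no x86_64 slice cannot even be launched on an Intel Mac."""
    return "x86_64" in archs


# Constructed inputs (headers only, no load commands or code follow them).
ARM64_THIN = (
    struct.pack("<I", MH_MAGIC_64)             # little-endian on disk
    + struct.pack("<i", 12 | CPU_ARCH_ABI64)   # cputype: arm64
    + struct.pack("<i", 0)                     # cpusubtype
    + struct.pack("<I", 2)                     # filetype: MH_EXECUTE
    + struct.pack("<IIII", 0, 0, 0, 0)         # ncmds, sizeofcmds, flags, reserved
)
FAT_UNIVERSAL = (
    struct.pack(">II", FAT_MAGIC, 2)
    + struct.pack(">iiIII", 7 | CPU_ARCH_ABI64, 3, 0x4000, 0x1000, 14)   # x86_64 slice
    + struct.pack(">iiIII", 12 | CPU_ARCH_ABI64, 0, 0x8000, 0x1000, 14)  # arm64 slice
)

if __name__ == "__main__":
    for name, blob in (("arm64-only sample", ARM64_THIN), ("universal sample", FAT_UNIVERSAL)):
        archs = macho_archs(blob)
        print(f"{name}: {archs}; launches on Intel: {runs_on_intel(archs)}")
```

Feed `macho_archs()` the first few dozen bytes of a real file (`open(path, "rb").read(64)`) to get the same answer `file` or `lipo -archs` would give, without relying on macOS tooling on the analysis box.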

Although Jamf does not discuss the origin of the cybercriminals behind this campaign, PamStealer's behavior offers a few clues. PamStealer appears to deliberately exclude machines located in several countries, including Russia, Belarus, and Kazakhstan. To decide, it checks a few properties of the machine, including the time zone, system language, and keyboard layout. Such exclusions are a pattern commonly seen in malware from the Russian-speaking cybercrime ecosystem, although on their own they are a hint rather than an attribution.

A Password Validated via PAM Before Being Stolen

Now let's turn to one of PamStealer's key quirks. Once active on a machine, it displays an authentication dialog (an NSAlert) that imitates a legitimate system prompt, still under the Maccy name: "Maccy wants to make changes. Enter your password to allow it."

Source: Jamf

Where most macOS infostealers either accept whatever is typed into the fake prompt or check it by spawning a helper such as dscl, PamStealer validates the password locally via PAM, or Pluggable Authentication Modules (the same authentication framework Linux and other Unix-like systems use). If the password is invalid, it prompts again until a correct credential is entered. As a result, what it exfiltrates is a password that has already been verified locally, which is rather clever.

"This verification is performed entirely via PAM: there is no call to dscl, security, osascript, or any process launched to verify the password, as many common macOS data-stealing tools do. The result is a more discreet routine that keeps only a verified password, and one less process chain for defenders to detect," the Jamf researchers explain.
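To see what "entirely via PAM, with no process launched" means at the API level, here is an added example written for this article: it is not PamStealer's Rust code and not Jamf's, and it uses Python's ctypes against libpam instead of the sample's Rust bindings. The whole check is a pam_start/pam_authenticate pair inside the calling process, fed by a conversation callback. Assumptions, labelled in the code: the "login" PAM service (both macOS and Linux ship one; which service the malware uses is not stated in the report), and struct layouts shared by OpenPAM (macOS) and Linux-PAM. The re-prompt loop at the end models the behavior the article describes, with the verifier injectable so it can be exercised without real credentials.

```python
"""In-process password verification through PAM (added illustration).

Example code for this article, not PamStealer's or Jamf's. It mirrors the
technique described: the check is a pam_start/pam_authenticate call made by
the process itself, so no dscl, security or osascript child ever appears.
Assumptions: the "login" PAM service, and the pam_message/pam_response/
pam_conv layouts shared by OpenPAM (macOS) and Linux-PAM.
"""
import ctypes
import ctypes.util

# Message styles and success code common to OpenPAM and Linux-PAM
PAM_PROMPT_ECHO_OFF = 1   # "Password:" style prompt
PAM_PROMPT_ECHO_ON = 2    # "login:" style prompt
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4
PAM_SUCCESS = 0


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    # resp is a raw pointer: libpam will free() it, so it must come from the
    # C allocator (strdup), never from Python-owned memory.
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


CONV_FUNC = ctypes.CFUNCTYPE(
    ctypes.c_int, ctypes.c_int,
    ctypes.POINTER(ctypes.POINTER(PamMessage)),   # array of pointers (OpenPAM/Linux-PAM)
    ctypes.POINTER(ctypes.POINTER(PamResponse)),
    ctypes.c_void_p,
)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def answer_for(msg_style: int, username: bytes, password: bytes) -> bytes:
    """What the conversation callback hands back for one PAM message."""
    if msg_style == PAM_PROMPT_ECHO_OFF:
        return password
    if msg_style == PAM_PROMPT_ECHO_ON:
        return username
    return b""  # info/error messages still get an (empty) response slot


def verify_password(username: str, password: str, service: str = "login") -> bool:
    """True if PAM accepts username/password. Nothing is forked or exec'd."""
    libpam = ctypes.CDLL(ctypes.util.find_library("pam"))   # loaded lazily, on use
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libc.calloc.restype = ctypes.c_void_p
    libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.restype = ctypes.c_void_p
    libc.strdup.argtypes = [ctypes.c_char_p]
    user_b, pass_b = username.encode(), password.encode()

    def conv(num_msg, msgs, resp_out, _appdata):
        # One pam_response per message, allocated with the C allocator.
        replies = ctypes.cast(libc.calloc(num_msg, ctypes.sizeof(PamResponse)),
                              ctypes.POINTER(PamResponse))
        for i in range(num_msg):
            style = msgs[i].contents.msg_style
            replies[i].resp = libc.strdup(answer_for(style, user_b, pass_b))
            replies[i].resp_retcode = 0
        resp_out[0] = replies
        return PAM_SUCCESS

    callback = CONV_FUNC(conv)            # keep the reference alive for the whole exchange
    pamc = PamConv(callback, None)
    handle = ctypes.c_void_p()
    libpam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                                 ctypes.POINTER(PamConv), ctypes.POINTER(ctypes.c_void_p)]
    libpam.pam_authenticate.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libpam.pam_end.argtypes = [ctypes.c_void_p, ctypes.c_int]
    if libpam.pam_start(service.encode(), user_b, ctypes.byref(pamc), ctypes.byref(handle)) != PAM_SUCCESS:
        return False
    rc = libpam.pam_authenticate(handle, 0)
    libpam.pam_end(handle, rc)
    return rc == PAM_SUCCESS


def keep_asking(username: str, prompt, verify=verify_password, max_attempts: int = 5):
    """The re-prompt loop the article describes: only a password PAM accepts is kept."""
    for _ in range(max_attempts):
        candidate = prompt()
        if verify(username, candidate):
            return candidate
    return None
```

The detection consequence is the one Jamf draws: there is no process tree to catch. A verified credential comes from a library call, so the observable is the process itself (a non-system binary that links libpam and shows a password dialog), not a child command.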

Once the password is validated, the Rust payload casts a wide net: saved credentials, browser cookies and history, SQLite databases, clipboard contents (read in a loop via pbpaste), and cryptocurrency wallet data. Everything is encrypted with ChaCha20-Poly1305 before being exfiltrated to a command-and-control (C2) server run by the attackers.

For persistence, the malware poses as Finder and registers itself so that it runs again every time the Mac boots. It also delays certain prompts, such as the Full Disk Access request, sometimes by as much as forty minutes after launch, so that the prompt is not obviously tied to the app the user just opened.
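A practical hunting check for that persistence, as an added example for this article rather than Jamf's tooling: the article says only that PamStealer "poses as Finder" and runs at boot, so a launchd agent plist is the assumed mechanism here, and the two plists embedded below are constructed rather than recovered from the sample. The rule flags any launch item that claims to be Finder (in its label or program name) but whose program does not live where Apple's Finder lives.

```python
"""Hunt for launch items that impersonate Finder (added illustration).

Example code for this article, not Jamf's. A LaunchAgent plist is assumed as
the persistence mechanism; the plists below are constructed test inputs.
"""
import plistlib

# Where Apple's own Finder lives; anything calling itself Finder elsewhere is suspect.
REAL_FINDER = "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"
APPLE_ROOTS = ("/System/", "/usr/", "/Library/Apple/")


def inspect_launch_item(plist_bytes: bytes) -> dict:
    """Parse one launchd plist and report the fields a hunter cares about."""
    p = plistlib.loads(plist_bytes)
    args = p.get("ProgramArguments") or []
    program = p.get("Program") or (args[0] if args else "")
    label = p.get("Label", "")
    claims_finder = ("finder" in label.lower()
                     or program.rsplit("/", 1)[-1].lower() == "finder")
    apple_path = program.startswith(APPLE_ROOTS)
    return {
        "label": label,
        "program": program,
        "run_at_load": bool(p.get("RunAtLoad", False)),
        # Posing as Finder while running from outside Apple's directories
        "suspicious": claims_finder and program != REAL_FINDER and not apple_path,
    }


def find_suspicious(plists) -> list:
    """Labels of plists that pose as Finder but run from a non-Apple path."""
    return [r["label"] for r in map(inspect_launch_item, plists) if r["suspicious"]]


# Constructed example: a user-level agent pretending to be Finder.
FAKE_FINDER_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.Finder.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/Finder/Finder</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

# Constructed example: an ordinary third-party updater, not flagged.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    import glob
    import os
    # On a Mac, scan the real per-user and system-wide agent folders;
    # elsewhere, fall back to the constructed samples.
    paths = (glob.glob(os.path.expanduser("~/Library/LaunchAgents/*.plist"))
             + glob.glob("/Library/LaunchAgents/*.plist"))
    blobs = [open(path, "rb").read() for path in paths] or [FAKE_FINDER_AGENT, BENIGN_AGENT]
    print("suspicious:", find_suspicious(blobs))
```

Extend `APPLE_ROOTS` and the name check to other Apple process names the same way; the point is to compare what an item claims to be against where its executable actually lives.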

This modus operandi confirms a trend already documented on IT-Connect: macOS malware abuses legitimate system features rather than exploiting brand-new vulnerabilities. Examples include the MacSync variant capable of bypassing Gatekeeper and the ClickFix attacks abusing Claude artifacts.

Sources: Jamf Threat Labs

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
