Malware | Jul 3, 2026

New PamStealer Malware Targets macOS Users via Fake Maccy Clipboard App

New PamStealer malware targets macOS users via a fake Maccy clipboard app.

Summary

A new Rust-based infostealer named PamStealer is targeting macOS users by impersonating the legitimate Maccy clipboard manager. Attackers are distributing the malware through a fake Maccy app hosted on a lookalike domain, maccyapp(.)com. The malware steals passwords, browser data, and clipboard content, and employs sophisticated techniques to evade detection and trick users into granting elevated privileges.

Full text

Security | Malware

The newly spotted PamStealer is spreading through a fake Maccy clipboard app and steals Mac passwords, browser data and clipboard content.

by Waqas, July 3, 2026, 4 minute read

Mac users searching for a clipboard manager are being redirected to a fake version of Maccy, an open-source app, in a campaign that installs a Rust-based infostealer called PamStealer. Jamf Threat Labs reported that the malware is served from maccyapp(.)com, a lookalike domain made to impersonate the legitimate Maccy project. Researchers named the malware PamStealer because it checks a victim’s login password via macOS Pluggable Authentication Modules (PAM) before retaining it.

AppleScript Starts the Infection Chain

The attack starts with a disk image containing a compiled AppleScript file named Maccy.scpt. When opened, the file shows branded instructions that tell the user to run the script in Script Editor, while the malicious logic sits far below the visible text after a long blank section. Jamf also found Greek and Cyrillic lookalike characters in the word “Maccy,” a small trick meant to defeat simple text matching.

Once the user runs the script, the first stage acts as a downloader for the real payload. Jamf said the dropper uses JavaScript for Automation with native Objective-C APIs, including NSURLSession, to retrieve and stage the second stage, avoiding the more visible use of curl, zsh or osascript that many macOS downloaders rely on.

Before that download proceeds, the script checks the machine it is running on. The dropper builds a key from host details such as CPU architecture, locale, keyboard layout, and time zone, then uses that key to unlock its encrypted configuration. Jamf said the files it reviewed were keyed to Apple silicon, and the configuration would not unlock on Intel Macs.

According to Jamf Threat Labs’ report shared with Hackread.com, the malware authors have also added regional checks to the first stage. The malware checks time zones, locale data, and keyboard input sources linked to Russia, Belarus, Kazakhstan, and several nearby countries, with any match stopping the configuration from opening. Jamf said the same checks appear again in the second stage, linking the dropper and the infostealer to the same operator.

Rust Payload Hides as a macOS Component

After installation, the payload hides inside an application bundle that looks like a built-in macOS component. Jamf observed variants using names such as Finder.app and Software Update.app, with Apple-style bundle identifiers and the genuine Finder icon copied in. The dropper ad hoc signs the bundle, launches it without a visible window or Dock item, and leaves a .Maccy file nearby as an infection flag.

After the fake Finder launches, the Rust-based Mach-O stealer begins collecting data. Jamf said it can read browser-related SQLite databases, load Security.framework at runtime for keychain access, read the clipboard by repeatedly launching the built-in pbpaste utility, and send data to a command and control endpoint. The traffic is wrapped in JSON and encrypted with ChaCha20-Poly1305.

[Image: The fake Maccy app domain and the clipboard manager distributed via a disk image (Image credit: Jamf Threat Labs)]

Password Prompt and Decoy Error Message

It is also worth noting that the malware’s password prompt is designed to look familiar to a Mac user. It shows a native-looking dialog claiming that “Maccy wants to make changes” and asks for the account password. If the user types the wrong password, PamStealer checks it through PAM and asks again, moving forward only after a valid password is entered.

A second fake alert helps the operator close the loop. After the password has been accepted and the payload has already run, the malware shows a message saying the Maccy app is damaged and should be moved to Trash. That message is a decoy, giving the user a simple explanation for why the app did not open normally.

Full Disk Access Push and Login Item Persistence

The malware also tries to talk users into granting Full Disk Access. In Jamf’s testing, a fake alert appeared after a delay that could reach about 40 minutes, claiming that Finder had lost access to protected data and offering to open System Settings. If the user approves the fake Finder entry in the Full Disk Access pane, the stealer can read protected app data, including Mail, Messages, and Time Machine backups.

To survive restarts, PamStealer registers its fake Finder bundle as a login item in two ways. The Rust stealer uses Apple’s modern ServiceManagement API, and it also drops a small helper program in /private/tmp/System Settings to add the same bundle through the legacy login items interface.

Network activity also leaves a useful clue for incident response. Jamf found the second stage using avenger-sync(.)live/api/sync for command and control, with cache records stored under ~/Library/Caches/com.apple.finder.core/. The cache kept request and response metadata, while the message bodies remained encrypted.

What Mac Users and Admins Should Check

Anyone installing Maccy should get it from the real project page or trusted package sources, not a search result or lookalike domain. A clipboard manager delivered as a .scpt file that asks to be run in Script Editor should be treated as suspicious, and password prompts from newly downloaded apps deserve extra scrutiny.

If your company uses Macs, the attack leaves several signs that can help spot an infected machine. These include Script Editor triggering code signing for an app stored inside Application Support, a process named Finder running from a folder where normal users can save files, repeated use of the macOS pbpaste tool by that fake Finder process, and new login items using a copied Apple system icon.
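The detection signs listed above can be checked with a small triage script. The one below is an added example written for this article, not tooling from Jamf or Hackread; it assumes the genuine Finder path under /System/Library/CoreServices, that the .Maccy flag sits somewhere under ~/Library, and it embeds a constructed process listing and scratch-directory layout so it can be exercised offline.

```shell
#!/bin/sh
# Triage helper for the PamStealer host indicators in the report above (added
# example, not Jamf's or Hackread's tooling). Sample data is constructed.

# The genuine Finder lives only here; a process named Finder running from any
# other path (e.g. a user-writable folder under Application Support) is suspect.
LEGIT_FINDER="/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"

# Reads "<pid> <ppid> <executable path>" lines on stdin, the shape produced on
# macOS by: ps -axo pid=,ppid=,comm=   (comm is the full path there). Flags every
# rogue Finder, then every pbpaste whose parent is a rogue Finder. pbpaste runs
# only briefly, so on a live Mac sample the listing repeatedly rather than once.
triage_ps() {
  awk -v legit="$LEGIT_FINDER" '
    {
      pid = $1; ppid = $2; $1 = ""; $2 = ""; sub(/^ +/, ""); path = $0
      if (path ~ "/Finder$" && path != legit) {
        rogue[pid] = 1
        print "ROGUE_FINDER pid=" pid " path=" path
      }
      if (path ~ "/pbpaste$") pb_parent[pid] = ppid
    }
    END {
      for (pid in pb_parent)
        if (rogue[pb_parent[pid]])
          print "PBPASTE_FROM_ROGUE_FINDER pid=" pid " parent=" pb_parent[pid]
    }'
}

# Looks under a home directory and a tmp directory for the on-disk artifacts the
# report lists: the C2 cache folder, the legacy login-item helper and the .Maccy
# flag (assumed to sit under ~/Library). On a live Mac pass "$HOME" /private/tmp.
check_artifacts() {
  home=$1; tmp=$2
  if [ -d "$home/Library/Caches/com.apple.finder.core" ]; then
    echo "C2_CACHE $home/Library/Caches/com.apple.finder.core"
  fi
  if [ -e "$tmp/System Settings" ]; then
    echo "LOGIN_ITEM_HELPER $tmp/System Settings"
  fi
  find "$home/Library" -name .Maccy 2>/dev/null | sed 's/^/INFECTION_FLAG /'
  return 0
}

# Constructed sample: a real Finder (480) and a fake one (612) that ran pbpaste.
SAMPLE_PS="  480 1 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  612 1 /Users/me/Library/Application Support/Finder.app/Contents/MacOS/Finder
  733 612 /usr/bin/pbpaste
  740 480 /usr/bin/pbpaste"
printf '%s\n' "$SAMPLE_PS" | triage_ps
```

On a live machine, replace the sample with `ps -axo pid=,ppid=,comm= | triage_ps` and call `check_artifacts "$HOME" /private/tmp`; the login-item and Full Disk Access entries still need a manual look in System Settings.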

Indicators of Compromise

  • malware — PamStealer
  • mitre_attack — T1059.005
  • mitre_attack — T1555
  • mitre_attack — T1119

Entities

  • Maccy (product)
  • macOS (technology)
  • PAM (technology)
  • AppleScript (technology)
  • Rust (technology)