[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7EWx2wBAinrHlFeMDI14aoGrzG-aOC1GsIy5hqO1_JM":3},{"article":4,"iocs":46},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"8c396079-76ad-48b9-b8a4-13b89633bf61","PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords","pamstealer-uses-fake-maccy-sites-and-pam-checks-to-steal-mac-login-passwords-ce4350","Cybersecurity researchers have flagged a new macOS information stealer called PamStealer that employs a series of clever tricks to infect systems and siphon sensitive data. The stealer, discovered by Jamf Threat Labs, is distributed as a compiled AppleScript (.scpt) file impersonating Maccy, a legitimate open-source clipboard manager. It has been codenamed PamStealer owing to its ability to","A new macOS information stealer named PamStealer has been identified, distributed as a compiled AppleScript disguised as the legitimate clipboard manager Maccy. It uses a fake website and a two-stage infection process, with the second stage being a Rust-based infostealer. PamStealer uniquely validates captured login passwords using macOS's Pluggable Authentication Modules (PAM) before exfiltrating data.","PamStealer malware targets macOS users with fake Maccy sites and PAM checks to steal login passwords.","PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords. By Ravie Lakshmanan, Jul 03, 2026. Credential Theft \u002F Cryptocurrency. Cybersecurity researchers have flagged a new macOS information stealer called PamStealer that employs a series of clever tricks to infect systems and siphon sensitive data. The stealer, discovered by Jamf Threat Labs, is distributed as a compiled AppleScript (.scpt) file impersonating Maccy, a legitimate open-source clipboard manager. 
It has been codenamed PamStealer owing to its ability to validate the victim's login password through the macOS Pluggable Authentication Modules (PAM) before capturing it. The malware is delivered in two stages: A compiled AppleScript distributed inside a disk image that's designed to download and stage a follow-on payload. The secondary artifact is a Rust-based infostealer capable of credential theft, browser data collection, persistence, and exfiltration. The initial access vector for the malware is a lookalike site (\"maccyapp[.]com\") that mimics Maccy (\"maccy[.]app\"). The AppleScript (\"Maccy.scpt\") present within the disk image executes a self-contained JavaScript for Automation (JXA) downloader that fetches and stages the stealer payload using native Objective-C APIs. What's notable here is that the script, once launched via the Script Editor, displays instructions to run it using the \"⌘ + R\" keyboard shortcut or clicking the Run button from the Script Editor, causing the malicious logic hidden in the file below a large block of empty lines to be executed. \"Notably, this works even when the file still carries the com.apple.quarantine attribute, which is what makes the approach attractive to attackers as Apple continues to tighten Gatekeeper and Terminal,\" security researcher Thijs Xhaflaire said. \"Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity macOS stealers.\" The AppleScript dropper incorporates environment-aware features that allow the execution to continue only after fingerprinting the host and determining it's running on Apple Silicon. It does this by deriving a key based on the fingerprint, which includes details like the CPU architecture, locale, keyboard layout, and the time zone, and then using it to unlock an encrypted configuration that contains the payload URL and install path. 
On Intel-based Macs, the derived decryption key differs and fails to decode the configuration, resulting in the termination of the dropper. The script also avoids execution within sandboxed or analysis environments, as well as systems whose time zone, system locale, and keyboard input resolve to countries located in Eastern Europe, such as Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia. Once the checks pass, the script reaches out to the external server and downloads a Mach-O binary written in Rust that masquerades as the Finder app and is responsible for harvesting data from web browsers, cryptocurrency wallet extensions, iCloud Keychain, and clipboard content. The captured information is then encrypted and exfiltrated to attacker-controlled infrastructure (\"avenger-sync[.]live\") over an outbound HTTP request. Besides coercing the user into granting it full file system access, the stealer serves a native password prompt that collects the victim's system password, and then validates the entered password by cross-checking it via the PAM API. If the validation fails, it asks the user to re-enter the password, and repeats the loop until the correct password is supplied. \"Once a valid password is captured, the stealer shows a second, counterfeit alert: 'Maccy is damaged and can't be opened. You should move it to the Trash,' a close copy of the genuine Gatekeeper message,\" Jamf said. \"This is a decoy. By the time it appears, the payload has already run, captured the password and registered for persistence, so the message serves only to make the victim discard the lure and assume the download was broken.\" Also built into the Rust binary is a small arm64 Mach-O that impersonates macOS System Settings and is used for setting up persistence. 
The development has prompted Alex Rodionov, the developer of Maccy, to include a warning on their website and the GitHub repository, stating, \"Beware of fake websites impersonating Maccy. Malicious sites (such as maccyapp[.]net and maccyapp[.]com) distribute malware disguised as Maccy. maccy.app is the only official website.\" \"Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features,\" Jamf said.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fpamstealer-uses-fake-maccy-sites-and.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEiEmcBMGUjTwe51gVQWP401twHYLMUOocwG9nYkgadlFV6cmGXrPS-3PeNTg_GJOaUVohWILNXgIC8ufSkPqXRbW1wIyvUr5JEKCrrMI3_hlN8uFtxpf-sBn743tQmlK2ipu_qWtY3k18cPkaQ6XGJnR7RPjuMOWkYwcmJ5XSnSNQHbNpkEgyyP29hJA6j2\u002Fs1600\u002Fmacos-malware.jpg","2026-07-03T08:03:37+00:00","2026-07-03T10:00:13.135286+00:00",8,[18,21,24,26,28,30],{"name":19,"type":20},"Maccy","product",{"name":22,"type":23},"AppleScript","technology",{"name":25,"type":23},"PAM",{"name":27,"type":23},"Rust",{"name":29,"type":23},"Objective-C",{"name":31,"type":32},"Jamf","vendor","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":33,"icon":35,"name":36,"slug":37},null,"Malware","malware",[39,41],{"category":40},{"id":33,"icon":35,"name":36,"slug":37},{"category":42},{"id":43,"icon":35,"name":44,"slug":45},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[47,51,54],{"type":48,"value":49,"context":50},"domain","maccyapp[.]com","Lookalike domain used for initial distribution.",{"type":48,"value":52,"context":53},"avenger-sync[.]live","Command and control server for data exfiltration.",{"type":37,"value":55,"context":56},"PamStealer","Name of the macOS information stealer."]