Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

75% CISOs Fear Executives Don’t Understand Cybersecurity Risks

July 9, 2026

PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords

July 9, 2026

GhostApproval Flaw Hits Six Major AI Coding Assistants

July 9, 2026
Facebook X (Twitter) Instagram
Thursday, July 9
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords
News

PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords

Team-CWDBy Team-CWDJuly 9, 2026No Comments4 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Cybersecurity researchers have flagged a new macOS information stealer called PamStealer that employs a series of clever tricks to infect systems and siphon sensitive data.

The stealer, discovered by Jamf Threat Labs, is distributed as a compiled AppleScript (.scpt) file impersonating Maccy, a legitimate open-source clipboard manager. It has been codenamed PamStealer owing to its ability to validate the victim’s login password through the macOS Pluggable Authentication Modules (PAM) before capturing it.

The malware is delivered in two stages: A compiled AppleScript distributed inside a disk image that’s designed to download and stage a follow-on payload. The secondary artifact is a Rust-based infostealer capable of credential theft, browser data collection, persistence, and exfiltration.

The initial access vector for the malware is a lookalike site (“maccyapp[.]com”) that mimics Maccy (“maccy[.]app”). The AppleScript (“Maccy.scpt”) present within the disk image executes a self-contained JavaScript for Automation (JXA) downloader that fetches and stages the stealer payload using native Objective-C APIs.

What’s notable here is that the script, once launched via the Script Editor, displays instructions to run it using the “⌘ + R” keyboard shortcut or clicking the Run button from the Script Editor, causing the malicious logic hidden in the file below a large block of empty lines to be executed.

“Notably, this works even when the file still carries the com.apple.quarantine attribute, which is what makes the approach attractive to attackers as Apple continues to tighten Gatekeeper and Terminal,” security researcher Thijs Xhaflaire said. “Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity macOS stealers.”

The AppleScript dropper incorporates environment-aware features that allow the execution to continue only after fingerprinting the host and determining it’s running on Apple Silicon. It does this by deriving a key based on the fingerprint, which includes details like the CPU architecture, locale, keyboard layout, and the time zone, and then using it to unlock an encrypted configuration that contains the payload URL and install path.

On Intel-based Macs, the derived decryption key differs and fails to decode the configuration, resulting in the termination of the dropper. The script also avoids execution within sandboxed or analysis environments, as well as systems whose time zone, system locale, and keyboard input resolve to countries located in Eastern Europe, such as Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia.

Once the checks pass, the script reaches out to the external server and downloads a Mach-O binary written in Rust that masquerades as the Finder app and is responsible for harvesting data from web browsers, cryptocurrency wallet extensions, iCloud Keychain, and clipboard content. The captured information is then encrypted and exfiltrated to attacker-controlled infrastructure (“avenger-sync[.]live”) over an outbound HTTP request.

Besides coercing the user into granting it full file system access, the stealer serves a native password prompt that collects the victim’s system password, and then validates the entered password by cross-checking it via the PAM API. If the validation fails, it asks the user to re-enter the password, and repeats the loop until the correct password is supplied.

“Once a valid password is captured, the stealer shows a second, counterfeit alert: ‘Maccy is damaged and can’t be opened. You should move it to the Trash,’ a close copy of the genuine Gatekeeper message,” Jamf said. “This is a decoy. By the time it appears, the payload has already run, captured the password and registered for persistence, so the message serves only to make the victim discard the lure and assume the download was broken.”

Also built into the Rust binary is a small arm64 Mach-O that impersonates macOS System Settings and is used for setting up persistence.

The development has prompted Alex Rodionov, the developer of Maccy, to include a warning on their website and the GitHub repository, urging users to stay away from fake websites mimicking the tool. “Beware of fake websites impersonating Maccy. Malicious sites (such as maccyapp[.]net and maccyapp[.]com) distribute malware disguised as Maccy. Maccy[.]app is the only official website,” Rodionov said.

“Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features,” Jamf said.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleGhostApproval Flaw Hits Six Major AI Coding Assistants
Next Article 75% CISOs Fear Executives Don’t Understand Cybersecurity Risks
Team-CWD
  • Website

Related Posts

News

75% CISOs Fear Executives Don’t Understand Cybersecurity Risks

July 9, 2026
News

Vibe-Coded Malware Caught in Active Directory Attack

July 9, 2026
News

Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

July 9, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Chronology of a Skype attack

February 5, 2026

2025’s most common passwords were as predictable as ever

January 21, 2026

Is it OK to let your children post selfies online?

February 17, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.