PROBABLYPWNED
Malware | July 3, 2026 | 4 min read

PamStealer Validates Your Mac Password Before Stealing It

Jamf Threat Labs uncovers a macOS infostealer that impersonates the Maccy clipboard manager, validates credentials through PAM, then harvests browser data, crypto wallets, and iCloud Keychain.

James Rivera

Most infostealers grab whatever credentials they can find and sort out what's valid later. PamStealer takes a different approach: it asks for your password, validates it locally through macOS's authentication framework, and only then proceeds to steal everything else. If the password is wrong, it keeps asking until you get it right.

Jamf Threat Labs documented the malware on July 2. It is distributed through a fake website impersonating Maccy, a legitimate clipboard manager with a loyal Mac user base. The deception is convincing enough that Maccy's developer Alex Rodionov issued a warning: "Beware of fake websites impersonating Maccy. Maccy.app is the only official website."

The Two-Stage Attack Chain

PamStealer arrives as a compiled AppleScript inside a disk image, downloaded from malicious domains like maccyapp[.]com and maccyapp[.]net. The first stage operates as a JavaScript for Automation (JXA) downloader using native Objective-C APIs.

Security researcher Thijs Xhaflaire noted a critical bypass: "This works even when the file still carries the com.apple.quarantine attribute." Apple's Gatekeeper protections, designed to prevent unsigned code execution, fail to stop it.

The dropper fingerprints the system before proceeding. It identifies whether the Mac runs on Apple Silicon or Intel, derives decryption keys from CPU architecture combined with locale, keyboard layout, and timezone, then uses those keys to decrypt configuration containing the second-stage payload URL.

Geographic blocking is built in. The malware refuses to execute in Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia—a common pattern among Eastern European cybercrime operations avoiding domestic targets.

The PAM Validation Trick

The second stage is a Rust-based Mach-O binary masquerading as the Finder application. When executed, it displays a native-looking password prompt: "Maccy wants to make changes. Enter your password to allow this." The account name pre-populates automatically.

Here's where PamStealer earns its name. Instead of simply capturing whatever the user types and moving on, it validates the password against macOS's Pluggable Authentication Modules (PAM) API. Wrong password? The prompt reappears. This continues until the user provides the correct credentials—giving attackers immediate confirmation that the captured password actually works.

What Gets Stolen

Once authenticated, PamStealer harvests:

  • Web browser credentials and session cookies
  • Browsing history
  • Cryptocurrency wallet extensions
  • iCloud Keychain contents
  • Clipboard data

The stolen data is encrypted and exfiltrated to avenger-sync[.]live over HTTP.

Covering Tracks

After the payload executes and establishes persistence, users see a fake Gatekeeper error message: "Maccy is damaged and can't be opened. You should move it to the Trash." By this point, the damage is done. The persistence mechanism—an arm64 Mach-O binary disguised as macOS System Settings—ensures the malware survives reboots.

The quiet execution chain and native UI elements make detection difficult. As Xhaflaire observed, the implementation reduces traditional detection opportunities by using legitimate macOS frameworks rather than easily flagged malicious patterns.

Connecting the Dots

PamStealer continues a trend of macOS threats growing more sophisticated. We covered a similar ClickFix-based AMOS Stealer campaign last month that abused DMG mounting behaviors, and North Korean actors deploying the Gaslight backdoor through AI prompt injection in June. macOS is no longer a low-priority target.

How to Protect Yourself

  1. Download Maccy only from maccy.app - Verify the domain carefully before installing
  2. Be suspicious of password prompts - Legitimate clipboard managers don't require authentication to install
  3. Check Activity Monitor - Look for processes impersonating System Settings or Finder
  4. Review Login Items - System Settings > General > Login Items should only contain software you recognize
  5. Enable Lockdown Mode for high-risk users - Restricts functionality but significantly reduces the attack surface
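
Steps 3 and 4 above can be turned into a quick triage check. The script below is an added example (not code from Jamf or from this article): it takes `ps`-style output listing each process's executable path and flags any process named Finder or System Settings that is not running from the location the genuine app ships from. The expected paths assume macOS Ventura or later; the sample process list, including the impostor paths, is constructed for illustration.

```python
# Added example, not from the Jamf report or this article: flag processes whose
# name mimics a built-in macOS app but whose binary lives somewhere else.
import os
import re

# Where the genuine binaries live on current macOS (assumption: Ventura or later).
EXPECTED_PATHS = {
    "Finder": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
    "System Settings": "/System/Applications/System Settings.app/Contents/MacOS/System Settings",
}

# Constructed sample in the shape of `ps -axo pid=,comm=` output on macOS
# (assumption: comm prints the full executable path). The two user-directory
# entries are hypothetical impostors.
SAMPLE_PS = """\
  412 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
 7731 /Users/alice/Library/Application Support/.cache/Finder
 7802 /Users/alice/Library/LaunchAgents/System Settings
  901 /System/Applications/System Settings.app/Contents/MacOS/System Settings
"""


def parse_ps(text):
    """Split ps output into (pid, path) tuples; paths may contain spaces."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+)$", line)
        if m:
            rows.append((int(m.group(1)), m.group(2)))
    return rows


def find_impostors(rows):
    """Return (pid, path) for processes named like a system app but run from elsewhere."""
    hits = []
    for pid, path in rows:
        name = os.path.basename(path)
        expected = EXPECTED_PATHS.get(name)
        if expected is not None and os.path.normpath(path) != expected:
            hits.append((pid, path))
    return hits


if __name__ == "__main__":
    for pid, path in find_impostors(parse_ps(SAMPLE_PS)):
        print(f"suspicious: pid {pid} runs '{os.path.basename(path)}' from {path}")
```

On a live system, replace SAMPLE_PS with the output of `ps -axo pid=,comm=` and extend EXPECTED_PATHS with any other system apps you want to check.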

If you've downloaded Maccy from anywhere other than the official site recently, assume compromise and rotate your credentials—especially for cryptocurrency wallets and iCloud.
