PamStealer Validates Your Mac Password Before Stealing It
Jamf Threat Labs uncovers a macOS infostealer that impersonates the Maccy clipboard manager, validates credentials through PAM, then harvests browser data, crypto wallets, and iCloud Keychain.
Most infostealers grab whatever credentials they can find and sort out what's valid later. PamStealer takes a different approach: it asks for your password, validates it locally through macOS's authentication framework, and only then proceeds to steal everything else. If the password is wrong, it keeps asking until you get it right.
Jamf Threat Labs documented the malware on July 2. It is distributed through a fake website impersonating Maccy, a legitimate clipboard manager with a loyal Mac user base. The deception is convincing enough that Maccy's developer Alex Rodionov issued a warning: "Beware of fake websites impersonating Maccy. Maccy.app is the only official website."
The Two-Stage Attack Chain
PamStealer arrives as a compiled AppleScript inside a disk image, downloaded from malicious domains like maccyapp[.]com and maccyapp[.]net. The first stage operates as a JavaScript for Automation (JXA) downloader using native Objective-C APIs.
Security researcher Thijs Xhaflaire noted a critical bypass: "This works even when the file still carries the com.apple.quarantine attribute." Apple's Gatekeeper protections, designed to prevent unsigned code execution, fail to stop it.
The dropper fingerprints the system before proceeding. It identifies whether the Mac runs on Apple Silicon or Intel, derives decryption keys from CPU architecture combined with locale, keyboard layout, and timezone, then uses those keys to decrypt configuration containing the second-stage payload URL.
Geographic blocking is built in. The malware refuses to execute in Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia—a common pattern among Eastern European cybercrime operations avoiding domestic targets.
The PAM Validation Trick
The second stage is a Rust-based Mach-O binary masquerading as the Finder application. When executed, it displays a native-looking password prompt: "Maccy wants to make changes. Enter your password to allow this." The account name pre-populates automatically.
Here's where PamStealer earns its name. Instead of simply capturing whatever the user types and moving on, it validates the password against macOS's Pluggable Authentication Modules (PAM) API. Wrong password? The prompt reappears. This continues until the user provides the correct credentials—giving attackers immediate confirmation that the captured password actually works.
What Gets Stolen
Once authenticated, PamStealer harvests:
- Web browser credentials and session cookies
- Browsing history
- Cryptocurrency wallet extensions
- iCloud Keychain contents
- Clipboard data
The stolen data is encrypted and exfiltrated to avenger-sync[.]live over HTTP.
Covering Tracks
After the payload executes and establishes persistence, users see a fake Gatekeeper error message: "Maccy is damaged and can't be opened. You should move it to the Trash." By this point, the damage is done. The persistence mechanism—an arm64 Mach-O binary disguised as macOS System Settings—ensures the malware survives reboots.
The quiet execution chain and native UI elements make detection difficult. As Xhaflaire observed, the implementation reduces traditional detection opportunities by using legitimate macOS frameworks rather than easily flagged malicious patterns.
Connecting the Dots
PamStealer continues a trend of macOS threats growing more sophisticated. We covered a similar ClickFix-based AMOS Stealer campaign last month that abused DMG mounting behaviors, and North Korean actors deploying the Gaslight backdoor through AI prompt injection in June. macOS is no longer a low-priority target.
How to Protect Yourself
- Download Maccy only from maccy.app: verify the domain carefully before installing.
- Be suspicious of password prompts: legitimate clipboard managers don't require authentication to install.
- Check Activity Monitor: look for processes impersonating System Settings or Finder.
- Review Login Items: System Settings > General > Login Items should only contain software you recognize.
- Enable Lockdown Mode for high-risk users: it restricts functionality but significantly reduces the attack surface.
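As an added example (not code from the article or from Jamf Threat Labs), here is a POSIX shell check for the Activity Monitor step above: it flags processes named Finder or System Settings whose executable lives outside Apple's system paths, which is the disguise PamStealer's second stage and persistence binary use. The function names and the sample process listing are my own; the live wrapper assumes macOS, where `ps -o comm=` prints the full executable path.

```bash
#!/bin/sh
# Added defender example (not code from the article or Jamf Threat Labs).
# Flags processes named "Finder" or "System Settings" whose executable does
# not live under Apple's system paths, the impersonation pattern described above.

# is_impersonator PATH -> exit 0 if the path looks like a disguised binary.
is_impersonator() {
    case "${1##*/}" in
        Finder|"System Settings") ;;   # only the two names the stealer borrows
        *) return 1 ;;
    esac
    case "$1" in
        /System/Applications/*|/System/Library/CoreServices/*) return 1 ;;
        *) return 0 ;;
    esac
}

# flag_impersonators "<lines>" -> prints each suspicious "pid path" line.
# Input lines have the shape "pid /full/path", as `ps -axo pid=,comm=` prints
# on macOS (there comm is the full executable path, so it may contain spaces).
flag_impersonators() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        line=${line#"${line%%[! ]*}"}        # strip ps's pid padding
        [ -n "$line" ] || continue
        path=${line#* }
        if is_impersonator "$path"; then printf '%s\n' "$line"; fi
    done
}

# Live check on a Mac; prints nothing on a clean system. The same
# is_impersonator test can be applied to Program paths from LaunchAgents.
scan_running_processes() {
    flag_impersonators "$(ps -axo pid=,comm=)"
}

# Constructed sample listing (hypothetical pids and paths) for offline use.
SAMPLE_PS='  501 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  502 /System/Applications/System Settings.app/Contents/MacOS/System Settings
  777 /Users/victim/Library/Application Support/.cache/System Settings
  888 /private/tmp/Maccy.app/Contents/MacOS/Finder'
```

Run `flag_impersonators "$SAMPLE_PS"` to see the two planted entries reported, or `scan_running_processes` on a Mac to check the live process table.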
If you've downloaded Maccy from anywhere other than the official site recently, assume compromise and rotate your credentials—especially for cryptocurrency wallets and iCloud.