Full Report
Cybersecurity researchers have flagged a new macOS information stealer called PamStealer that employs a series of clever tricks to infect systems and siphon sensitive data. The stealer, discovered by Jamf Threat Labs, is distributed as a compiled AppleScript (.scpt) file impersonating Maccy, a legitimate open-source clipboard manager. It has been codenamed PamStealer owing to its ability to
Analysis Summary
# Tool/Technique: PamStealer
## Overview
PamStealer is a sophisticated macOS information stealer first identified by Jamf Threat Labs. It is primarily designed to exfiltrate sensitive user data, including browser information, cryptocurrency wallets, and system credentials. Its namesake feature is its use of the macOS Pluggable Authentication Modules (PAM) API to verify the accuracy of a stolen system password in real-time before exfiltrating it.
## Technical Details
- **Type:** Malware (Information Stealer)
- **Platform:** macOS (Specifically optimized for Apple Silicon/ARM64)
- **Capabilities:** Credential validation (PAM), browser data harvesting, keychain theft, crypto-wallet siphoning, environment fingerprinting, and persistence.
- **First Seen:** July 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566.002 - Phishing: Spearphishing Link] (Fake "Maccy" website)
- **[TA0002 - Execution]**
- [T1059.002 - Command and Scripting Interpreter: AppleScript]
- [T1204.002 - User Execution: Malicious File]
- **[TA0005 - Defense Evasion]**
- [T1140 - Deception/Social Engineering] (Fake Gatekeeper "damaged" alerts)
- [T1497 - Virtualization/Sandbox Evasion] (Geofencing and analysis environment checks)
- [T1027 - Obfuscation] (Hidden logic in AppleScript via large padding)
- **[TA0006 - Credential Access]**
- [T1555 - Credentials from Password Stores]
- [T1555.001 - Keychain]
- [T1141 - Input Capture: Password Stealing] (Fake login prompts validated via PAM)
- **[TA0010 - Exfiltration]**
- [T1041 - Exfiltration Over C2 Channel]
## Functionality
### Core Capabilities
- **Two-Stage Infection:** Uses a compiled AppleScript (.scpt) as an initial dropper to fetch a secondary, high-performance Rust-based binary.
- **Credential Validation:** Employs a unique loop that captures the user’s password via a native-looking prompt and validates it against the system's PAM API. It refuses to progress until the correct password is provided.
- **Data Harvesting:** Targets web browsers, cryptocurrency wallet extensions, iCloud Keychain, and system clipboard contents.
### Advanced Features
- **Environment Awareness:** The dropper fingerprints the host (CPU, locale, keyboard layout) to derive a decryption key. If the system is Intel-based or located in specific Eastern European regions (CIS countries), the malware terminates.
- **Gatekeeper Bypass/Social Engineering:** Executes via Script Editor to bypass certain macOS security attributes. After success, it displays a fake "App is damaged" message to trick the user into deleting the evidence.
- **Rust-Based Performance:** The second stage is written in Rust, making it cross-architecture (though optimized for ARM) and harder to signature-base detect compared to traditional scripts.
## Indicators of Compromise
- **File Names:**
- `Maccy.scpt` (Initial dropper)
- `Finder` (Malicious Mach-O binary)
- `Maccy.dmg` (Distribution image)
- **Network Indicators:**
- `maccyapp[.]com` (Phishing/Distribution)
- `avenger-sync[.]live` (Exfiltration/C2)
- **Behavioral Indicators:**
- Execution of AppleScript containing excessive white-space/padding.
- Unexpected native OS password prompts immediately following the installation of third-party software.
- Process masquerading as "Finder" or "System Settings" originating from non-standard paths.
## Associated Threat Actors
- Currently attributed to unknown threat actors focusing on macOS users and cryptocurrency assets.
## Detection Methods
- **Signature-based:** Monitoring for the specific AppleScript hash and the Rust-based Mach-O binary.
- **Behavioral detection:**
- Monitoring for non-standard processes calling the PAM API (`pam_authenticate`).
- Detection of script execution involving large amounts of hidden JavaScript for Automation (JXA).
- Monitoring for outbound connections to newly registered domains involving "sync" or "app" keywords.
## Mitigation Strategies
- **User Education:** Advise users to only download "Maccy" from the official `maccy.app` domain or reputable sources like GitHub.
- **System Hardening:** Use Managed Apple IDs and MDM profiles to restrict the execution of unsigned AppleScripts.
- **Endpoint Security:** Deploy EDR solutions capable of monitoring API calls (like PAM) and detecting environment fingerprinting behaviors in macOS.
## Related Tools/Techniques
- **Maccy:** The legitimate clipboard manager being impersonated.
- **CrateStealer / Atomic Stealer (AMOS):** Similar macOS-focused info-stealers using social engineering and DMG distribution.