Ravie Lakshmanan | Jul 03, 2026 | Credential Theft / Cryptocurrency
Cybersecurity researchers have flagged a new macOS information stealer called PamStealer that employs a series of clever tricks to infect systems and siphon sensitive data.
The stealer, discovered by Jamf Threat Labs, is distributed as a compiled AppleScript (.scpt) file impersonating Maccy, a legitimate open-source clipboard manager. It has been codenamed PamStealer owing to its ability to validate the victim’s login password through the macOS Pluggable Authentication Modules (PAM) before capturing it.
The malware is delivered in two stages. The first is a compiled AppleScript, distributed inside a disk image, whose job is to download and stage a follow-on payload. The second is a Rust-based infostealer capable of credential theft, browser data collection, persistence, and exfiltration.
The initial access vector for the malware is a lookalike site (“maccyapp[.]com”) that mimics Maccy (“maccy[.]app”). The AppleScript (“Maccy.scpt”) present within the disk image executes a self-contained JavaScript for Automation (JXA) downloader that fetches and stages the stealer payload using native Objective-C APIs.
What’s notable here is that the script, once opened in Script Editor, displays instructions to run it with the “⌘ + R” keyboard shortcut or the Run button. Doing so executes the malicious logic, which is hidden further down in the file beneath a large block of empty lines.
“Notably, this works even when the file still carries the com.apple.quarantine attribute, which is what makes the approach attractive to attackers as Apple continues to tighten Gatekeeper and Terminal,” security researcher Thijs Xhaflaire said. “Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity macOS stealers.”
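The point in the passage above is that the com.apple.quarantine attribute, which Gatekeeper keys on, does not stop Script Editor from running a downloaded .scpt. One defender-side response is to hunt for exactly that combination: downloaded script files that still carry the attribute. The following is an added example, not Jamf's or the Maccy project's code. It assumes a file inventory with each file's quarantine value was collected separately (for instance with `xattr -p com.apple.quarantine <file>`); the records below are constructed sample data, and the parsing relies on the attribute's documented `flags;timestamp;agent;uuid` layout.

```python
"""Hunt for quarantined files that Script Editor will run regardless.

Added example (not from the article or from Jamf/Maccy). Input records are
constructed; the quarantine value format is flags (hex) ; download time
(hex seconds since the Unix epoch) ; agent that wrote the attribute ; UUID.
"""
from datetime import datetime, timezone

# File types Script Editor opens and runs directly, quarantine or not.
SCRIPT_EDITOR_EXTS = (".scpt", ".scptd", ".applescript")


def parse_quarantine(value):
    """Split a com.apple.quarantine value into its fields.

    Returns a dict with flags, download time (UTC), agent and uuid, or None
    when the value does not have at least the first three fields or the
    numeric fields are not valid hex.
    """
    parts = value.split(";")
    if len(parts) < 3:
        return None
    try:
        flags = int(parts[0], 16)
        when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    except ValueError:
        return None
    return {
        "flags": flags,
        "downloaded": when,
        "agent": parts[2],
        "uuid": parts[3] if len(parts) > 3 else "",
    }


def flag_records(records):
    """Return the quarantined files whose extension Script Editor would run."""
    hits = []
    for rec in records:
        raw = rec.get("quarantine") or ""
        info = parse_quarantine(raw)
        if info is None:
            continue  # no attribute, or an unparsable one: nothing to key on
        if rec["path"].lower().endswith(SCRIPT_EDITOR_EXTS):
            hits.append({
                "path": rec["path"],
                "agent": info["agent"],
                "downloaded": info["downloaded"].isoformat(),
            })
    return hits


# Constructed sample inventory; paths, timestamps and UUID are made up.
SAMPLE_RECORDS = [
    {"path": "/Volumes/Maccy/Maccy.scpt",
     "quarantine": "0083;68000000;Safari;0000AAAA-0000-0000-0000-000000000000"},
    {"path": "/Users/alice/Downloads/report.pdf",
     "quarantine": "0083;68000000;Safari;0000BBBB-0000-0000-0000-000000000000"},
    {"path": "/Users/alice/Desktop/notes.applescript", "quarantine": ""},
    {"path": "/Users/alice/Downloads/odd.scpt", "quarantine": "not-an-attribute"},
]


if __name__ == "__main__":
    for hit in flag_records(SAMPLE_RECORDS):
        print(f"{hit['path']}: downloaded {hit['downloaded']} via {hit['agent']}")
```

A hit here is a hunting lead, not a verdict: a legitimately downloaded script looks the same. The value of the check is that it surfaces the artefact class the article describes before a user is talked into pressing ⌘ + R.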
The AppleScript dropper incorporates environment-aware features that allow the execution to continue only after fingerprinting the host and determining it’s running on Apple Silicon. It does this by deriving a key based on the fingerprint, which includes details like the CPU architecture, locale, keyboard layout, and the time zone, and then using it to unlock an encrypted configuration that contains the payload URL and install path.
On Intel-based Macs, the derived decryption key differs and fails to decode the configuration, resulting in the termination of the dropper. The script also avoids execution within sandboxed or analysis environments, as well as systems whose time zone, system locale, and keyboard input resolve to countries located in Eastern Europe, such as Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia.
Once the checks pass, the script reaches out to the external server and downloads a Mach-O binary written in Rust that masquerades as the Finder app and is responsible for harvesting data from web browsers, cryptocurrency wallet extensions, iCloud Keychain, and clipboard content. The captured information is then encrypted and exfiltrated to attacker-controlled infrastructure (“avenger-sync[.]live”) over an outbound HTTP request.
Besides coercing the user into granting it full file system access, the stealer serves a native password prompt that collects the victim’s system password, and then validates the entered password by cross-checking it via the PAM API. If the validation fails, it asks the user to re-enter the password, and repeats the loop until the correct password is supplied.
“Once a valid password is captured, the stealer shows a second, counterfeit alert: ‘Maccy is damaged and can’t be opened. You should move it to the Trash,’ a close copy of the genuine Gatekeeper message,” Jamf said. “This is a decoy. By the time it appears, the payload has already run, captured the password and registered for persistence, so the message serves only to make the victim discard the lure and assume the download was broken.”
Also built into the Rust binary is a small arm64 Mach-O that impersonates macOS System Settings and is used for setting up persistence.
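Two of the behaviours reported above are directly checkable in endpoint telemetry: a process presenting itself as Finder or System Settings but not running from the system's own executable path, and outbound connections to the reported infrastructure. The following triage routine is an added example, not Jamf's tooling. The event schema and the sample events are constructed; the genuine Finder and System Settings paths are the standard macOS locations, and the domain list is exactly the defanged domains quoted in this article.

```python
"""Triage constructed endpoint events for the masquerade and egress tells
the article reports. Added example; event format and samples are made up.
A path mismatch is a heuristic: checking the code-signing identity would be
stronger, but that signal is not modelled here.
"""

# Where the real binaries live on macOS. Anything else using these names
# deserves a look.
GENUINE_PATHS = {
    "Finder": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
    "System Settings": "/System/Applications/System Settings.app/Contents/MacOS/System Settings",
}

# Domains quoted in the article, kept defanged as the article writes them.
IOC_DOMAINS_DEFANGED = ["avenger-sync[.]live", "maccyapp[.]com", "maccyapp[.]net"]


def refang(domain):
    """Turn a defanged 'example[.]com' into a comparable lowercase hostname."""
    return domain.replace("[.]", ".").strip().lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def check_process(event):
    """Flag a process whose name matches a system app but whose path does not."""
    genuine = GENUINE_PATHS.get(event["name"])
    if genuine and event["path"] != genuine:
        return f"process '{event['name']}' running from non-system path {event['path']}"
    return None


def check_network(event):
    """Flag a connection to a reported domain or any of its subdomains."""
    host = refang(event["host"])
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return f"connection to reported domain {host} (port {event['port']})"
    return None


def triage(events):
    """Run every event through the matching check; return (pid, finding) pairs."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            msg = check_process(ev)
        elif ev["kind"] == "network":
            msg = check_network(ev)
        else:
            msg = None
        if msg:
            findings.append((ev["pid"], msg))
    return findings


# Constructed sample telemetry: one genuine Finder, one impostor Finder
# (path made up), one impostor System Settings (path made up), one
# connection to the reported exfiltration host and one benign connection.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 410, "name": "Finder", "path": GENUINE_PATHS["Finder"]},
    {"kind": "process", "pid": 8821, "name": "Finder",
     "path": "/Users/alice/Library/Application Support/Finder"},
    {"kind": "process", "pid": 8830, "name": "System Settings",
     "path": "/private/tmp/System Settings"},
    {"kind": "network", "pid": 8821, "host": "avenger-sync.live", "port": 80},
    {"kind": "network", "pid": 410, "host": "example.com", "port": 443},
]


if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

Correlating the findings by PID is the useful next step: in the sample, the impostor Finder (pid 8821) is also the process making the plain-HTTP connection to the reported domain, which is the pairing the article describes.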
The development has prompted Alex Rodionov, the developer of Maccy, to include a warning on their website and the GitHub repository, stating, “Beware of fake websites impersonating Maccy. Malicious sites (such as maccyapp[.]net and maccyapp[.]com) distribute malware disguised as Maccy. maccy.app is the only official website.”
“Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features,” Jamf said.