Cybersecurity researchers at Jamf Threat Labs have discovered a new macOS information stealer named PamStealer that uses sophisticated techniques to infect systems and steal sensitive data. The malware is distributed as a compiled AppleScript (.scpt) file impersonating Maccy, a legitimate open-source clipboard manager.
PamStealer is delivered in two stages: a compiled AppleScript inside a disk image that downloads a follow-on payload, and a Rust-based infostealer capable of credential theft, browser data collection, persistence, and exfiltration. The initial access vector is a lookalike site (maccyapp[.]com) mimicking the official Maccy site (maccy[.]app).
The AppleScript dropper includes environment-aware features that only execute on Apple Silicon Macs, avoiding sandboxed or analysis environments and systems in Eastern European countries. It uses a derived key based on CPU architecture, locale, keyboard layout, and time zone to decrypt the payload configuration.
Once executed, the Rust-based binary masquerades as the Finder app and harvests data from web browsers, cryptocurrency wallet extensions, iCloud Keychain, and clipboard content. The stealer also displays a native-looking password prompt and validates the entered password through the macOS Pluggable Authentication Modules (PAM) API, re-prompting until the correct password is supplied.
After capturing the password, the malware displays a fake Gatekeeper message claiming Maccy is damaged; this serves as a decoy, since by then the payload has already run and established persistence. The captured data is encrypted and exfiltrated to attacker-controlled infrastructure (avenger-sync[.]live).
Alex Rodionov, the developer of Maccy, has added warnings on the official website and GitHub repository about fake sites distributing malware. This campaign demonstrates how commodity macOS stealers continue to evolve with quieter execution chains and native implementations that reduce traditional detection opportunities.
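As an added defender-side example (not Jamf Threat Labs' code or anything from the report), the following Python hunts a constructed telemetry sample for three behaviours the write-up describes: a process named Finder running outside the system bundle, osascript executing a .scpt from a mounted disk image, and DNS lookups of the campaign's domains. The event field names and the legitimate Finder path are assumptions.

```python
"""Hunting helpers for the PamStealer tradecraft described above (added
example, not Jamf's tooling). Event records are a constructed, simplified
telemetry shape; real EDR/unified-log field names will differ."""
import re

# Indicators from the report (defanging brackets removed for matching).
KNOWN_DOMAINS = {"maccyapp.com", "avenger-sync.live"}
# Assumed legitimate Finder executable path on a stock macOS install.
LEGIT_FINDER = "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"


def finder_masquerade(proc):
    """Process calls itself Finder but does not run from the system bundle."""
    return proc["name"] == "Finder" and proc.get("path") != LEGIT_FINDER


def scpt_from_dmg(proc):
    """osascript executing a compiled AppleScript from a mounted disk image."""
    return proc["name"] == "osascript" and re.search(
        r"^/Volumes/[^/]+/.*\.scpt$", proc.get("arg", "")) is not None


def suspicious_dns(query):
    """DNS lookup of a domain (or subdomain) from the report's infrastructure."""
    q = query["qname"].lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in KNOWN_DOMAINS)


def hunt(events):
    """Return (event_index, rule_name) pairs for every matching event."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            if finder_masquerade(ev):
                hits.append((i, "finder_masquerade"))
            if scpt_from_dmg(ev):
                hits.append((i, "scpt_from_dmg"))
        elif ev["type"] == "dns" and suspicious_dns(ev):
            hits.append((i, "suspicious_dns"))
    return hits


# Constructed sample telemetry mixing benign and suspicious events.
SAMPLE_EVENTS = [
    {"type": "process", "name": "Finder", "path": LEGIT_FINDER},
    {"type": "process", "name": "osascript", "arg": "/Volumes/Maccy/Maccy.scpt"},
    {"type": "process", "name": "Finder", "path": "/Users/u/Library/Caches/Finder"},
    {"type": "dns", "qname": "maccy.app"},
    {"type": "dns", "qname": "api.avenger-sync.live."},
]
```

Calling `hunt(SAMPLE_EVENTS)` flags events 1, 2 and 4 while leaving the legitimate Finder process and the real maccy.app lookup untouched.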
CVEs: CVE-2026-55200, CVE-2026-46817
Malware: PamStealer
Companies: Jamf Threat Labs
Products: Maccy
Original source: thehackernews.com