Jamf Threat Labs uncovers PamStealer, a two-stage macOS infostealer by impersonating the Maccy clipboard app to deliver a Rust-based payload that steals data and validates passwords via PAM.
www.jamf.com
Jamf Threat Labs investigates PamStealer, a macOS infostealer disguised as the legitimate Maccy clipboard manager that uses a two-stage attack chain to silently harvest data and clipboard contents while evading detection.
Introduction
While reviewing results from our sample pipeline, Jamf Threat Labs identified a macOS infostealer distributed as a compiled AppleScript (.scpt) file impersonating “Maccy,” a legitimate open-source clipboard manager. We are tracking this malware under the name
PamStealer after one of its core behaviors: validating the victim’s login password through the macOS Pluggable Authentication Modules (PAM) before harvesting it.
PamStealer is delivered in two stages. The first is a compiled AppleScript distributed inside a disk image that downloads and stages a second-stage payload. The second is a Rust-based Mach-O infostealer responsible for credential theft, browser data collection, persistence and exfiltration. The dropper is hosted on the fake domain
maccyapp[.]com, which impersonates the legitimate Maccy project.