PamStealer: macOS Infostealer Distributed via Fake Maccy Sites Using PAM Password Validation — Threadlinqs Intelligence
Threat ID: TL-2026-1100 · Severity: HIGH · Status: ACTIVE · Category: MALWARE
Jamf Threat Labs identified PamStealer, a two-stage macOS infostealer distributed via the lookalike domain maccyapp[.]com impersonating the legitimate Maccy clipboard manager. A compiled AppleScript
PamStealer is a two-stage macOS credential- and cryptocurrency-theft campaign discovered by Jamf Threat Labs and corroborated by The Hacker News and multiple security outlets on 2026-07-02/03. Victims are lured to the typosquat domain maccyapp[.]com, a lookalike of the legitimate open-source clipboard manager maccy.app, and served a disk image containing a compiled AppleScript file (Maccy.scpt). Homoglyph (Greek/Cyrillic lookalike) characters are used within the on-disk 'Maccy' branding text to evade simple string-matching detection, and the victim is socially engineered to open the file in Script Editor and press Command+R to execute it.
Stage 1 is a compiled AppleScript wrapper around obfuscated JavaScript for Automation (JXA). Rather than shelling out to curl or other command-line utilities, it uses NSURLSession to download the second-stage payload, reducing the process-based telemetry defenders typically monitor. Before staging the payload it performs host-fingerprint-based encryption key derivation from CPU architecture, locale, keyboard layout, and timezone, runs anti-debugging checks and SIP status inspection, and aborts entirely on hosts whose locale, timezone, or keyboard layout indicates Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, or Georgia. The staged payload is placed inside a masqueraded system app bundle at ~/Library/Application Support/com.apple.finder.core/Finder.app and given ad-hoc code signing (codesign -fs - --deep) rather than a Developer ID signature, satisfying Gatekeeper without needing a legitimate certificate.
Stage 2 is a stripped arm64-only Mach-O binary written in Rust -- an unusual implementation language for macOS stealers, which more commonly use Swift, Go, or Objective-C. Configuration keys fail to decrypt on Intel (x86_64) hardware, causing silent termination and effectively restricting the payload to Apple Silicon. Most strings are decrypted only at runtime to blunt static analysis. The binary bundles SQLite for direct database access to browser credential, cookie, and wallet-extension stores, and loads Security.framework dynamically at runtime (rather than linking it statically) to query the macOS Keychain -- keeping that capability off the binary's static import table. Clipboard contents are harvested by spawning the pbpaste utility from the masqueraded Finder process at irregular 10-90 second intervals.
The defining behavior that gives the malware its name is its password-validation routine: before treasuring a captured login password, PamStealer displays a native NSAlert with a secure text field styled to resemble a system authorization prompt ('Maccy wants to make changes. Enter your password to allow this', with the account name pre-filled), and validates whatever the victim types entirely through the local PAM API (pam_start, pam_authenticate, pam_end) -- with no external process spawned (no dscl, security, or osascript) and no network callout. If validation fails it re-prompts until the correct password is entered, guaranteeing that only a verified, working credential is exfiltrated.
Persistence uses the modern SMAppService API for login-item registration, with a legacy fallback: a 34 KB arm64 helper binary written to /private/tmp/System Settings that uses LSSharedFileListInsertItemURL against kLSSharedFileListSessionLoginItems to add the malicious bundle to login items directly. Separately, to gain the Full Disk Access needed for broader data collection, the malware displays a counterfeit system alert styled with the Finder icon claiming 'Finder' has lost access to protected data -- deliberately delayed 10 to 40 minutes after initial launch to break the temporal link to execution. Clicking 'Open Settings' takes the user directly to the Full Disk Access pane in System Settings, where the malicious bundle appears under the legitimate-looking name 'Finder.' This is purely a social-engineering TCC-permission grab; Jamf
Target sectors: consumer, cryptocurrency, individual-users, technology
Target regions: Global (excludes Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia via built-in exclusion checks)
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 30 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans.
MALWARE, HIGH, threat intelligence, cybersecurity, T1583, T1583, T1587, T1608, T1189, T1204, T1059, T1059, T1547, T1140