PamStealer Targets macOS Users via Fake Maccy Sites

Cybersecurity researchers have identified a new macOS information stealer, dubbed PamStealer, that employs sophisticated techniques to infiltrate systems and extract sensitive data. This malware masquerades as Maccy, a legitimate open-source clipboard manager, and utilizes macOS’s Pluggable Authentication Modules (PAM) to validate and capture users’ login credentials.

The attack begins with a deceptive website, “maccyapp[.]com,” designed to mimic the authentic Maccy site, “maccy[.]app.” Unsuspecting users who download the application from this fraudulent site receive a disk image containing a compiled AppleScript file named “Maccy.scpt.” This script acts as a downloader, fetching and executing a secondary payload.

Upon execution, the AppleScript displays instructions prompting users to run it using the “⌘ + R” keyboard shortcut or by clicking the Run button in the Script Editor. This action triggers the hidden malicious code embedded within the script. Notably, this method bypasses macOS’s Gatekeeper and Terminal protections, even when the file retains the com.apple.quarantine attribute.

The script incorporates environment-aware features, ensuring execution only on Apple Silicon devices. It derives a decryption key based on system attributes such as CPU architecture, locale, keyboard layout, and time zone. If the system doesn’t match these criteria, particularly if it’s an Intel-based Mac or located in certain Eastern European countries, the script terminates, avoiding execution in sandboxed or analysis environments.

Once the checks are satisfied, the script downloads a Rust-based Mach-O binary disguised as the Finder app. This secondary payload is capable of harvesting data from web browsers, cryptocurrency wallet extensions, iCloud Keychain, and clipboard content. The collected information is encrypted and transmitted to attacker-controlled servers over HTTP.
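As an added illustration from the defender's side (not code from the article or from any vendor), the following Python triage rules turn the chain just described into checks over simplified, constructed endpoint telemetry: a download originating from the look-alike site, the Maccy.scpt dropper sitting on a mounted disk image, and a process named Finder running from anywhere other than the system Finder bundle. The event format, field names and sample paths are assumptions made for the example.

```python
# Added triage rules for the PamStealer delivery chain (constructed telemetry, not vendor code).
from urllib.parse import urlparse

# Indicators named in the article; the look-alike host is refanged for matching.
FAKE_MACCY_HOSTS = {"maccyapp.com"}
DROPPER_NAME = "Maccy.scpt"
# The genuine Finder runs from this bundle; a "Finder" process elsewhere is suspect.
REAL_FINDER_PREFIX = "/System/Library/CoreServices/Finder.app/"

def check_download(ev):
    """Flag a download whose origin is the look-alike Maccy site."""
    host = urlparse(ev["origin_url"]).hostname or ""
    if host in FAKE_MACCY_HOSTS:
        return f"download from look-alike Maccy site {host}: {ev['path']}"
    return None

def check_file(ev):
    """Flag a compiled AppleScript named Maccy.scpt on a mounted disk image."""
    path = ev["path"]
    if path.startswith("/Volumes/") and path.endswith("/" + DROPPER_NAME):
        return f"AppleScript dropper on mounted image: {path}"
    return None

def check_process(ev):
    """Flag a process calling itself Finder but not running from the system bundle."""
    if ev["name"] == "Finder" and not ev["exe"].startswith(REAL_FINDER_PREFIX):
        return f"process named Finder outside system bundle: {ev['exe']}"
    return None

RULES = {"download": check_download, "file": check_file, "process": check_process}

def triage(events):
    """Run each event through the rule for its type and return the alerts."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev["type"])
        hit = rule(ev) if rule else None
        if hit:
            alerts.append(hit)
    return alerts

# Constructed sample telemetry: the genuine site and Finder are benign; the
# look-alike download, the .scpt on the DMG and the stray "Finder" should alert.
SAMPLE_EVENTS = [
    {"type": "download", "origin_url": "https://maccy.app/", "path": "/Users/u/Downloads/Maccy.dmg"},
    {"type": "download", "origin_url": "https://maccyapp.com/dl", "path": "/Users/u/Downloads/Maccy.dmg"},
    {"type": "file", "path": "/Volumes/Maccy/Maccy.scpt"},
    {"type": "process", "name": "Finder", "exe": REAL_FINDER_PREFIX + "Contents/MacOS/Finder"},
    {"type": "process", "name": "Finder", "exe": "/Users/u/Library/Caches/Finder"},  # placeholder path
]
```

Running `triage(SAMPLE_EVENTS)` yields three alerts, one per malicious record, and none for the genuine site or the real Finder.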

To gain full file system access, the stealer presents a native password prompt to the user. It captures the entered system password and validates it using the PAM API. If the validation fails, the prompt reappears until the correct password is provided, ensuring the malware obtains valid credentials.

This incident underscores the evolving sophistication of macOS-targeted malware. Users are advised to download software exclusively from official sources and remain vigilant against deceptive prompts and websites. Regular system updates and the use of reputable security software can further mitigate such threats.