PamStealer Malware Targets macOS Users With Password Verification Before Data Theft

AppleInsider

Security researchers at Jamf Threat Labs have uncovered PamStealer, a new macOS infostealer that validates login passwords before exfiltrating sensitive data. Unlike typical infostealers that capture whatever credentials a victim types, PamStealer confirms that a password actually works by checking it through Apple's Pluggable Authentication Modules (PAM), so attackers receive verified accounts they can use immediately.

The campaign begins on a fake website mimicking the legitimate Maccy clipboard manager. Victims download what appears to be Maccy but receive a malicious AppleScript application that deploys a second-stage Rust payload. PamStealer checks system characteristics, keyboard layout, and regional settings before execution, suggesting targeted deployment rather than widespread infection.

PamStealer collects browser cookies, history, saved credentials, SQLite databases, clipboard contents, and cryptocurrency wallet data. It encrypts stolen information before transmission and establishes persistence through login items. The malware impersonates Finder to trick users into granting Full Disk Access, significantly expanding its reach within compromised systems.
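The Full Disk Access grant mentioned above is recorded in the system TCC database, so one defensive check is to audit which clients hold that permission and flag any not on an expected list. The following is an added example, not code from Jamf or the article; it assumes a simplified subset of the TCC `access` table schema (the real table has more columns) and uses constructed sample rows instead of a real `TCC.db`.

```python
import sqlite3
from typing import Iterable

# Service name TCC uses for Full Disk Access.
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"
# On macOS 11 and later, auth_value 2 means "allowed" (0 is denied).
AUTH_ALLOWED = 2

# Assumption: a cut-down version of the real "access" table, keeping only
# the columns this audit needs.
SCHEMA = """
CREATE TABLE access (
    service       TEXT    NOT NULL,
    client        TEXT    NOT NULL,
    client_type   INTEGER NOT NULL,
    auth_value    INTEGER NOT NULL,
    last_modified INTEGER NOT NULL
);
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample rows standing in for a real TCC.db; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [
        (FDA_SERVICE, "com.apple.Terminal", 0, AUTH_ALLOWED, 1700000000),
        (FDA_SERVICE, "com.example.backup-agent", 0, AUTH_ALLOWED, 1700000500),
        # Constructed: a look-alike app that was granted FDA via an unexpected prompt.
        (FDA_SERVICE, "com.example.maccy-lookalike", 0, AUTH_ALLOWED, 1700003000),
        (FDA_SERVICE, "com.example.denied-app", 0, 0, 1700001000),
        ("kTCCServiceCamera", "com.example.videochat", 0, AUTH_ALLOWED, 1700002000),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def fda_grants(conn: sqlite3.Connection) -> list[tuple[str, int]]:
    """Return (client, last_modified) for every client currently allowed Full Disk Access."""
    cur = conn.execute(
        "SELECT client, last_modified FROM access "
        "WHERE service = ? AND auth_value = ? ORDER BY last_modified",
        (FDA_SERVICE, AUTH_ALLOWED),
    )
    return cur.fetchall()


def unexpected_fda(conn: sqlite3.Connection, allowlist: Iterable[str]) -> list[str]:
    """Clients holding Full Disk Access that are not on the expected allowlist."""
    expected = set(allowlist)
    return [client for client, _ in fda_grants(conn) if client not in expected]


if __name__ == "__main__":
    db = build_sample_db()
    for client in unexpected_fda(db, ["com.apple.Terminal", "com.example.backup-agent"]):
        print("unexpected Full Disk Access grant:", client)
```

On a real Mac the same query can be run against the system TCC database by an administrator; the newest `last_modified` entries are the ones worth correlating with recent, unexplained permission prompts.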

Because it is written primarily in Rust, PamStealer is harder to reverse engineer than typical AppleScript-based macOS malware. The attack abuses legitimate macOS frameworks rather than exploiting unknown vulnerabilities. Jamf recommends downloading software only from trusted sources and scrutinizing unexpected administrator password prompts to avoid infection.