Apple: PamStealer macOS Infostealer Uses PAM API to Verify Stolen Passwords

PamStealer: A Novel macOS Info-Stealer Targeting Apple Silicon Users

Researchers at Jamf Threat Labs have uncovered PamStealer, a newly identified macOS information stealer that employs a unique credential-verification technique to ensure attackers receive only validated login passwords. The malware spreads via a fake website impersonating Maccy, a legitimate open-source clipboard manager, and specifically targets Apple Silicon Mac users.

Infection Chain & Technical Sophistication

The attack begins at maccyapp[.]com, a spoofed domain mimicking the official Maccy site (maccy[.]app). Victims who download the malicious disk image receive a compiled AppleScript file disguised as the clipboard tool. This first stage fingerprints the host, collecting CPU architecture, locale, and timezone, and only Apple Silicon machines that meet the attackers' predefined criteria are served the second stage. Hosts that fail the check receive nothing, which limits the payload's exposure to sandboxes and analysts.

Stage two delivers a Rust-based infostealer, chosen for its ability to evade static analysis tools optimized for Objective-C and Swift binaries. The payload harvests browser passwords, cookies, autofill data, cryptocurrency wallet files, and system configuration details before exfiltrating them to attacker-controlled infrastructure.

PAM API Verification: A First for macOS Stealers

PamStealer's defining feature is its use of macOS's Pluggable Authentication Modules (PAM) API to validate stolen credentials. After prompting the victim for the login password through a dialog styled to look like a system authorization request ("Maccy wants to make changes"), the malware checks the entered value locally with pam_authenticate. Only passwords that pass this check are transmitted, so attackers receive confirmed working credentials, unlike conventional credential-phishing dialogs, which also capture typos and wrong entries.
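To make the verification step concrete, here is an added example (not code from Jamf's report or from PamStealer) of a local password check through the PAM conversation API, written in Python with ctypes so it runs unchanged against libpam on macOS (OpenPAM) or Linux-PAM. The call sequence is the same one a legitimate local authenticator would make; the service name "login" and the prompt-handling policy (answer only hidden-input prompts, with the supplied password) are assumptions of this example.

```python
import ctypes
import ctypes.util
import getpass
import sys

# Return code and message-style constants shared by Linux-PAM and macOS OpenPAM.
PAM_SUCCESS = 0
PAM_BUF_ERR = 5
PAM_PROMPT_ECHO_OFF = 1   # hidden-input prompt: this is where the password goes
PAM_PROMPT_ECHO_ON = 2
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    # resp is a char* that PAM releases with free(), so it is kept as a raw pointer.
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


CONV_FUNC = ctypes.CFUNCTYPE(
    ctypes.c_int,                                  # return code
    ctypes.c_int,                                  # num_msg
    ctypes.POINTER(ctypes.POINTER(PamMessage)),    # const struct pam_message **msg
    ctypes.POINTER(ctypes.POINTER(PamResponse)),   # struct pam_response **resp
    ctypes.c_void_p,                               # appdata_ptr
)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def answer_prompts(styles, password):
    """Decision logic of the conversation callback (assumed policy): hand the
    password to hidden-input prompts only; info, error and echoed prompts get no answer."""
    return [password if style == PAM_PROMPT_ECHO_OFF else None for style in styles]


def _make_conv(password, libc):
    def conv(num_msg, msgs, resp_out, _appdata):
        # PAM frees the response array and every resp string with free(), so both
        # must come from the C allocator rather than from Python-owned memory.
        block = libc.calloc(num_msg, ctypes.sizeof(PamResponse))
        if not block:
            return PAM_BUF_ERR
        responses = ctypes.cast(block, ctypes.POINTER(PamResponse))
        styles = [msgs[i].contents.msg_style for i in range(num_msg)]
        for i, answer in enumerate(answer_prompts(styles, password)):
            if answer is not None:
                responses[i].resp = libc.strdup(answer.encode())
            responses[i].resp_retcode = 0
        resp_out[0] = responses
        return PAM_SUCCESS
    return CONV_FUNC(conv)


def verify_password(user, password, service="login"):
    """Return (ok, pam_message) for one pam_start/pam_authenticate/pam_end round trip.
    "login" is an assumed service name; any /etc/pam.d entry with an auth stack works."""
    pam_name = ctypes.util.find_library("pam")
    if pam_name is None:
        raise OSError("libpam not found on this host")
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libc.calloc.restype, libc.calloc.argtypes = ctypes.c_void_p, [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.restype, libc.strdup.argtypes = ctypes.c_void_p, [ctypes.c_char_p]

    pam = ctypes.CDLL(pam_name)
    pam.pam_start.restype = ctypes.c_int
    pam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                              ctypes.POINTER(PamConv), ctypes.POINTER(ctypes.c_void_p)]
    pam.pam_authenticate.restype, pam.pam_authenticate.argtypes = ctypes.c_int, [ctypes.c_void_p, ctypes.c_int]
    pam.pam_end.restype, pam.pam_end.argtypes = ctypes.c_int, [ctypes.c_void_p, ctypes.c_int]
    pam.pam_strerror.restype, pam.pam_strerror.argtypes = ctypes.c_char_p, [ctypes.c_void_p, ctypes.c_int]

    callback = _make_conv(password, libc)   # must stay referenced while PAM may call it
    conv = PamConv(callback, None)
    handle = ctypes.c_void_p()
    rc = pam.pam_start(service.encode(), user.encode(), ctypes.byref(conv), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        return False, "pam_start failed with code %d" % rc
    rc = pam.pam_authenticate(handle, 0)
    raw = pam.pam_strerror(handle, rc)
    message = raw.decode(errors="replace") if raw else "code %d" % rc
    pam.pam_end(handle, rc)
    return rc == PAM_SUCCESS, message


if __name__ == "__main__":
    username = sys.argv[1] if len(sys.argv) > 1 else getpass.getuser()
    ok, message = verify_password(username, getpass.getpass("Password for %s: " % username))
    print("valid" if ok else "rejected", "(%s)" % message)
```

Run it as `python3 pam_check.py <user>` and type a password: a correct one returns "valid", a typo returns "rejected" with PAM's own error text, which is exactly the filter the article describes. For defenders the useful observation is the pairing, not the call itself: on macOS the genuine "wants to make changes" prompt is drawn by the system's SecurityAgent on behalf of Authorization Services, not by the requesting application, so an app that renders its own password sheet and then loads libpam or calls pam_authenticate is doing something a clipboard manager has no reason to do.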

Targeted Users & Mitigation

The campaign targets users looking for privacy tools, particularly iCloud+ subscribers who may download software from third-party sources. The legitimate Maccy developer has issued warnings on the official site and on GitHub, confirming maccy[.]app as the sole trusted download source. Users who entered their password into the fake dialog are advised to rotate credentials, revoke browser sessions, and audit cryptocurrency wallets.

Jamf Threat Labs has released indicators of compromise and notes that detection at the AppleScript dropper stage is critical, because the Rust payload is only ever delivered to qualifying hosts. Security teams should monitor for compiled .scpt files in disk images from non-App Store sources and for outbound connections from newly executed Rust binaries.
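The dropper-stage check above comes down to a file-type test that does not trust the file name. Below is an added example (not Jamf's tooling) that scans a mounted disk image, or any folder, for compiled AppleScript by its OSA header "FasdUAS", which every compiled script carries, run-only exports included, and flags the two disguises worth noticing: a compiled script with no .scpt extension, and a script packaged as an applet inside an .app bundle. The sample tree it builds is constructed test data; the hdiutil flags are standard macOS options.

```python
import os
import subprocess
import sys
import tempfile

# Every compiled AppleScript begins with this OSA header, whatever it is named.
COMPILED_APPLESCRIPT_MAGIC = b"FasdUAS"
SCRIPT_EXTENSIONS = (".scpt", ".scptd", ".applescript")


def is_compiled_applescript(path):
    """Magic-byte check; never trust the extension, it can be anything or absent."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(COMPILED_APPLESCRIPT_MAGIC)) == COMPILED_APPLESCRIPT_MAGIC
    except OSError:
        return False


def find_compiled_scripts(root):
    """Return [(path, note)] for every compiled AppleScript under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not is_compiled_applescript(path):
                continue
            notes = []
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                notes.append("compiled AppleScript without a script extension")
            if any(part.endswith(".app") for part in os.path.normpath(path).split(os.sep)):
                notes.append("script packaged as an applet inside an .app bundle")
            findings.append((path, "; ".join(notes) or "compiled AppleScript"))
    return sorted(findings)


def mount_dmg(dmg_path, mountpoint):
    """Attach a disk image read-only and hidden from Finder (macOS only)."""
    subprocess.run(["hdiutil", "attach", "-readonly", "-nobrowse", "-noverify",
                    "-mountpoint", mountpoint, dmg_path], check=True)


def make_sample_tree():
    """Constructed mock of a mounted DMG (test data, not real PamStealer files)."""
    root = tempfile.mkdtemp(prefix="dmg-sample-")
    # Real files start "FasdUAS 1.101.10"; the bytes after that are filler here.
    header = COMPILED_APPLESCRIPT_MAGIC + b" 1.101.10" + b"\x00" * 24
    samples = {
        "Maccy": header,                                              # extensionless dropper
        "Maccy.app/Contents/Resources/Scripts/main.scpt": header,     # applet layout
        "decoy.scpt": b'tell application "Finder" to activate\n',     # text, not compiled
        "README.txt": b"Drag Maccy to Applications\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    mounted = None
    if target.lower().endswith(".dmg"):
        mounted = tempfile.mkdtemp(prefix="dmg-scan-")
        mount_dmg(target, mounted)
        target = mounted
    try:
        for path, note in find_compiled_scripts(target):
            print(path, "->", note)
    finally:
        if mounted:
            subprocess.run(["hdiutil", "detach", mounted], check=False)
```

Point it at a .dmg to mount and scan it, at an already mounted volume such as /Volumes/Maccy, or run it with no argument to scan the constructed sample. The magic-byte approach is preferred over attempting to decompile with osadecompile, because run-only exports keep the header but carry no recoverable source.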

Source: https://dailysecurityreview.com/cyber-security/pamstealer-macos-infostealer-uses-pam-api-to-verify-stolen-passwords/

Apple TPRM report: https://www.rankiteo.com/company/appleinsider

{
  "id": "app1783088630",
  "linkid": "appleinsider",
  "type": "Cyber Attack",
  "date": "7/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "Users of Apple Silicon Macs seeking privacy tools",
      "industry": "Technology",
      "name": "Maccy (legitimate open-source clipboard manager)",
      "type": "Software Tool"
    }
  ],
  "attack_vector": "Malicious Website (Typosquatting)",
  "customer_advisories": "Users advised to rotate credentials, revoke browser sessions, and audit wallets",
  "data_breach": {
    "data_exfiltration": "Yes (to attacker-controlled infrastructure)",
    "personally_identifiable_information": "Yes (login passwords, browser data)",
    "sensitivity_of_data": "High (PII, credentials, financial data)",
    "type_of_data_compromised": [
      "Browser passwords",
      "Cookies",
      "Autofill data",
      "Cryptocurrency wallet files",
      "System configuration details"
    ]
  },
  "description": "Researchers at Jamf Threat Labs have uncovered PamStealer, a newly identified macOS information stealer that employs a unique credential-verification technique using macOS's Pluggable Authentication Modules (PAM) API to ensure attackers receive only validated login passwords. The malware spreads via a fake website impersonating Maccy, a legitimate open-source clipboard manager, and specifically targets Apple Silicon Mac users.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage to Maccy (legitimate tool impersonated)",
    "data_compromised": "Browser passwords, cookies, autofill data, cryptocurrency wallet files, system configuration details",
    "identity_theft_risk": "High (PII and credentials compromised)",
    "systems_affected": "macOS (Apple Silicon devices)"
  },
  "initial_access_broker": {
    "entry_point": "Fake website (maccyapp[.]com)",
    "high_value_targets": "Apple Silicon Mac users"
  },
  "investigation_status": "Ongoing (IOCs released)",
  "lessons_learned": "Importance of verifying software download sources, risks of third-party tools, and the sophistication of macOS-targeted malware. Detection at the AppleScript dropper stage is critical.",
  "motivation": "Data Theft, Credential Harvesting",
  "post_incident_analysis": {
    "corrective_actions": "Enhanced monitoring for Rust-based payloads, user education on software authenticity",
    "root_causes": "Typosquatting, fake software distribution, PAM API abuse for credential validation"
  },
  "recommendations": [
    "Rotate credentials if exposed to the fake dialog",
    "Revoke browser sessions",
    "Audit cryptocurrency wallets",
    "Download software only from official sources",
    "Monitor for compiled .scpt files and Rust binaries",
    "Educate users on typosquatting risks"
  ],
  "references": [
    {"source": "Jamf Threat Labs"}
  ],
  "response": {
    "communication_strategy": "Legitimate Maccy developer issued warnings on official site and GitHub",
    "enhanced_monitoring": "Monitor for compiled .scpt files in disk images and outbound connections from Rust binaries",
    "remediation_measures": "Users advised to rotate credentials, revoke browser sessions, and audit cryptocurrency wallets",
    "third_party_assistance": "Jamf Threat Labs (research and IOC release)"
  },
  "stakeholder_advisories": "Legitimate Maccy developer warnings on official site and GitHub",
  "title": "PamStealer: A Novel macOS Info-Stealer Targeting Apple Silicon Users",
  "type": "Information Stealer"
}