Maccy: PamStealer macOS Infostealer Uses Rust Payload to Validate and Steal Passwords


New macOS Infostealer "PamStealer" Targets Users via Fake Maccy App

Researchers at Jamf Threat Labs have uncovered a sophisticated macOS infostealer, PamStealer, which masquerades as the legitimate open-source clipboard manager Maccy to steal credentials, browser data, and clipboard contents. The malware employs a two-stage attack chain, leveraging AppleScript, JavaScript for Automation (JXA), and a Rust-based payload to evade detection.

PamStealer spreads via a typosquatting domain (maccyapp[.]com), delivering a malicious disk image containing a compiled AppleScript file (Maccy.scpt). The lure uses homoglyphs (Cyrillic and Greek characters that resemble Latin letters) to appear authentic while bypassing basic string-matching defenses. Victims are tricked into executing the script by pressing Command+R, which triggers the embedded JXA downloader.

The malware performs device fingerprinting to generate an encryption key, checking CPU architecture, locale, keyboard layout, and time zone. It aborts execution on Intel Macs and systems with CIS-region settings (Russian, Belarusian, or Kazakh locales), suggesting the operators’ likely origin. If checks pass, it fetches a second-stage Rust-based Mach-O binary disguised as Finder.app or Software Update.app, using native macOS APIs to avoid command-line tools like curl.

PamStealer extracts credentials from browser and crypto-wallet databases via SQLite calls, accesses Keychain data dynamically through Security.framework, and captures clipboard contents using pbpaste. It employs a fake system dialog to prompt users for passwords, validating them in real time via pam_authenticate, a technique that avoids typical shell-based verification methods.

For persistence, the malware uses both the SMAppService API and a legacy login item helper binary, ensuring redundant footholds. It later attempts to gain Full Disk Access via a delayed, counterfeit system alert, timed to appear up to 40 minutes post-infection to avoid suspicion.

Stolen data is exfiltrated to avenger-sync[.]live/api/sync using ChaCha20-Poly1305 encryption with runtime-generated keys. Analysis revealed connections to Ethereum RPC endpoints, hinting at potential wallet reconnaissance or resilient command-and-control infrastructure.

Key indicators include the typosquatting domain (maccyapp[.]com), the C2 domain (avenger-sync[.]live), and the fake Finder.app bundle used for the second-stage payload. The malware’s use of Rust and native macOS APIs marks a departure from more common macOS stealer languages like Swift or Go.
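Two of the defensive hooks in this report are mechanical enough to automate: the indicator domains listed above, and the mixed-script homoglyph trick described for the lure. The checker below is an added example, not code from the cyberpress article or from Jamf Threat Labs; it runs both checks over a constructed DNS-query log. The log line format, the `query` keyword, and the Cyrillic-substituted hostname are assumptions made for the example.

```python
"""
Added example (not from the Jamf Threat Labs or cyberpress write-ups): scan
DNS-style log lines and flag
  (a) lookups of the indicator domains quoted in the report, and
  (b) hostnames that mix Latin with Cyrillic or Greek letters, the homoglyph
      trick the PamStealer lure relies on.
Everything about the log format here is constructed for illustration.
"""
import re
import unicodedata

# Indicator domains from the report, kept defanged exactly as the report writes them.
DEFANGED_IOCS = ["maccyapp[.]com", "avenger-sync[.]live"]


def refang(domain: str) -> str:
    """Turn 'example[.]com' back into 'example.com' so it can match real log data."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

# Constructed homoglyph hostname: the second character is Cyrillic 'а' (U+0430), not Latin 'a'.
HOMOGLYPH_HOST = "m\u0430ccyapp.com"
# The same name as a resolver would log it, in punycode (computed, not copied from the report).
PUNYCODE_HOST = HOMOGLYPH_HOST.encode("idna").decode("ascii")

# Constructed sample log in a hypothetical "<timestamp> <client> query <name>" format.
SAMPLE_LOG = "\n".join([
    "2026-07-01T10:00:01Z 10.0.0.12 query github.com",
    "2026-07-01T10:00:05Z 10.0.0.12 query maccyapp.com",
    "2026-07-01T10:40:00Z 10.0.0.12 query avenger-sync.live",
    f"2026-07-01T10:41:00Z 10.0.0.19 query {PUNYCODE_HOST}",
    "2026-07-01T10:42:00Z 10.0.0.19 query example.org",
])


def to_unicode(hostname: str) -> str:
    """Decode punycode labels (xn--...) so the script check sees the real letters."""
    labels = []
    for label in hostname.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep it as-is, it is still safe to inspect
        labels.append(label)
    return ".".join(labels)


def letter_scripts(label: str) -> set:
    """Set of Unicode scripts used by the letters in a label (LATIN, CYRILLIC, GREEK, ...).

    Unicode character names begin with the script, e.g. 'CYRILLIC SMALL LETTER A'.
    """
    return {
        unicodedata.name(ch, "UNKNOWN").split(" ")[0]
        for ch in label
        if ch.isalpha()
    }


def is_mixed_script(hostname: str) -> bool:
    """True if any label combines Latin letters with Cyrillic or Greek ones."""
    for label in to_unicode(hostname).split("."):
        scripts = letter_scripts(label)
        if "LATIN" in scripts and scripts & {"CYRILLIC", "GREEK"}:
            return True
    return False


def is_known_ioc(hostname: str) -> bool:
    """True for an indicator domain or any subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_DOMAINS)


def scan_log(text: str) -> list:
    """Return (line_number, hostname, reason) for every suspicious query in the log."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        match = re.search(r"\bquery\s+(\S+)", line)
        if not match:
            continue
        host = match.group(1)
        if is_known_ioc(host):
            hits.append((number, host, "known PamStealer indicator"))
        elif is_mixed_script(host):
            hits.append((number, host, "mixed-script hostname (possible homoglyph)"))
    return hits


if __name__ == "__main__":
    for number, host, reason in scan_log(SAMPLE_LOG):
        print(f"line {number}: {host}: {reason}")
```

The indicator match treats subdomains as hits because infostealer C2 rarely sits at the apex; the homoglyph check deliberately decodes punycode first, since a resolver log shows `xn--` labels rather than the Cyrillic letters a user sees in the lure.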

Source: https://cyberpress.org/pamstealer-macos-infostealer/

Maccy TPRM report: https://www.rankiteo.com/company/thehackernews

"id": "the1783081538",
"linkid": "thehackernews",
"type": "Cyber Attack",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'location': 'Global (excluding CIS regions: Russia, '
                                    'Belarus, Kazakhstan)',
                        'type': 'Individual users, potential organizations'}],
 'attack_vector': 'Typosquatting domain, malicious disk image (DMG), social '
                  'engineering (fake app lure)',
 'data_breach': {'data_encryption': 'ChaCha20-Poly1305 encryption with '
                                    'runtime-generated keys',
                 'data_exfiltration': 'Yes (to avenger-sync[.]live/api/sync)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Credentials',
                                              'Browser data',
                                              'Clipboard contents',
                                              'Keychain data',
                                              'Crypto-wallet databases']},
 'description': 'Researchers at Jamf Threat Labs have uncovered a '
                'sophisticated macOS infostealer, PamStealer, which '
                'masquerades as the legitimate open-source clipboard manager '
                'Maccy to steal credentials, browser data, and clipboard '
                'contents. The malware employs a two-stage attack chain, '
                'leveraging AppleScript, JavaScript for Automation (JXA), and '
                'a Rust-based payload to evade detection.',
 'impact': {'data_compromised': 'Credentials, browser data, clipboard '
                                'contents, Keychain data, crypto-wallet '
                                'databases, personally identifiable '
                                'information',
            'identity_theft_risk': 'High',
            'payment_information_risk': 'High',
            'systems_affected': 'macOS systems (specifically non-Intel, '
                                'non-CIS region)'},
 'initial_access_broker': {'backdoors_established': 'SMAppService API, legacy '
                                                    'login item helper binary',
                           'entry_point': 'Typosquatting domain '
                                          '(maccyapp[.]com)',
                           'high_value_targets': 'Crypto-wallet users, '
                                                 'credentials'},
 'investigation_status': 'Ongoing',
 'motivation': 'Data theft, credential harvesting, potential financial gain',
 'post_incident_analysis': {'corrective_actions': ['Block known malicious '
                                                   'domains (maccyapp[.]com, '
                                                   'avenger-sync[.]live)',
                                                   'Implement endpoint '
                                                   'protection for macOS '
                                                   'systems',
                                                   'Educate users on verifying '
                                                   'software sources',
                                                   'Monitor for unusual '
                                                   'process behavior (e.g., '
                                                   'fake Finder.app)'],
                            'root_causes': ['Social engineering (fake app '
                                            'lure)',
                                            'Typosquatting domain',
                                            'Abuse of native macOS APIs '
                                            '(AppleScript, JXA, Rust-based '
                                            'payload)',
                                            'Lack of user awareness']},
 'recommendations': ['Avoid downloading software from unofficial sources',
                     'Verify domain authenticity to prevent typosquatting',
                     'Monitor for unusual system dialogs or password prompts',
                     'Use endpoint detection and response (EDR) tools to '
                     'detect native API abuse',
                     'Review Keychain and browser permissions regularly'],
 'references': [{'source': 'Jamf Threat Labs'}],
 'response': {'third_party_assistance': 'Jamf Threat Labs'},
 'title': "New macOS Infostealer 'PamStealer' Targets Users via Fake Maccy App",
 'type': 'Infostealer'}