In brief: PamStealer combines social engineering, native macOS functions, and Rust-based payloads to masquerade as a system process and steal passwords and clipboard contents.
Researchers from Jamf Threat Labs have discovered the infostealer PamStealer, which compromises macOS users’ credentials and browser data by disguising itself as the open-source application Maccy. The attack leverages AppleScript-based infection vectors and native macOS APIs to evade detection measures.
The infostealer PamStealer is classified by Jamf Threat Labs as a new macOS threat that specifically targets credentials and confidential information. The malware mimics the well-known open-source application Maccy, a clipboard manager for macOS.
The infection scenario begins with an AppleScript document that users are prompted to open and execute in the macOS Script Editor. The script contains instructions that entice execution of the contained code, while this is not a classical shell command. The AppleScript subsequently downloads an infostealer developed in Rust, which then permanently installs itself on the system. This mechanism leaves significantly fewer characteristic traces than conventional malware infections.
After installation, PamStealer displays a deceptively authentic macOS password prompt that resembles the operating system’s legitimate authorization request. The entered passwords are validated locally and then misused for further system operations. In parallel, the stealer collects browser cookies, browser data, and clipboard contents. In subsequent steps, the malware attempts to manipulate the user into granting Full Disk Access permissions to access protected system areas.
According to Jamf Threat Labs’ analysis, PamStealer does not employ fundamentally new attack methods, but rather combines proven techniques effectively: the use of native macOS APIs, credible deception, and the multi-stage approach result in the absence of classic security signals. Individual actions appear isolated and harmless in themselves and correspond to normal operating system behavior, which makes it difficult for security solutions to detect the attack early.
For CISOs, this means: modern macOS malware increasingly relies on stealth rather than conspicuous malicious functions. Effective defense requires context-based monitoring that not only detects individual suspicious events, but correlates the chain of multiple seemingly harmless activities to stop complex attack chains like PamStealer in time.
Source: www.it-daily.net · Published 7 July 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.