
Mac infostealer verifies passwords before stealing data

PamStealer, a new macOS infostealer tracked by Jamf Threat Labs, checks a victim’s login password through Apple’s Pluggable Authentication Modules before grabbing sensitive information, so stolen credentials aren’t wasted. It arrives disguised as the Maccy clip

A password prompt can feel routine on macOS, until it’s a lie. Jamf Threat Labs has documented a new macOS infostealer campaign, called PamStealer, that doesn’t just watch what a victim types. It verifies the password first, using Apple’s Pluggable Authentication Modules, before continuing the theft of sensitive data.

The method changes the tempo of an attack. PamStealer is built to get immediate confirmation that compromised credentials will actually work. Jamf said the malware doesn’t replace or bypass Apple’s authentication system. Instead, it convinces the user to enter a password through a prompt that looks like a legitimate macOS authorization dialog asking for a password so Maccy can make changes, then validates what was entered and discards invalid credentials before moving forward.

That “check before steal” approach is what sets PamStealer apart from many macOS infostealers, which typically capture whatever password a victim enters without confirming it’s valid.

The campaign starts with impersonation. PamStealer disguises itself as the Maccy clipboard manager, but the lure is a fake website that closely imitates the legitimate Maccy site. The fake site delivers a malicious AppleScript application disguised as Maccy. When a victim opens the download, the malicious application checks the system, then retrieves a second-stage Rust payload.

Jamf found PamStealer doesn’t run everywhere. Before it executes, it checks system characteristics, keyboard layout, and regional settings, which suggests the operators tuned the malware to execute only on machines matching their intended targets.

Once the Rust payload is in place, PamStealer establishes persistence before collecting data. The malware creates login items through both modern and legacy macOS mechanisms so it relaunches automatically after a user signs in. Jamf also found the malware attempts to impersonate Finder while trying to convince victims to grant Full Disk Access.
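The persistence step above is the easiest place for a defender to look. The following triage script is an added example, not code from Jamf’s report: it scans LaunchAgent plists for traits consistent with what the article describes (an Apple-looking label outside /System, a script interpreter as the program, a hidden path component, RunAtLoad set). The two plists are constructed samples, and the label, paths and thresholds are assumptions, not indicators from the report.

```python
import plistlib

# Constructed sample LaunchAgent plists (not from the Jamf report): the first
# carries the traits the article describes, the second is a benign updater.
SAMPLE_PLISTS = {
    "~/Library/LaunchAgents/com.apple.finder.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.finder.helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>/Users/alice/Library/Application Support/.helper/run.scpt</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Library/LaunchAgents/com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

# Interpreters that a persistent login item rarely needs as its main program.
SCRIPT_RUNNERS = {"/usr/bin/osascript", "/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/python3"}

def score_launch_agent(path: str, data: bytes) -> list[str]:
    """Return the list of suspicious traits found in one LaunchAgent plist."""
    pl = plistlib.loads(data)
    findings = []
    label = pl.get("Label", "")
    args = pl.get("ProgramArguments") or [pl.get("Program", "")]
    program = args[0] if args else ""
    # Apple's own agents live under /System; a com.apple.* label in a user or
    # third-party LaunchAgents folder is a masquerade worth a closer look.
    if label.startswith("com.apple.") and "/Library/LaunchAgents" in path and not path.startswith("/System"):
        findings.append(f"apple-like label outside /System: {label}")
    if program in SCRIPT_RUNNERS:
        findings.append(f"interpreter as program: {program}")
    # A hidden directory (component starting with '.') in the arguments hides the real payload.
    if any(part.startswith(".") for arg in args for part in arg.split("/")):
        findings.append("hidden path component in arguments")
    if pl.get("RunAtLoad") and findings:
        findings.append("RunAtLoad set: relaunches at every login")
    return findings

def triage(plists: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each plist path to its findings, keeping only the ones that scored."""
    return {p: f for p, d in plists.items() if (f := score_launch_agent(p, d))}
```

On a live Mac the same function can be fed the contents of ~/Library/LaunchAgents and /Library/LaunchAgents; legacy login items set through System Events need a separate enumeration.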

Full Disk Access is the kind of permission that expands what an application can reach across the system without additional prompts, and Jamf said it would significantly increase the amount of information PamStealer can access.

The collection itself is broad. After the password validation step, PamStealer targets browser cookies, browsing history, saved credentials, SQLite databases, clipboard contents, and cryptocurrency wallet data. Jamf said the stolen information is encrypted before it’s transmitted to command-and-control infrastructure, making network traffic harder to inspect.

Jamf Threat Labs also pointed to how the malware is built. PamStealer uses AppleScript for the initial stage and a Rust payload for the second stage. Using Rust can make reverse engineering more difficult because many strings and code paths are resolved only while the malware is running rather than appearing directly in the compiled binary.


There’s a bigger story inside the technique. PamStealer shows how macOS malware increasingly leans on legitimate operating system features instead of relying solely on malicious code. Jamf said the combination of Apple’s authentication framework, Rust, and encrypted communications works together to make the malware harder to analyze.

The researchers said the campaign reflects the continued evolution of macOS-focused malware without relying on previously unknown vulnerabilities.

What users can do now is closely tied to how PamStealer gets in. Jamf recommends downloading software only from trusted sources. It also urges users to be skeptical of unexpected administrator password prompts and to avoid unnecessary Full Disk Access requests. Organizations using Jamf can configure Threat Prevention, Advanced Threat Controls, and Web Protection to help block similar malware before it executes.

On the individual side, Jamf’s guidance is blunt: users should download Mac apps only from trusted developers and verify website addresses before installing software. Unexpected requests for an administrator password deserve extra scrutiny, especially when they appear during an app installation. Users should review Full Disk Access requests carefully and grant the permission only to applications they trust.

Keeping macOS and security software up to date can also help detect or block known malware before it compromises a system.

For PamStealer, the key moment isn’t the prompt itself but what happens after. Jamf’s findings show an attacker designing an infostealer that first confirms a password will work, then moves quickly to harvest browser data, credentials, and wallet information, with encryption and persistence quietly built into the process.


4 Comments

  1. So it’s basically making sure your password works before stealing anything? Sounds like even malware has a tryout phase lol.

  2. Wait, isn’t Maccy just a clipboard thing? How does a clipboard app even get to my login password prompt… this article lost me.

  3. Apple needs to patch this because they’re still letting apps call prompts. If it uses Pluggable Authentication Modules then it’s like Apple doing the verifying, not the hacker. Unless Apple is the one tricked? Idk.

  4. Fake Maccy website + AppleScript + Rust payload… so it downloads like a normal clip manager and then just grabs stuff? also why does it only run on certain keyboard/region settings, like it can tell where you live??
