
PamStealer Malware Targets macOS Users, Steals Data

PamStealer macOS malware steals cryptocurrency via fake Maccy website and native validation.

  • A new macOS malware, PamStealer, is actively targeting cryptocurrency users by stealing wallet data and system passwords.
  • It spreads via a fake website impersonating the legitimate Maccy clipboard manager and uses sophisticated evasion techniques.
  • The malware validates stolen login credentials through macOS’s native authentication system (PAM) before exfiltrating data.
  • AppleScript and Rust components work together in a two-stage attack to avoid detection by security tools.
  • The developer of Maccy has issued a warning on their official GitHub page about the impersonating sites.

Cybersecurity researchers at Jamf Threat Labs have uncovered a sophisticated new malware campaign targeting macOS users, with a specific focus on stealing cryptocurrency wallet information and sensitive credentials. Dubbed PamStealer, this information stealer employs a clever multi-stage attack disguised as a popular clipboard manager application. The malware first infects systems through a lookalike website designed to mimic the legitimate Maccy app.

The initial payload is a compiled AppleScript file distributed inside a disk image. However, this script only executes if it detects a specific Apple Silicon environment and avoids systems in Eastern European countries. Once activated, it downloads a second, more powerful Rust-based binary that masquerades as the Finder app. This secondary payload is responsible for the core data theft, targeting web browsers, cryptocurrency wallet extensions, and the iCloud Keychain.

The stealer then uses native macOS prompts to trick users into revealing their system password. It validates the entered password locally using the macOS Pluggable Authentication Modules (PAM) API before proceeding. This validation step makes the attack chain quieter and more difficult to detect than typical commodity stealers.

The captured data, including clipboard content potentially holding cryptocurrency addresses or seed phrases, is encrypted and sent to attacker-controlled servers. Meanwhile, a decoy error message appears, stating “Maccy is damaged and can’t be opened. You should move it to the Trash,” to make victims believe the initial download failed. Security researcher Thijs Xhaflaire noted that this approach remains effective even with Apple’s tightened Gatekeeper protections.

In response, Alex Rodionov, the developer of the real Maccy, has added warnings to his website and repository. He specifically cautions users against fake domains like “maccyapp[.]com” that distribute the malware. Jamf concluded that these behaviors show how macOS stealers are evolving with quieter execution chains and native implementations to bypass standard security measures.
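A triage sketch for the behaviors described above, added here as an illustration; it is not code from Jamf or from this article. The event field names (`path`, `args`, `dns`) are hypothetical, and it assumes the masquerade shows up as a process named Finder outside the system path and that the AppleScript is run with `osascript` from the mounted disk image.

```python
import posixpath

# Location of the genuine Finder binary on macOS.
SYSTEM_FINDER = "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"
# Lookalike domain named in the article (printed there as maccyapp[.]com).
LOOKALIKE_DOMAINS = {"maccyapp.com"}

def refang(host):
    """Normalise a possibly defanged hostname for comparison."""
    return host.lower().replace("[.]", ".").rstrip(".")

def is_lookalike(host):
    """True for a listed lookalike domain or any of its subdomains."""
    host = refang(host)
    return any(host == d or host.endswith("." + d) for d in LOOKALIKE_DOMAINS)

def triage(event):
    """Return the reasons (possibly none) an event deserves analyst review."""
    reasons = []
    path = posixpath.normpath(event.get("path", ""))
    name = posixpath.basename(path)
    # Assumption: the second stage appears as "Finder" outside CoreServices.
    if name == "Finder" and path != SYSTEM_FINDER:
        reasons.append("finder-outside-system-path")
    # Assumption: the first stage is run by osascript from a mounted volume.
    if name == "osascript" and any(
            posixpath.normpath(a).startswith("/Volumes/")
            for a in event.get("args", [])):
        reasons.append("applescript-run-from-mounted-volume")
    if event.get("dns") and is_lookalike(event["dns"]):
        reasons.append("lookalike-domain-contact")
    return reasons

# Constructed sample events, not taken from the Jamf research.
SAMPLE_EVENTS = [
    {"path": SYSTEM_FINDER},
    {"path": "/Users/alice/Library/Caches/Finder"},
    {"path": "/usr/bin/osascript", "args": ["/Volumes/Maccy/Maccy.scpt"]},
    {"path": "/usr/bin/curl", "dns": "cdn.maccyapp[.]com"},
    {"path": "/usr/bin/curl", "dns": "notmaccyapp.com"},
]

def run_samples():
    return [triage(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, reasons in zip(SAMPLE_EVENTS, run_samples()):
        print(event["path"], reasons or "ok")
```

The suffix match is anchored on a dot, so an unrelated name that merely ends in the same letters is not flagged.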
