- A new macOS malware, PamStealer, is actively targeting cryptocurrency users by stealing wallet data and system passwords.
- It spreads via a fake website impersonating the legitimate Maccy clipboard manager and uses sophisticated evasion techniques.
- The malware validates stolen login credentials through macOS’s native authentication system (PAM) before exfiltrating data.
- AppleScript and Rust components work together in a two-stage attack to avoid detection by security tools.
- The developer of Maccy has issued a warning on their official GitHub page about the impersonating sites.
Cybersecurity researchers at Jamf Threat Labs have uncovered a sophisticated new malware campaign targeting macOS users, with a specific focus on stealing cryptocurrency wallet information and sensitive credentials. Dubbed PamStealer, this information stealer employs a clever multi-stage attack disguised as a popular clipboard manager application. The malware first infects systems through a lookalike website designed to mimic the legitimate Maccy app.
The initial payload is a compiled AppleScript file distributed inside a disk image. However, this script only executes if it detects a specific Apple Silicon environment and avoids systems in Eastern European countries. Once activated, it downloads a second, more powerful Rust-based binary that masquerades as the Finder app. This secondary payload is responsible for the core data theft, targeting web browsers, cryptocurrency wallet extensions, and the iCloud Keychain.
From there, the stealer uses native macOS prompts to trick users into revealing their system password. It then validates the entered password locally through the macOS Pluggable Authentication Modules (PAM) API before proceeding, so only a password that actually works is sent on. This validation step makes the attack chain quieter and more difficult to detect than typical commodity stealers.
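As an added illustration from the detection side (not Jamf's tooling or code from the report), the following hypothetical triage helper applies two heuristics drawn from the behaviours described above to process-start telemetry: a process that calls itself Finder but does not run from the genuine system bundle, and an AppleScript password dialog whose parent runs from an untrusted location such as a mounted disk image. The event fields, the trusted path prefixes and the sample events are constructed assumptions.

```python
"""Hypothetical triage helper for process-start telemetry (for example an EDR
export). Flags two behaviours attributed to PamStealer: a binary posing as
Finder, and an AppleScript password prompt launched from an untrusted parent.
Constructed sample events below; this is not Jamf's detection logic."""
from dataclasses import dataclass

# Canonical location of the genuine Finder executable on macOS.
FINDER_PATH = "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"
# Path prefixes treated as trusted parents of a password dialog (assumption).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/")

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    name: str      # process name as reported by the telemetry source
    path: str      # executable path
    cmdline: str   # full command line

def flag_suspicious(events):
    """Return (pid, reason) tuples for events matching either heuristic."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        # Heuristic 1: name is Finder but the binary is outside the real bundle
        # (the report says the Rust stage masquerades as the Finder app).
        if e.name == "Finder" and e.path != FINDER_PATH:
            hits.append((e.pid, "Finder name outside the system bundle"))
        # Heuristic 2: an AppleScript dialog with a hidden (password) answer
        # whose parent is missing or runs from an untrusted location.
        if e.name == "osascript" and "with hidden answer" in e.cmdline:
            parent = by_pid.get(e.ppid)
            if parent is None or not parent.path.startswith(TRUSTED_PREFIXES):
                hits.append((e.pid, "password prompt from untrusted parent"))
    return hits

# Constructed sample telemetry (no real indicators): genuine Finder, an applet
# run from a mounted disk image, its password prompt, and a fake Finder.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "Finder", FINDER_PATH, FINDER_PATH),
    ProcEvent(200, 1, "applet", "/Volumes/Maccy/Maccy.app/Contents/MacOS/applet", "applet"),
    ProcEvent(201, 200, "osascript", "/usr/bin/osascript",
              'osascript -e \'display dialog "Password:" default answer "" with hidden answer\''),
    ProcEvent(300, 200, "Finder", "/Users/victim/Library/Caches/Finder", "Finder"),
]

if __name__ == "__main__":
    for pid, reason in flag_suspicious(SAMPLE_EVENTS):
        print(pid, reason)
```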
The captured data, including clipboard content potentially holding cryptocurrency addresses or seed phrases, is encrypted and sent to attacker-controlled servers. Meanwhile, a decoy error message appears, stating “Maccy is damaged and can’t be opened. You should move it to the Trash,” to make victims believe the initial download failed. Security researcher Thijs Xhaflaire noted that this approach remains effective even with Apple’s tightened Gatekeeper protections.
In response, Alex Rodionov, the developer of the real Maccy, has added warnings to his website and repository. He specifically cautions users against fake domains like “maccyapp[.]com” that distribute the malware. Jamf concluded that these behaviors show how macOS stealers are evolving with quieter execution chains and native implementations to bypass standard security measures.