PamStealer macOS Infostealer Uses PAM API to Verify Stolen Passwords

Jamf Threat Labs disclosed PamStealer, a Rust-based macOS infostealer that uses the PAM API to verify stolen passwords before exfiltrating credentials.

    Jamf Threat Labs disclosed PamStealer, a newly identified macOS information stealer that takes its name from one of its defining technical features: it calls the macOS Pluggable Authentication Modules API to verify a victim’s login password before exfiltrating it, ensuring only confirmed working credentials reach the attacker. The malware distributes through a fake Maccy clipboard manager website and targets Apple Silicon macOS users specifically.

    PamStealer’s Two-Stage Infection Chain Starting from a Fake Maccy Site

    The infection begins at maccyapp[.]com, a domain impersonating the legitimate Maccy open-source clipboard manager hosted at maccy[.]app. Visitors who download from the fake site receive a disk image containing a compiled AppleScript file disguised as the expected clipboard tool.

    The first stage is an environment-aware fingerprinting component built into the AppleScript dropper. Before executing any malicious payload, it collects CPU architecture, locale settings, keyboard layout, and timezone data from the host. It then derives an execution key from that host profile, and only proceeds if the device meets specific criteria — in practice, verified Apple Silicon targets. Devices that fail fingerprinting receive no second stage, a technique that limits exposure of the malware’s later components to sandbox analysis and non-qualifying hosts.

    Two-Stage Delivery: AppleScript Dropper Followed by Rust Infostealer Payload

    Hosts that pass fingerprinting receive Stage 2: a Rust-based infostealer payload fetched from attacker-controlled infrastructure and decrypted in memory. The use of Rust is deliberate — compiled Rust binaries differ markedly in layout from the Objective-C and Swift code typical of macOS software, and that layout is less familiar to static analysis tools tuned for Apple platform binaries.

    Once active, the Rust payload collects browser passwords and cookies, autofill data, cryptocurrency wallet files, system configuration data, and running process information. It achieves persistence through standard macOS persistence mechanisms before transmitting the collected package to attacker-controlled exfiltration infrastructure.

    PamStealer’s Novel PAM API Credential Verification Technique

    The feature that distinguishes PamStealer from other macOS stealers is its use of the macOS Pluggable Authentication Modules API to validate stolen passwords before transmitting them. When PamStealer prompts the victim for their login password — through a native-looking macOS dialog (“Maccy wants to make changes — Enter your password”) — it does not simply capture whatever text the user enters and send it to the attacker.

    Instead, it calls pam_start, pam_authenticate, and pam_end internally against the host’s own authentication system. If the victim types the wrong password, pam_authenticate returns a failure code, and PamStealer re-prompts until the victim enters the correct one. Only a password that passes PAM authentication is transmitted to the attacker.

    Why PAM Verification Gives Attackers a Confirmed Working Credential

    The consequence of this verification step is that the attacker receives only authenticated, working credentials — not guessed or mistyped passwords that would fail when used. This is a meaningful operational refinement: attacker infrastructure that receives a credential can immediately test it or sell it with higher confidence in its validity, rather than dealing with the noise of failed or partial captures.

    Traditional credential-phishing flows that simply present a fake password dialog and record whatever is typed collect a mix of correct passwords, typos, and rejected guesses. PamStealer’s PAM integration filters that output to confirmed credentials before exfiltration, improving the quality of the attacker’s take at no additional cost to the campaign.

    Maccy Developer Warning and the Scope of Potential Exposure

    PamStealer targets iCloud+ subscribers who specifically seek privacy tools. Users who download clipboard managers from third-party sites generally show a higher-than-average security awareness, but here that awareness was undermined by a convincing impersonation of a known open-source tool. The legitimate Maccy developer has added a warning to the official maccy[.]app website and the project’s GitHub repository confirming that maccy[.]app is the only legitimate download source.

    The developer’s warning specifically states that users who downloaded from any URL other than the official site should treat their credentials as compromised. That guidance extends to login passwords, browser-stored credentials, autofill data, and cryptocurrency wallet contents — all categories captured by PamStealer’s Rust payload.

    Identifying PamStealer Exposure on Apple Silicon Macs

    Jamf Threat Labs’ disclosure includes indicators of compromise for organizations running endpoint security tools on managed Apple devices. The two-stage fingerprinting design means that detection at Stage 1 — the compiled AppleScript dropper in a disk image — is the highest-value detection opportunity, because Stage 2 only executes on qualifying hosts. Security teams should search endpoint logs for compiled .scpt files arriving inside disk images from non-App-Store sources, and for outbound network connections to attacker-controlled exfiltration infrastructure originating from newly executed Rust binaries.
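    As an added example (not Jamf Threat Labs' code or an indicator from the disclosure), the following Python hunt script walks a mounted disk image or download folder and flags compiled AppleScript files, including ones that do not carry a .scpt name. It assumes the compiled-AppleScript header bytes FasdUAS and, on macOS only, reads the com.apple.quarantine attribute with the xattr tool to show whether the file arrived as a download; the sample volume it builds is constructed test data.

```python
import os, subprocess, sys, tempfile
from pathlib import Path
from typing import List, NamedTuple, Optional

SCPT_MAGIC = b"FasdUAS"  # header carried by every compiled AppleScript (.scpt) file

class Finding(NamedTuple):
    path: str
    disguised: bool            # compiled script not carrying a .scpt extension
    quarantine: Optional[str]  # raw com.apple.quarantine value (macOS only)

def is_compiled_applescript(path: Path) -> bool:
    """True if the file starts with the compiled-AppleScript magic bytes."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(SCPT_MAGIC)) == SCPT_MAGIC
    except OSError:
        return False

def quarantine_attr(path: Path) -> Optional[str]:
    """Read com.apple.quarantine via the xattr tool: a value means the file arrived
    as a download rather than from the App Store. None off macOS or if absent."""
    if sys.platform != "darwin":
        return None
    res = subprocess.run(["xattr", "-p", "com.apple.quarantine", str(path)],
                         capture_output=True, text=True)
    return res.stdout.strip() or None

def scan_volume(root: Path) -> List[Finding]:
    """Walk a mounted .dmg (or any folder) and report compiled AppleScript files."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_file() and is_compiled_applescript(p):
                findings.append(Finding(str(p), p.suffix.lower() != ".scpt",
                                        quarantine_attr(p)))
    return findings

def constructed_sample_volume() -> Path:
    """Constructed stand-in for a dropper DMG: plain .scpt, disguised script, text file."""
    root = Path(tempfile.mkdtemp())
    (root / "Maccy.scpt").write_bytes(SCPT_MAGIC + b" 1.101.10" + b"\x00" * 16)
    (root / "Maccy").write_bytes(SCPT_MAGIC + b" 1.101.10" + b"\x00" * 16)
    (root / "README.txt").write_bytes(b"not a script")
    return root

if __name__ == "__main__":  # scan a path given on the command line, else the sample
    for f in scan_volume(Path(sys.argv[1]) if len(sys.argv) > 1 else constructed_sample_volume()):
        print(f"{'DISGUISED ' if f.disguised else ''}compiled AppleScript: {f.path} quarantine={f.quarantine}")
```

    Point it at the mount point of a suspect disk image (for example a volume under /Volumes) to triage Stage 1 before the script ever runs.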

    Users who downloaded from the fake Maccy site and entered their macOS login password into a dialog prompting with “Maccy wants to make changes” should rotate their Apple ID password, revoke browser session cookies, and audit cryptocurrency wallet addresses for unauthorized transactions.
