A newly documented macOS infostealer validates the victim's login password before it steals sensitive data, so its operators know up front that the credentials they receive will actually work.

Researchers at Jamf Threat Labs have documented a new macOS malware campaign built around an infostealer called PamStealer. PamStealer disguises itself as the Maccy clipboard manager and uses AppleScript alongside a Rust payload to infect Macs.

Jamf found that PamStealer verifies login passwords through the Pluggable Authentication Modules (PAM) framework that ships with macOS before stealing additional data. Password verification sets PamStealer apart from most macOS infostealers, which typically capture whatever password a victim types without confirming that it is valid.

The campaign begins with a fake website that closely imitates the legitimate Maccy clipboard manager. Next, the fake website delivers a malicious AppleScript application disguised as Maccy.

Once a victim opens the download, the AppleScript application profiles the system and retrieves a second-stage Rust payload. PamStealer then establishes persistence before collecting data.

Image: the fake download page, a copy of Maccy's, with a Download Maccy button, a description of a free, open-source clipboard manager for macOS, and tags listing version, macOS compatibility, Apple silicon support, license and file size.

Jamf also found that PamStealer checks system characteristics, keyboard layout and regional settings before running. These checks suggest the operators configured PamStealer to execute only on systems that match their intended targets.

Password verification improves the value of stolen credentials

PamStealer's most notable feature is the way it captures login credentials. During execution, the malware displays a dialog of its own, styled to look like a legitimate macOS authorization prompt, asking the user to enter a password so that Maccy can make changes.

Instead of just recording whatever the victim types, PamStealer validates the password through the macOS PAM framework before continuing. Jamf said PamStealer does not replace or bypass Apple's authentication system.

Instead, the malware abuses a legitimate macOS framework to check the credentials after convincing the victim to type a password, so the operators can discard mistyped or wrong passwords before moving forward with the attack.
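To make the mechanism concrete, here is what a PAM password check looks like from an ordinary user process. This is an added illustration, not PamStealer's code and not taken from Jamf's report; it calls only the documented libpam client API (pam_start, pam_authenticate, pam_end) through ctypes. The PAM service name "login" and the library file names are assumptions chosen to fit both macOS (OpenPAM) and Linux-PAM. The practical point for analysts: on macOS the pam_opendirectory module lets an unprivileged process verify the current user's password, so the malware needs no root to get a clean yes/no answer, and pam_start/pam_authenticate imports in an app that has no business authenticating anyone are worth a closer look.

```python
# Added example: a PAM password check from a user process (illustrative, not PamStealer's code).
# Assumptions: service name "login" and the libpam file names below are guesses that fit
# macOS (OpenPAM) and Linux-PAM; neither comes from the Jamf report.
import ctypes
from ctypes import CDLL, CFUNCTYPE, POINTER, Structure, byref, c_char_p, c_int, c_void_p, cast

PAM_SUCCESS = 0
PAM_PROMPT_ECHO_OFF = 1   # "Password:" style prompt, the one we answer
PAM_PROMPT_ECHO_ON = 2
PAM_BUF_ERR = 5


class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]


class PamResponse(Structure):
    # resp must point to malloc'd memory: libpam frees it after use.
    _fields_ = [("resp", c_void_p), ("resp_retcode", c_int)]


CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)


class PamConv(Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]


_libc = CDLL(None)  # symbols of the running process, which include libc on macOS and Linux
_libc.calloc.restype = c_void_p
_libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
_libc.strdup.restype = c_void_p
_libc.strdup.argtypes = [c_char_p]


def _load_pam():
    """Return the PAM client library, or None when the host has no libpam."""
    for name in ("libpam.so.0", "libpam.dylib", "libpam.so"):
        try:
            return CDLL(name)
        except OSError:
            continue
    return None


def _make_conv(password: bytes):
    """Build the conversation callback: answer every password prompt with `password`."""
    def conv(n, msgs, resp, _appdata):
        answers = cast(_libc.calloc(n, ctypes.sizeof(PamResponse)), POINTER(PamResponse))
        if not answers:
            return PAM_BUF_ERR
        for i in range(n):
            if msgs[i].contents.msg_style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                answers[i].resp = _libc.strdup(password)  # libpam will free() this copy
            # informational/error messages get no response (resp stays NULL)
        resp[0] = answers
        return PAM_SUCCESS
    return CONV_FUNC(conv)


def verify_password(username: str, password: str, service: str = "login"):
    """True if PAM accepts the credentials, False if it rejects them, None if libpam is absent."""
    pam = _load_pam()
    if pam is None:
        return None
    pam.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(c_void_p)]
    pam.pam_start.restype = c_int
    pam.pam_authenticate.argtypes = [c_void_p, c_int]
    pam.pam_authenticate.restype = c_int
    pam.pam_end.argtypes = [c_void_p, c_int]
    pam.pam_end.restype = c_int

    callback = _make_conv(password.encode())   # keep a reference alive for the handle's lifetime
    conv = PamConv(callback, None)
    handle = c_void_p()
    if pam.pam_start(service.encode(), username.encode(), byref(conv), byref(handle)) != PAM_SUCCESS:
        return False
    rc = pam.pam_authenticate(handle, 0)
    pam.pam_end(handle, rc)
    return rc == PAM_SUCCESS


if __name__ == "__main__":
    import getpass
    print(verify_password(getpass.getuser(), getpass.getpass("Password to test: ")))
```

Run it as yourself and it answers True or False for your own account, which is exactly the signal the malware wants. On Linux the pam_unix module only lets a non-root caller verify its own password (via the unix_chkpwd helper), so the same code cannot be used to test other accounts; on macOS the OpenDirectory-backed module behaves the same way for the logged-in user.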

Rust payload steals browser data and establishes persistence

After validating the password, the second-stage Rust payload collects a wide range of information from the infected Mac. Jamf said PamStealer targets browser cookies, browsing history, saved credentials, SQLite databases, clipboard contents and cryptocurrency wallet data.

PamStealer also encrypts stolen information before transmitting it to command-and-control infrastructure, making network traffic more difficult to inspect.

PamStealer creates login items through both modern and legacy macOS mechanisms so it relaunches automatically after a user signs in. The malware also impersonates Finder while attempting to convince victims to grant Full Disk Access.

Full Disk Access is a Transparency, Consent and Control (TCC) permission; once granted, it would significantly expand the data the malware can read without triggering further prompts.
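Two questions a responder asks after reading the persistence and Full Disk Access paragraphs above are "what does this login-time entry actually launch?" and "which clients hold Full Disk Access right now?". The helpers below are an added example, not Jamf's tooling and not PamStealer artifacts: the LaunchAgent plist and the TCC rows are constructed for the demo, the label and path are placeholders, and the TCC table is reduced to the four columns the query needs (the real `access` table has more). On macOS 13 and later, `sfltool dumpbtm` is the built-in way to list both modern (SMAppService) and legacy login items; auditing per-user LaunchAgents alongside it is this example's own choice.

```python
# Added example: persistence and Full Disk Access triage helpers (illustrative, not from the report).
# SAMPLE_AGENT and build_demo_tcc_db() are constructed inputs; the TCC column subset
# (service, client, client_type, auth_value) matches the real `access` table, which has more columns.
import plistlib
import sqlite3
from pathlib import PurePosixPath

FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"   # TCC's name for Full Disk Access
TCC_ALLOWED = 2                                    # auth_value 2 = allowed on current macOS
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")

# Constructed LaunchAgent; label and path are placeholders, not PamStealer indicators.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.clipboardhelper</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/.helper/agent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Summarise a launchd plist: what runs, when, and why it deserves a second look."""
    d = plistlib.loads(plist_bytes)
    program = d.get("Program") or (d.get("ProgramArguments") or [None])[0]
    run_at_load = bool(d.get("RunAtLoad", False))
    keep_alive = bool(d.get("KeepAlive", False))
    flags = []
    if run_at_load:
        flags.append("starts at login (RunAtLoad)")
    if keep_alive:
        flags.append("relaunched if it exits (KeepAlive)")
    if program:
        if program.startswith(USER_WRITABLE_PREFIXES):
            flags.append("program lives in a user-writable location")
        if any(part.startswith(".") for part in PurePosixPath(program).parts[1:]):
            flags.append("hidden directory in program path")
    return {"label": d.get("Label"), "program": program, "run_at_load": run_at_load,
            "keep_alive": keep_alive, "flags": flags}


def fda_grants(conn: sqlite3.Connection) -> list:
    """Clients currently allowed Full Disk Access.

    On a real Mac, open /Library/Application Support/com.apple.TCC/TCC.db read-only.
    Reading that file itself requires Full Disk Access for the reading process, even as root.
    """
    rows = conn.execute(
        "SELECT client, client_type, auth_value FROM access "
        "WHERE service = ? AND auth_value = ? ORDER BY rowid",
        (FDA_SERVICE, TCC_ALLOWED),
    ).fetchall()
    # client_type 0 = bundle identifier, 1 = absolute path
    return [{"client": c, "kind": "bundle id" if t == 0 else "path", "auth_value": v}
            for c, t, v in rows]


def build_demo_tcc_db() -> sqlite3.Connection:
    """Constructed stand-in for TCC.db with only the columns the query above needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        (FDA_SERVICE, "com.apple.Terminal", 0, TCC_ALLOWED),                                   # typical admin grant
        (FDA_SERVICE, "/Users/alice/Library/Application Support/.helper/agent", 1, TCC_ALLOWED),  # path-type grant
        ("kTCCServiceAccessibility", "com.example.other", 0, TCC_ALLOWED),                    # other service, ignored
        (FDA_SERVICE, "com.example.denied", 0, 0),                                            # denied, ignored
    ])
    return conn


if __name__ == "__main__":
    print(triage_launch_agent(SAMPLE_AGENT))
    for grant in fda_grants(build_demo_tcc_db()):
        print(grant)
```

A path-type Full Disk Access grant pointing into a hidden directory under a user's home, combined with a RunAtLoad agent launching the same binary, is the pattern to look for; neither row alone is conclusive, since legitimate tools also live under ~/Library and also ask for the permission.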

Image: two code editor windows showing excerpts of the malware's code (caption: PamStealer's most notable feature is the way it captures login credentials).

Jamf said much of PamStealer's second-stage payload is written in Rust rather than AppleScript. A compiled Rust binary is harder to reverse engineer than a script, and in this case many strings and code paths are resolved only while the malware is running rather than appearing as plain literals in the binary, which limits what static analysis alone will reveal.

Native macOS features help make the attack more effective

PamStealer shows how macOS malware increasingly abuses legitimate operating system features rather than relying solely on malicious code. Jamf said the combination of the PAM framework, a Rust payload and encrypted command-and-control traffic makes the malware harder to analyze.

The researchers said the combination reflects the continued evolution of macOS-focused malware without relying on previously unknown vulnerabilities.

Jamf recommends downloading software only from trusted sources. The company also urges users to be skeptical of unexpected administrator password prompts and avoid unnecessary Full Disk Access requests.

Organizations using Jamf can configure Threat Prevention, Advanced Threat Controls and Web Protection to help block similar malware before it executes.

How to stay safe

PamStealer still depends on the victim downloading software from an untrusted source and approving several prompts before the attack can complete. Users should download Mac apps only from trusted developers and verify the website address before installing software.

Unexpected requests for an administrator password deserve extra scrutiny, especially when they appear during an app installation. Users should also review Full Disk Access requests carefully and grant the permission only when it is necessary for software they trust. Keeping macOS and security software up to date also helps detect or block known malware before it compromises a system.