PamStealer Mimics Maccy to Steal Mac Login Passwords

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- Jamf Threat Labs discovered PamStealer, a new macOS info-stealer distributed via lookalike sites (maccyapp[.]com, maccyapp[.]net) impersonating the legitimate Maccy clipboard manager at maccy[.]app
- The malware uses a two-stage chain: a compiled AppleScript (.scpt) dropper inside a disk image fetches a Rust-based Mach-O payload that masquerades as Finder and registers for persistence via a fake System Settings binary
- The AppleScript dropper runs environment-aware checks, only executing on Apple Silicon Macs and terminating on Intel systems; it also blocks execution on hosts located in Eastern European countries including Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia
- The Rust-based stealer harvests browser credentials, cryptocurrency wallet extensions, iCloud Keychain, and clipboard content, then exfiltrates the encrypted data to attacker-controlled infrastructure at avenger-sync[.]live over an outbound HTTP request
- The stealer captures the victim's system password through a native prompt and validates it locally via the macOS PAM API, looping until the correct password is entered, then shows a counterfeit 'Maccy is damaged and can't be opened' Gatekeeper message as a decoy
- Alex Rodionov, the developer of Maccy, posted warnings on the project's website and GitHub repository identifying maccyapp[.]net and maccyapp[.]com as malicious and confirming maccy[.]app as the only official site
Why it matters: PamStealer's use of macOS PAM to validate passwords locally before exfiltration means victims can't blunt the damage by entering a fake password, and the AppleScript dropper bypasses Apple's quarantine attribute entirely — a quieter execution chain that sidesteps the very Gatekeeper tightening Apple has been pushing. Mac users searching for the popular Maccy clipboard manager now face a credential-stealing trap on knockoff domains, with browser sessions, crypto wallet extensions, and iCloud Keychain data all in scope.


