PamStealer Steals Mac Passwords Via Fake Maccy Sites

- Jamf Threat Labs discovered PamStealer, a macOS info-stealer distributed via lookalike sites maccyapp[.]com and maccyapp[.]net that impersonate the legitimate open-source clipboard manager Maccy.
- The malware uniquely validates stolen passwords locally through the macOS Pluggable Authentication Modules (PAM) API, retrying prompts until the correct login password is supplied, then exfiltrating harvested data to attacker-controlled server avenger-sync[.]live.
- Delivery uses a two-stage chain: a compiled AppleScript dropper executed via ⌘+R inside Script Editor — bypassing Gatekeeper even when the com.apple.quarantine attribute is intact — followed by a Rust-based Mach-O binary masquerading as Finder.
- PamStealer enforces environment-aware restrictions, executing only on Apple Silicon Macs and terminating on systems whose timezone, locale, and keyboard layout resolve to 12 Eastern European countries including Russia, Belarus, Georgia, Moldova, and Kazakhstan.
- After capturing a valid password, the stealer displays a counterfeit Gatekeeper alert reading "Maccy is damaged and can't be opened" as a decoy, by which point persistence and credential theft have already completed.
- Maccy developer Alex Rodionov added warnings to the official website and GitHub repository, explicitly stating that maccy.app is the only legitimate source and naming maccyapp[.]net and maccyapp[.]com as malicious distributors.
Why it matters: Mac users searching for the Maccy clipboard manager risk handing over login passwords, browser data, iCloud Keychain contents, and crypto wallet credentials to attackers, with persistence already in place by the time the fake "damaged" error appears — and the developer's official warnings arrived only after Jamf publicly disclosed the malware.
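Defender-side triage logic for the indicators described above, as an added example that is not part of the original report: it scores constructed endpoint-telemetry records against the Finder masquerade, the Script Editor dropper parent, and the distribution/exfiltration domains named on this page. The record field names (`name`, `path`, `parent`, `arch`, `dest_host`) are assumed, not a real EDR schema.

```python
# Hypothetical telemetry schema; adapt the field names to your EDR export.
LEGIT_FINDER = "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"
# Domains named in the Jamf report (defanging brackets removed for matching).
MALICIOUS_DOMAINS = {"maccyapp.com", "maccyapp.net", "avenger-sync.live"}


def assess_process(rec: dict) -> list[str]:
    """Return the reasons a single process record matches PamStealer tradecraft."""
    reasons = []
    name = rec.get("name", "")
    path = rec.get("path", "")
    # The real Finder only ever runs from a fixed system path.
    if name == "Finder" and path != LEGIT_FINDER:
        reasons.append("process named Finder running from non-system path")
    # Stage 1 is a compiled AppleScript run via Cmd+R inside Script Editor,
    # so a Mach-O whose parent is Script Editor is unusual on a normal host.
    if rec.get("parent") == "Script Editor":
        reasons.append("binary spawned by Script Editor")
    # Contact with the lookalike sites or the exfiltration server.
    host = (rec.get("dest_host") or "").lower().rstrip(".")
    if host and (host in MALICIOUS_DOMAINS
                 or any(host.endswith("." + d) for d in MALICIOUS_DOMAINS)):
        reasons.append(f"network contact with known malicious host {host}")
    return reasons


def triage(records: list[dict]) -> dict[str, list[str]]:
    """Map each flagged record's path to its findings; clean records are omitted."""
    return {r["path"]: hits for r in records if (hits := assess_process(r))}


# Constructed sample telemetry, not real captures.
SAMPLE_RECORDS = [
    {"name": "Finder", "path": LEGIT_FINDER, "parent": "launchd", "arch": "arm64"},
    {"name": "Finder", "path": "/Users/alice/Library/Application Support/Finder",
     "parent": "Script Editor", "arch": "arm64", "dest_host": "avenger-sync.live"},
    {"name": "Maccy", "path": "/Applications/Maccy.app/Contents/MacOS/Maccy",
     "parent": "launchd", "arch": "arm64"},
]

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_RECORDS).items():
        print(path)
        for h in hits:
            print("  -", h)
```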