Technology · 2026-07-04 · 3 min read
PamStealer Malware Targets macOS Users With Devious New Stealth Tactics
A new and unusually sophisticated strain of malware, dubbed "PamStealer," is actively targeting macOS users. Discovered by researchers at security firm Jamf Threat Labs, this credential-stealing software employs a multi-stage attack and a bag of clever tricks to bypass macOS security features and remain hidden, posing a significant threat to unsuspecting users.
A Deceptive Disguise
The attack begins with a classic social engineering lure. The malware is distributed inside a disk image (.dmg) file that masquerades as "Maccy," a popular and legitimate open-source clipboard manager for macOS. However, instead of a standard application, the disk image contains a compiled AppleScript file.
When a user double-clicks the script, it opens in Apple's own Script Editor application. The visible portion of the script instructs the user to press Command-R to run it, a seemingly innocuous step to complete the "installation." That keystroke, however, executes the malicious payload buried deep within the script file. The method is particularly cunning because the code runs inside Script Editor, an Apple application the system already trusts, so it sidesteps some of the Gatekeeper checks that would normally warn users about running software downloaded from the internet.
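As an added defensive check (example code written for this piece, not from Jamf or the article), the Python script below triages a mounted disk image the way a responder would: it identifies compiled AppleScript or JXA files by their file header rather than their name, and flags an image that ships a loose script with no .app bundle at all. The file names and contents built in demo() are constructed samples, and treating the FasdUAS magic as covering compiled JXA as well is an assumption.

```python
# Added triage helper (not part of the article or Jamf's tooling): walk a
# mounted disk image and flag compiled AppleScript/JXA files by their header
# rather than by extension, since a lure can carry any file name.
import os
import tempfile

# Compiled AppleScript files begin with this magic string; compiled JXA is
# assumed to share it.
SCPT_MAGIC = b"FasdUAS"


def is_compiled_applescript(path):
    """Return True if the file's leading bytes match the compiled-script magic."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SCPT_MAGIC)) == SCPT_MAGIC
    except OSError:
        return False


def scan_volume(root):
    """Report compiled scripts under root and whether any .app bundle exists.
    A 'clipboard manager' image with no app bundle and a loose script is the
    shape of the lure described in the article."""
    scripts, has_app_bundle = [], False
    for dirpath, dirnames, filenames in os.walk(root):
        has_app_bundle |= any(d.endswith(".app") for d in dirnames)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_compiled_applescript(full):
                scripts.append(os.path.relpath(full, root))
    return {"compiled_scripts": sorted(scripts),
            "has_app_bundle": has_app_bundle,
            "suspicious": bool(scripts) and not has_app_bundle}


def demo():
    """Build a constructed sample volume in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="dmg_triage_")
    # Constructed lure: a compiled script named to look like an installer.
    with open(os.path.join(root, "Install Maccy.scpt"), "wb") as fh:
        fh.write(SCPT_MAGIC + b" 1.101.10" + b"\x00" * 32)
    # Constructed decoy: same magic hidden behind a harmless-looking extension.
    with open(os.path.join(root, "README.txt"), "wb") as fh:
        fh.write(SCPT_MAGIC + b"\x00" * 16)
    # Constructed benign file that must not be flagged.
    with open(os.path.join(root, "LICENSE"), "wb") as fh:
        fh.write(b"MIT License\n")
    return scan_volume(root)


if __name__ == "__main__":
    print(demo())
```

On a real image, point scan_volume() at the mount point under /Volumes after attaching the .dmg.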
A Two-Stage Attack
PamStealer's attack is a two-stage process, designed for stealth and efficiency.
The first stage, executed by the AppleScript, uses JavaScript for Automation (JXA) to download the main payload. As noted by both Jamf and Ars Technica, the malware avoids common command-line tools like curl for its download, instead opting for native macOS APIs. This makes the download much quieter and less likely to be flagged by traditional security software. The dropper also checks its execution environment, refusing to run in certain regions or if it detects that it is inside an analysis sandbox.
The second stage is the stealer itself: a lean binary written in the Rust programming language. This choice of language is relatively uncommon for macOS malware and helps it evade detection. Once running, this payload gets to work stealing data from browsers, accessing cryptocurrency wallets, and capturing clipboard contents.
The "Pam" in PamStealer
What gives PamStealer its name is its most inventive feature: the way it captures the user's login password. The malware presents a fake system dialog box, claiming that "Maccy wants to make changes" and asking for the user's password.
Instead of immediately sending the captured password to a remote server, it first validates it locally using macOS's built-in Pluggable Authentication Modules (PAM) interface. This is the same system component macOS uses for legitimate password verification. By using PAM, the malware can confirm it has the correct password without making any noisy external network calls or spawning suspicious processes, a technique that sets it apart from more common, cruder stealers. Only after the password has been verified does the malware exfiltrate it.
Staying Hidden
PamStealer goes to great lengths to avoid detection. It masquerades as legitimate system components like Finder or Software Update. It can also delay suspicious actions, such as requesting Full Disk Access, for up to 40 minutes after the initial infection, making it harder for users to connect the prompt to the malicious application they just installed.
For persistence, the malware registers itself as a Login Item, ensuring it runs automatically every time the user starts their Mac.
This combination of a clever delivery mechanism, quiet execution, and local password validation makes PamStealer a formidable new threat. It serves as a stark reminder that no operating system is immune to attack. Mac users should remain vigilant, only download software from the official App Store or the verified websites of trusted developers, and be suspicious of any application that asks them to run scripts or enter their password unexpectedly.