---
title: "PamStealer Malware Verifies Stolen Mac Passwords Live"
date: 2026-07-03
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/07/pamstealer-macos-malware-exposed.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# PamStealer Malware Verifies Stolen Mac Passwords Live

Jamf Threat Labs disclosed a new macOS infostealer, PamStealer, on July 2, 2026. According to Jamf, researcher Thijs Xhaflaire found that the malware validates a stolen password through Apple’s own PAM authentication API before exfiltrating it.

## Quick Summary – TLDR:

- Jamf Threat Labs named the malware PamStealer and traced it to a fake disk image impersonating the Maccy clipboard manager app.
- PamStealer checks a typed password locally using the PAM API (`pam_start`, `pam_authenticate`, `pam_end`) before sending it out, a quieter method than the usual `dscl` or `security` command calls.
- The malware runs only on Apple Silicon Macs and shuts down automatically on Intel machines and in 11 listed CIS countries.
- A fake Full Disk Access prompt appears with a delay of up to 40 minutes, per Jamf, timed so it does not line up with when the app first opened.
- Stage two is a Rust-written Mach-O binary, a language Ars Technica called uncommon for macOS stealers, built to pull browser logins, cookies, Ethereum wallet data, clipboard contents, and keychain entries.

## What Happened?

Jamf Threat Labs published the PamStealer analysis this week and reported the malware spreads through a fake disk image hosted at the domain **maccyapp[.]com**. The lure fits the wider pattern in our [Cybersecurity Threat Data](https://sqmagazine.co.uk/cybersecurity-statistics/) coverage: disguised-app campaigns keep resurfacing because they still convert.

The disk image mimics the real **Maccy clipboard manager**. Inside sits a compiled AppleScript named Maccy.scpt. It uses Greek and Cyrillic homoglyph characters (letters that look identical to Latin ones) to slip past text-based malware scanners.
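The homoglyph trick above defeats scanners that match keywords byte-for-byte. The following added example (not code from Jamf or from the malware) shows the detection logic a scanner needs instead: flag tokens that mix Latin letters with Greek or Cyrillic ones, and fold the lookalikes back to Latin before keyword matching. The sample script text, the confusables table and the keyword list are constructed for the example.

```python
import re
import unicodedata

# Constructed subset of Greek/Cyrillic letters that render like Latin ones.
# A production scanner would load the full Unicode confusables.txt instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v", "\u03c1": "p",
}
LOOKALIKE_SCRIPTS = ("CYRILLIC", "GREEK")

# Constructed sample: line 3 hides "do shell script" behind a Cyrillic o
# (U+043E) and a Cyrillic es (U+0441); line 2 is an all-Cyrillic comment
# that must NOT be flagged (single script, no mixing).
SAMPLE = (
    'set appName to "Maccy"\n'
    '-- \u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0430\u0440\u0438\u0439\n'
    'd\u043e shell s\u0441ript "echo hello"\n'
)


def char_script(ch):
    """First word of the Unicode name: 'LATIN', 'CYRILLIC', 'GREEK', ..."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else ""


def find_mixed_script_tokens(text):
    """Return tokens that mix Latin letters with Greek/Cyrillic lookalikes."""
    findings = []
    for m in re.finditer(r"\w+", text):
        token = m.group()
        scripts = {char_script(c) for c in token if c.isalpha()}
        if "LATIN" in scripts and scripts & set(LOOKALIKE_SCRIPTS):
            suspects = [(c, "U+%04X" % ord(c)) for c in token
                        if char_script(c) in LOOKALIKE_SCRIPTS]
            findings.append({"token": token, "offset": m.start(), "chars": suspects})
    return findings


def fold_confusables(text):
    """Map every known lookalike to its Latin counterpart."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def scan_script(text, keywords=("do shell script", "NSURLSession")):
    """Keywords that appear only after folding were hidden by homoglyphs."""
    folded = fold_confusables(text)
    hidden = [k for k in keywords if k not in text and k in folded]
    return {"mixed_script_tokens": find_mixed_script_tokens(text),
            "hidden_keywords": hidden}
```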

> 🚨 PamStealer targets Mac users through fake Maccy sites.  
>   
> A compiled AppleScript stages a Rust stealer that validates the entered login password through PAM, then targets browsers, crypto wallets, iCloud Keychain, and clipboard content.  
>   
> How the attack chain works:… [pic.twitter.com/EnE4wwALJI](https://t.co/EnE4wwALJI)
> 
> — The Hacker News (@TheHackersNews) [July 3, 2026](https://x.com/TheHackersNews/status/2072954878704681217?ref_src=twsrc%5Etfw)

The infection chain needs one step most malware skips. Victims must double-click the disk image and press **Command+R**, an action that lets the AppleScript bypass the **com.apple.quarantine** attribute macOS attaches to downloaded files. The extra keystroke narrows the victim pool to users comfortable overriding macOS security prompts, the same audience most likely to hold browser-stored wallet credentials worth harvesting.

A **JavaScript for Automation (JXA) payload** then pulls the second stage using native NSURLSession and Objective-C calls rather than shell tools like curl, dodging the process logs endpoint tools watch. Stolen data leaves the machine for avenger-sync[.]live, encrypted with ChaCha20-Poly1305 inside a JSON envelope.

## Why the PAM Trick Matters?

Most Mac stealers grab a password and ship it out without knowing whether it works. PamStealer shows a native-looking password prompt, then feeds whatever the victim types into the PAM authentication flow macOS itself uses to log users in, confirming the password before exfiltration.

That check runs inside the PAM stack instead of spawning outside utilities such as `dscl` or `security`, producing less of the process activity endpoint tools watch for. Every credential reaching PamStealer’s server has already been confirmed to unlock the account, cutting out the mistyped and outdated passwords that normally clutter a stolen-data dump.

Operators are optimizing for quality over volume: they treat validated credentials as a higher-value product than scraped data, and they quietly deny defenders the noise ratio analysts once used to gauge [intrusion](https://sqmagazine.co.uk/cybersecurity-attacks-statistics/) freshness.

## Built to Run Quietly, Only Where It’s Safe

PamStealer’s second stage is an arm64 Rust Mach-O binary with no x86_64 variant, so it only executes on [Apple Silicon hardware](https://sqmagazine.co.uk/apple-intel-preliminary-chip-manufacturing-deal/). It reads environment signals including CPU architecture, locale, keyboard layout, and timezone, then exits silently on machines configured for CIS countries including Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia. Both filters look self-limiting on purpose: Apple-Silicon-only execution locks the harvest to the Mac install base most likely to carry high-value browser sessions, and the CIS exit steers operators away from jurisdictions where compromising a local machine carries a different legal risk.

| Trait | Detail |
| --- | --- |
| **Stage one** | Compiled AppleScript (Maccy.scpt) + JXA downloader |
| **Stage two** | arm64 Rust Mach-O, runtime-decoded strings |
| **Persistence** | SMAppService + legacy login items, marker file `.Maccy` |
| **Disguise** | Fake Finder.app / Software Update.app, ad-hoc signed |
| **Exfil** | avenger-sync[.]live, ChaCha20-Poly1305 encryption |

Once running, the malware disguises itself as a fake Finder.app or Software Update.app with ad-hoc code signing, then persists using Apple’s modern ServiceManagement API (SMAppService) alongside legacy login items through an embedded helper binary. It tracks its own infection with a hidden marker file named `.Maccy`. The up-to-40-minute delay on the counterfeit Full Disk Access prompt fits the same design logic: by the time the alert surfaces, the victim has moved on from the install and is unlikely to connect the request to the Maccy launch that triggered it.

Together the exclusion list, Apple-Silicon build, and delayed prompt describe an operation tuned for a long runway on a curated victim pool.

## What’s Next?

Expect copycat stealers to adopt PAM-based credential checks now that the technique is public. Jamf’s write-up documents indicators including the avenger-sync[.]live domain and the `.Maccy` marker file.

Reviewing Full Disk Access grants and avoiding the Command+R override on downloaded disk images helps reduce risk. No single control eliminates exposure.

## SQ Magazine’s Takeaway

Jamf’s July 2 disclosure is worth reading closely for the verification step. **PamStealer** runs the same authentication flow macOS uses internally, so every credential reaching its server has already unlocked an account. That step benefits attackers because it borrows a trusted system function instead of calling suspicious external commands.

The Apple-Silicon-only build and CIS-country shutdown carry the same design signal. Paired with the delayed Full Disk Access prompt, they describe a durable operation on a curated victim pool, engineered so consent and surveillance never register as related events. Defenders reading Jamf’s indicators are working from a fresher playbook than most stealer disclosures offer.