PamStealer Malware Verifies Stolen Mac Passwords Live

Published on: July 3, 2026
Written by Sofia Ramirez
Reviewed by Barry Elad

Jamf Threat Labs disclosed a new macOS infostealer, PamStealer, on July 2, 2026. According to Jamf, researcher Thijs Xhaflaire found that the malware validates a stolen password through Apple’s own PAM authentication API before exfiltrating it.

Quick Summary – TLDR:

  • Jamf Threat Labs named the malware PamStealer and traced it to a fake disk image impersonating the Maccy clipboard manager app.
  • PamStealer checks a typed password locally using the PAM API (`pam_start`, `pam_authenticate`, `pam_end`) before sending it out, a quieter method than the usual `dscl` or `security` command calls.
  • The malware runs only on Apple Silicon Macs and shuts down automatically on Intel machines and in 11 listed CIS countries.
  • A fake Full Disk Access prompt appears with a delay of up to 40 minutes, per Jamf, timed so it does not line up with when the app first opened.
  • Stage two is a Rust-written Mach-O binary, a language Ars Technica called uncommon for macOS stealers, built to pull browser logins, cookies, Ethereum wallet data, clipboard contents, and keychain entries.

What Happened?

Jamf Threat Labs published the PamStealer analysis this week and reported the malware spreads through a fake disk image hosted at the domain maccyapp[.]com. The lure fits the wider pattern in our Cybersecurity Threat Data coverage: disguised-app campaigns keep resurfacing because they still convert.

The disk image mimics the real Maccy clipboard manager. Inside sits a compiled AppleScript named Maccy.scpt. It uses Greek and Cyrillic homoglyph characters (letters that look identical to Latin ones) to slip past text-based malware scanners.

🚨 PamStealer targets Mac users through fake Maccy sites.

A compiled AppleScript stages a Rust stealer that validates the entered login password through PAM, then targets browsers, crypto wallets, iCloud Keychain, and clipboard content.

How the attack chain works:… pic.twitter.com/EnE4wwALJI

— The Hacker News (@TheHackersNews) July 3, 2026

The infection chain needs one step most malware skips. Victims must double-click the disk image and press Command+R, an action that lets the AppleScript bypass the com.apple.quarantine attribute macOS attaches to downloaded files. The extra keystroke narrows the victim pool to users comfortable overriding macOS security prompts, the same audience most likely to hold browser-stored wallet credentials worth harvesting.

A JavaScript for Automation (JXA) payload then pulls the second stage using native NSURLSession and Objective-C calls rather than shell tools like curl, dodging the process logs endpoint tools watch. Stolen data leaves the machine for avenger-sync[.]live, encrypted with ChaCha20-Poly1305 inside a JSON envelope.

Why the PAM Trick Matters?

Most Mac stealers grab a password and ship it out without knowing whether it works. PamStealer shows a native-looking password prompt, then feeds whatever the victim types into the PAM authentication flow macOS itself uses to log users in, confirming the password before exfiltration.

That check runs inside the PAM stack instead of spawning outside utilities such as `dscl` or `security`, producing less of the process activity endpoint tools watch for. Every credential reaching PamStealer’s server has already been confirmed to unlock the account, cutting out the mistyped and outdated passwords that normally clutter a stolen-data dump.

Operators are optimizing for quality over volume: they treat validated credentials as a higher-value product than scraped data, and they quietly deny defenders the noise ratio analysts once used to gauge intrusion freshness.

Built to Run Quietly, Only Where It’s Safe

PamStealer’s second stage is an arm64 Rust Mach-O binary with no x86_64 variant, so it only executes on Apple Silicon hardware. It reads environment signals including CPU architecture, locale, keyboard layout, and timezone, then exits silently on machines configured for CIS countries including Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia. Both filters look self-limiting on purpose: Apple-Silicon-only execution locks the harvest to the Mac install base most likely to carry high-value browser sessions, and the CIS exit steers operators away from jurisdictions where compromising a local machine carries a different legal risk.

Trait          Detail
Stage one      Compiled AppleScript (Maccy.scpt) + JXA downloader
Stage two      arm64 Rust Mach-O, runtime-decoded strings
Persistence    SMAppService + legacy login items, marker file `.Maccy`
Disguise       Fake Finder.app / Software Update.app, ad-hoc signed
Exfil          avenger-sync[.]live, ChaCha20-Poly1305 encryption

Once running, the malware disguises itself as a fake Finder.app or Software Update.app with ad-hoc code signing, then persists using Apple’s modern ServiceManagement API (SMAppService) alongside legacy login items through an embedded helper binary. It tracks its own infection with a hidden marker file named `.Maccy`. The up-to-40-minute delay on the counterfeit Full Disk Access prompt fits the same design logic: by the time the alert surfaces, the victim has moved on from the install and is unlikely to connect the request to the Maccy launch that triggered it.

Together the exclusion list, Apple-Silicon build, and delayed prompt describe an operation tuned for a long runway on a curated victim pool.

What’s Next?

Expect copycat stealers to adopt PAM-based credential checks now that the technique is public. Jamf’s write-up documents indicators including the avenger-sync[.]live domain and the `.Maccy` marker file.

Reviewing Full Disk Access grants and avoiding the Command+R override on downloaded disk images helps reduce risk. No single control eliminates exposure.
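The published indicators (the avenger-sync[.]live and maccyapp[.]com domains, the `.Maccy` marker, the lookalike Finder.app / Software Update.app bundles) and the quarantine-attribute detail from the infection chain lend themselves to a fleet hunt script. The following is an added example written for this article, not code from Jamf Threat Labs or from the write-up; the DNS log lines and the file tree it builds are constructed, and the `sweep`/`demo_sweep` names, the `/Users`-style folder layout and the CoreServices path used to whitelist the genuine bundles are assumptions of the example.

```python
"""Hunt script for the PamStealer indicators named in Jamf's write-up (added example).

Checks: IoC domains in DNS/proxy log lines, the hidden `.Maccy` marker file,
lookalike Finder.app / Software Update.app bundles outside Apple's folder, and
downloaded .dmg files that no longer carry com.apple.quarantine.
The sample log lines and the tree built by build_demo_tree() are constructed.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Callable, Iterable, Optional

# Indicators as published in the article (defanged form).
IOC_DOMAINS_DEFANGED = ["avenger-sync[.]live", "maccyapp[.]com"]
MARKER_FILENAME = ".Maccy"
LOOKALIKE_BUNDLES = {"Finder.app", "Software Update.app"}
APPLE_SYSTEM_PREFIX = "/System/Library/CoreServices"  # assumption: where the genuine bundles live
QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed sample: resolver/proxy export lines of the kind an EDR might keep.
SAMPLE_DNS_LOG = [
    "2026-07-03T09:14:02Z mac-042 query A apple.com",
    "2026-07-03T09:14:05Z mac-042 query A api.avenger-sync.live",
    "2026-07-03T09:15:11Z mac-017 query A maccyapp.com",
    "2026-07-03T09:15:30Z mac-042 query A notavenger-sync.live",  # different domain, must not match
]

def refang(domain: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable hostname."""
    return domain.replace("[.]", ".")

def scan_log_for_domains(lines: Iterable[str], defanged: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line_number, indicator, line) for every line that names an IoC domain
    or one of its subdomains; a longer label that merely ends in it does not count."""
    patterns = [(d, re.compile(r"(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]+\.)*" + re.escape(refang(d))
                               + r"(?![A-Za-z0-9-])", re.I)) for d in defanged]
    hits = []
    for n, line in enumerate(lines, 1):
        for indicator, pat in patterns:
            if pat.search(line):
                hits.append((n, indicator, line.rstrip("\n")))
                break
    return hits

def find_marker_files(root: Path) -> list[Path]:
    """Walk `root` (typically /Users) for the hidden `.Maccy` infection marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if MARKER_FILENAME in files:
            hits.append(Path(dirpath) / MARKER_FILENAME)
    return sorted(hits)

def find_lookalike_bundles(root: Path) -> list[Path]:
    """Find Finder.app / Software Update.app bundles outside Apple's CoreServices folder.
    On a real Mac, follow up with `codesign -dv --verbose=2 <bundle>`; an ad-hoc
    signature is reported as `Signature=adhoc`."""
    hits = []
    for dirpath, dirs, _files in os.walk(root):
        for name in list(dirs):
            bundle = Path(dirpath) / name
            if name in LOOKALIKE_BUNDLES and not str(bundle).startswith(APPLE_SYSTEM_PREFIX):
                hits.append(bundle)
                dirs.remove(name)  # no need to descend into the bundle itself
    return sorted(hits)

def unquarantined_disk_images(downloads: Path,
                              list_xattrs: Optional[Callable[[str], list]] = None) -> list[Path]:
    """Return .dmg files in `downloads` with no com.apple.quarantine attribute.
    `list_xattrs` defaults to os.listxattr and is injectable so the check can be
    exercised off-macOS with a stand-in."""
    reader = list_xattrs or os.listxattr
    hits = []
    for img in sorted(downloads.glob("*.dmg")):
        try:
            attrs = reader(str(img))
        except OSError:
            attrs = []
        if QUARANTINE_XATTR not in attrs:
            hits.append(img)
    return hits

def sweep(dns_lines, users_root: Path, downloads: Path, list_xattrs=None) -> dict:
    """Run all four checks and return the findings keyed by check name."""
    return {
        "dns_hits": scan_log_for_domains(dns_lines, IOC_DOMAINS_DEFANGED),
        "marker_files": find_marker_files(users_root),
        "lookalike_bundles": find_lookalike_bundles(users_root),
        "unquarantined_dmgs": unquarantined_disk_images(downloads, list_xattrs),
    }

def build_demo_tree(base: Path) -> Path:
    """Constructed layout of one 'infected' home folder; returns its Downloads dir."""
    home = base / "Users" / "alice"
    (home / "Library" / "Application Support" / "Finder.app").mkdir(parents=True)
    (home / "Library" / MARKER_FILENAME).write_text("")
    (home / "Downloads").mkdir()
    (home / "Downloads" / "Maccy.dmg").write_bytes(b"")  # quarantine attribute stripped
    (home / "Downloads" / "Other.dmg").write_bytes(b"")  # still quarantined (see demo_sweep)
    return home / "Downloads"

def demo_sweep() -> dict:
    """Run the sweep against the constructed tree and sample log."""
    base = Path(tempfile.mkdtemp(prefix="pamstealer-demo-"))
    downloads = build_demo_tree(base)
    fake_xattrs = lambda p: [QUARANTINE_XATTR] if p.endswith("Other.dmg") else []
    return sweep(SAMPLE_DNS_LOG, base / "Users", downloads, fake_xattrs)

if __name__ == "__main__":
    for key, found in demo_sweep().items():
        print(f"{key}: {found}")
```

On a real Mac, call `sweep(open("dns.log"), Path("/Users"), Path.home() / "Downloads")` with the default xattr reader and scope the bundle walk to `/Users`, `/Library` and `/Applications` rather than the whole disk. A `.dmg` that lacks the quarantine attribute is a lead, not proof: some download paths never set it, so treat the finding as a prompt to check how the file arrived.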

SQ Magazine’s Takeaway

Jamf’s July 2 disclosure is worth reading closely for the verification step. PamStealer runs the same authentication flow macOS uses internally, so every credential reaching its server has already unlocked an account. That step benefits attackers because it borrows a trusted system function instead of calling suspicious external commands.

The Apple-Silicon-only build and CIS-country shutdown carry the same design signal. Paired with the delayed Full Disk Access prompt, they describe a durable operation on a curated victim pool, engineered so consent and surveillance never register as related events. Defenders reading Jamf’s indicators are working from a fresher playbook than most stealer disclosures offer.

This article has been reviewed and fact-checked by Barry Elad. SQ Magazine follows strict Publishing Principles and a documented Fact-Check Policy to ensure accuracy, transparency, and editorial independence across all content.


References

  • Jamf Threat Labs: PamStealer macOS infostealer analysis