PamStealer macOS malware validates stolen passwords via system auth before exfiltrating
A newly identified macOS infostealer called PamStealer disguises itself as the legitimate clipboard manager Maccy, tricking users into entering their system password through a fake authorization prompt. Unlike most infostealers, it verifies the entered password against macOS's Pluggable Authentication Modules (PAM) stack to confirm it is genuine before storing it. The malware is delivered via a lookalike domain as a compiled AppleScript on a disk image, using native macOS APIs instead of shell commands to evade common process-based detection tools. Written in Rust and targeting arm64 Macs, it dynamically loads security frameworks at runtime to hide keychain-access capabilities from static analysis, while encrypting stolen data with ChaCha20-Poly1305 before transmission. Researchers at Jamf and ManageEngine independently documented the campaign, noting that configuration values rotate between samples but core behavior remains consistent, suggesting an automated builder.
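The summary makes two detection-relevant points: process-based rules that key on shell or `osascript` children see nothing when the stealer calls native APIs directly, and a static import scan misses keychain capability when Security.framework is loaded at runtime. The following is an added example written for this page, not code from the article, from Jamf or ManageEngine, or from any EDR product. It contrasts a naive child-process rule with a behavioural score over a constructed, hypothetical telemetry schema (field names, sample records, the `c2.example.invalid` host, the signing identity and the thresholds are all assumptions, not indicators from the campaign).

```python
"""Behavioural triage for the PamStealer pattern summarised on this page.

Added example for this page; not code from the article, the researchers,
or any vendor product. The ProcessRecord schema is constructed and
hypothetical: real endpoint telemetry (ESF, EDR) uses different fields.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: keychain APIs (SecItem*, SecKeychain*) live in Security.framework.
# A binary that dlopen()s it at runtime need not list it in its Mach-O load
# commands, which is all a static import listing (e.g. otool -L) would show.
SECURITY_FRAMEWORK = "/System/Library/Frameworks/Security.framework/"
# Hypothetical list of shell/LOLBin children a process-based rule would key on.
SHELL_TOOLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
               "/usr/bin/security", "/usr/bin/curl"}
SUSPICIOUS_THRESHOLD = 5  # illustrative, not tuned on real data


@dataclass
class ProcessRecord:
    path: str                     # executable path
    parent_path: str              # executable that launched it
    signing_id: Optional[str]     # None = unsigned
    linked_libraries: List[str]   # static LC_LOAD_DYLIB entries
    runtime_loads: List[str]      # images mapped after launch (dlopen etc.)
    child_processes: List[str]    # executables this process spawned
    outbound_hosts: List[str]     # hosts it connected to


def spawns_suspicious_shell(p: ProcessRecord) -> bool:
    """The kind of process-based rule the summary says the stealer evades:
    it fires only when a known shell or LOLBin is spawned as a child."""
    return any(child in SHELL_TOOLS for child in p.child_processes)


def triage(p: ProcessRecord) -> Tuple[int, List[str]]:
    """Score a process on the behaviours the summary attributes to PamStealer."""
    score, reasons = 0, []
    if p.path.startswith("/Volumes/") or p.parent_path.startswith("/Volumes/"):
        score += 1
        reasons.append("launched from a mounted disk image")
    # Script Editor exports AppleScript apps with a Contents/MacOS/applet launcher.
    if p.parent_path.endswith("/Contents/MacOS/applet"):
        score += 2
        reasons.append("parent is a compiled AppleScript applet")
    if p.signing_id is None:
        score += 1
        reasons.append("unsigned executable")
    linked = any(SECURITY_FRAMEWORK in lib for lib in p.linked_libraries)
    loaded = any(SECURITY_FRAMEWORK in lib for lib in p.runtime_loads)
    if loaded and not linked:
        score += 3
        reasons.append("Security.framework loaded at runtime, absent from static imports")
    if p.outbound_hosts and not p.child_processes:
        score += 2
        reasons.append("network egress with no child processes (native APIs, no shell)")
    return score, reasons


def verdict(p: ProcessRecord) -> str:
    score, _ = triage(p)
    return "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign"


# Constructed sample: a PamStealer-like payload launched by the applet stage
# from the mounted DMG. Host name is a placeholder, not a real indicator.
SAMPLE = ProcessRecord(
    path="/Volumes/Maccy/.payload",
    parent_path="/Volumes/Maccy/Maccy.app/Contents/MacOS/applet",
    signing_id=None,
    linked_libraries=["/usr/lib/libSystem.B.dylib",
                      "/System/Library/Frameworks/Foundation.framework/Foundation"],
    runtime_loads=["/System/Library/Frameworks/Security.framework/Security"],
    child_processes=[],
    outbound_hosts=["c2.example.invalid"],
)

# Constructed benign record: an installed, signed clipboard app that links
# Security.framework statically. The signing identity is a placeholder.
BENIGN = ProcessRecord(
    path="/Applications/Maccy.app/Contents/MacOS/Maccy",
    parent_path="/sbin/launchd",
    signing_id="example.signed.app",
    linked_libraries=["/usr/lib/libSystem.B.dylib",
                      "/System/Library/Frameworks/Security.framework/Security"],
    runtime_loads=[],
    child_processes=[],
    outbound_hosts=[],
)

if __name__ == "__main__":
    for name, rec in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, "shell rule:", spawns_suspicious_shell(rec),
              "| score:", triage(rec)[0], verdict(rec))
```

The point of the contrast is that the child-process rule returns False for the sample, exactly as the summary describes, while the runtime-load and egress-without-children checks still separate it from the benign record. The weights are illustrative; in practice they would be tuned against real telemetry, and the applet and disk-image checks alone would be noisy.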
This is an AI-generated summary. ShortSingh links to the original source for the complete article.