Anatomy of the
PamStealer
Malware Chain
How threat actors weaponize open-source trust, bypass Gatekeeper, and harvest macOS credentials with surgical precision.
The Maccy Application Lure & Initial Infection Vector
Threat actors continuously refine their social engineering tactics by hijacking the credibility of trusted, open-source utility applications. The PamStealer campaign, identified by Jamf Threat Labs, specifically targets macOS users by impersonating Maccy, a highly regarded clipboard manager. Instead of compromising the official supply chain, operators rely on typosquatting and malicious search engine optimization (SEO) routing to drive victims toward deceptive lookalike domains.
The official repository is isolated to maccy.app. Threat actors have weaponized domains like maccyapp[.]com and maccyapp[.]net to mirror the legitimate site perfectly. When a victim downloads from these fraudulent domains, they receive a disk image containing a compiled AppleScript (.scpt) file disguised as the Maccy installer.
This .scpt file serves as the initial dropper, hiding a self-contained JavaScript for Automation (JXA) downloader beneath massive blocks of empty code lines. By utilizing native Objective-C APIs through the JXA downloader, the operators ensure the initial staging phase avoids triggering traditional heuristic-based antivirus signatures.
Gatekeeper Evasion Through Script Editor Exploitation
Apple's macOS security model relies heavily on Gatekeeper. When a file is downloaded, macOS appends the com.apple.quarantine attribute. PamStealer bypasses this through an unconventional manual execution strategy.
Upon opening the malicious Maccy.scpt, the user is presented with the macOS Script Editor and instructed to run the script using "⌘ + R" or the Run button.
Jamf security researcher Thijs Xhaflaire highlighted that manual execution via Script Editor bypasses Gatekeeper entirely. Even with quarantine flag active, running code from inside the developer tool overrides standard restrictions.
This technique highlights a critical gap: while automated binary execution faces scrutiny, user-initiated script execution inside native developer tools remains highly privileged.
Stage One: Environmental Fingerprinting & Geofencing
🖥️ Hardware Profiling and Apple Silicon Targeting
Modern macOS malware is rarely deployed blindly. PamStealer initiates a rigorous environmental fingerprinting process immediately after AppleScript execution. The script evaluates the host's underlying hardware architecture, demanding Apple Silicon (M-series) to proceed.
The malware derives a decryption key dynamically from the system's exact fingerprint — aggregating CPU architecture, locale, keyboard layout, and time zone. This key decrypts the C2 URL and installation paths.
⚠️ If run on Intel-based Mac, the fingerprint generates an incorrect key, causing the dropper to terminate silently. This precise hardware targeting focuses exclusively on modern macOS infrastructure.
🌍 Geographic Exclusion Zones and Sandbox Detection
PamStealer checks system locale, keyboard input language, and time zone against a hardcoded list of restricted territories: Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia.
This "keyboard check" is a classic indicator of malware operators operating out of the CIS region. By avoiding infections within their own jurisdictions, they reduce the risk of local law enforcement attention.
The fingerprinting also evaluates virtualization or sandboxed environments. If synthetic or matching security vendor configurations, the dropper halts. Only when geography and hardware authenticity pass does the script download the second-stage payload.
The Rust-Based Infostealer Execution
📦 Component Masquerading and Data Exfiltration Channels
Once the configuration decrypts, the JXA script fetches a Mach-O binary compiled in Rust. Rust is favored for its memory safety and cross-platform capabilities, making reverse-engineering difficult.
This second-stage payload masquerades as macOS Finder. It scrapes data from browsers, cryptocurrency wallet extensions, iCloud Keychain, and clipboard content.
🌐 Harvested data is encrypted and exfiltrated via HTTP to avenger-sync[.]live, blending with normal web traffic to evade network detection.
🔑 PAM Credential Validation Loops
PamStealer's defining feature is its capture and real-time verification of the macOS user's system password via the Pluggable Authentication Modules (PAM) API.
The malware presents a native system password prompt. When the victim inputs their password, it checks it against the local PAM API. If incorrect, it loops the prompt indefinitely.
⚡ This ensures only 100% verified credentials are exfiltrated, eliminating bad data and granting immediate administrative access.
Persistence Mechanisms and Deceptive Decoys
⚙️ Mach-O System Settings Impersonation
Embedded within the Rust binary is a secondary arm64 Mach-O file that ensures persistence across reboots. It impersonates macOS System Settings to avoid detection.
It registers to launch at login, operates natively on Apple Silicon for efficiency, and avoids sluggishness that could alert the user.
🎭 The "Damaged Application" Decoy Strategy
After capturing the password and establishing persistence, the malware triggers a fake alert: "Maccy is damaged and can't be opened. You should move it to the Trash."
This mimics Apple's legitimate Gatekeeper warning. The victim deletes the dropper, voluntarily removing evidence while the Rust payload remains active.
According to Jamf Threat Labs, this psychological decoy is highly effective.
Industry Implications and Developer Response
📈 The Evolution of Commodity macOS Stealers
PamStealer represents a paradigm shift in commodity macOS malware. By combining AppleScript droppers, JXA, and Rust-based payloads, operators create quiet execution chains.
The psychological manipulation of users to bypass Gatekeeper reveals that the most critical vulnerability is human, not cryptographic.
⚡ PAM API validation shows tactical maturity previously reserved for APTs. The malware market now prioritizes data quality (verified credentials) over noisy infections.
🛡️ Developer Mitigations and User Protection Protocols
Alex Rodionov, the legitimate Maccy developer, responded by placing warnings on the official site and GitHub about fraudulent domains.
Organizations must monitor for unexpected Script Editor execution patterns, enforce DNS filtering to block typosquatting domains, and deploy EDR solutions that track anomalous child processes.
Conclusion
The discovery of PamStealer exposes a calculated escalation in macOS-targeted cybercrime. By weaponizing trust in open-source utilities and exploiting native macOS features, threat actors have engineered a stealthy, efficient data harvesting operation.
The reliance on Rust and Apple Silicon profiling indicates that macOS is now a primary, lucrative target. As Apple hardens Gatekeeper, adversaries will shift focus to social engineering that manipulates users into dismantling their own security.
🔐 "The most critical vulnerability remaining in macOS is not cryptographic, but psychological."
Frequently Asked Questions
1. What is PamStealer and what does it target?
PamStealer is a macOS information stealer targeting Apple Silicon machines. It harvests data from browsers, cryptocurrency wallet extensions, iCloud Keychain, and clipboard, while verifying passwords via the PAM API.
2. How does PamStealer bypass Gatekeeper?
It delivers a compiled AppleScript and instructs the user to run it from macOS Script Editor using ⌘+R. Execution inside this developer tool bypasses quarantine restrictions.
3. Why does it check time zone and keyboard layout?
To avoid analysis sandboxes and to exclude machines in Eastern European and Central Asian countries (Russia, Belarus, etc.) to evade local law enforcement scrutiny.
4. How does it verify a user's password locally?
It presents a fake system prompt, intercepts the input, and checks it against the macOS PAM API. If incorrect, it loops the prompt until the correct password is provided.
5. How are users tricked into ignoring the infection?
After harvesting credentials, it shows a fake "Maccy is damaged" alert, prompting the user to move it to Trash. The victim deletes the dropper, removing evidence while the malware persists.
Content based on Jamf research Affiliate disclosure: Some links are sponsored
0 Comments
If you have any doubts, Please let me know