
Researchers have found a never-before-seen piece of macOS malware that combines a number of clever techniques to infect Macs with stealthy, custom-developed credential-stealing code.
The malware is delivered in two stages. The first is distributed in a disk image that masquerades as Maccy, a clipboard manager for Mac. It is compiled AppleScript and stands out for the way it delivers the second stage. The malware is called PamStealer because the information stealer, written in Rust, uses the pluggable authentication modules (PAM) interface built into macOS to validate the target’s login password before sending it to a server controlled by the attacker.
A quieter execution chain
The use of both disk image and AppleScript is common in Mac malware. More unusual is the way PamStealer combines them to gain stealth. When AppleScript is double-clicked, it opens in the macOS Script Editor, where the malicious functionality is hidden deep in the file.
“Instead of relying on shell commands like curl or zsh, AppleScript runs a self-contained JavaScript for Automation (JXA) loader that retrieves and organizes the payload using native Objective-C APIs,” researchers at Jamf, a security company focused on macOS users, wrote. “Combined with a Rust-based second stage and a password capture workflow that validates credentials locally via PAM, the result is a quieter execution chain than we typically see in basic macOS stealers.”
When a user, hoping to install a reliable clipboard manager, opens the disk image, he or she is prompted to press Command-R immediately after double-clicking the script. This shortcut executes the malicious code directly within AppleScript. It also lets the code run without tripping com.apple.quarantine, the macOS attribute that triggers warnings and restrictions when executable files downloaded from the Internet are opened.
As Jamf explained:
PamStealer combines a newly emerging delivery surface with a less familiar payload. While the .scpt decoy and clickable Script Editor build on techniques already gaining adoption across the macOS threat landscape, the malware is distinguished by a self-contained JXA dropper, a Rust-based second stage, and a password capture workflow that validates credentials locally via PAM before harvesting them. That second stage puts considerable effort into remaining hidden, posing as Finder, encrypting its command and control traffic, and delaying prompts such as the full disk access request for up to forty minutes so that its activity does not align with startup. Together, these behaviors illustrate how macOS commodity stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while still supporting standard macOS features.
The first stage places its payload inside an application bundle that masquerades as a genuine component built into macOS. The component varies from one malware sample to another: Finder.app with the bundle identifier com.apple.finder.core or com.apple.finder.monitor, and Software Update.app with com.apple.security.daemon, are two examples. In every case the bundle runs hidden, and it displays the genuine macOS Finder.icns as its icon.
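The masquerade described above leaves traces in the bundle's own Info.plist: an Apple-style identifier, a hidden-app flag, and Finder's icon on something that is not Finder, all sitting in a user-writable directory. The script below is an added example, not code from the article or from Jamf. It parses constructed Info.plist records with Python's standard plistlib and flags bundles that match those traits. The three bundle identifiers come from the article; the heuristic rules, the list of Apple system directories, the genuine Finder identifier com.apple.finder under /System/Library/CoreServices, and the sample inventory are assumptions made for illustration.

```python
import plistlib
from pathlib import PurePosixPath

# Directories where genuine Apple system bundles live (assumption for this example);
# a com.apple.* identity that runs hidden outside them deserves a second look.
APPLE_SYSTEM_DIRS = ("/System/", "/Library/Apple/", "/usr/")

# Bundle names PamStealer's first stage borrows, as reported in the article.
IMPERSONATED_NAMES = {"Finder.app", "Software Update.app"}

# Bundle identifiers the article attributes to the malware (not a complete list).
KNOWN_BAD_IDS = {
    "com.apple.finder.core",
    "com.apple.finder.monitor",
    "com.apple.security.daemon",
}

GENUINE_FINDER_ID = "com.apple.finder"


def inspect_bundle(app_path: str, info_plist: bytes) -> list[str]:
    """Return indicator tags for one .app, given its path and raw Info.plist bytes."""
    info = plistlib.loads(info_plist)
    bundle_id = str(info.get("CFBundleIdentifier", ""))
    icon = str(info.get("CFBundleIconFile", ""))
    # LSUIElement / LSBackgroundOnly make an app run with no Dock icon or menu bar.
    hidden = bool(info.get("LSUIElement")) or bool(info.get("LSBackgroundOnly"))
    in_system_dir = app_path.startswith(APPLE_SYSTEM_DIRS)
    name = PurePosixPath(app_path).name

    findings = []
    if bundle_id in KNOWN_BAD_IDS:
        findings.append("known_pamstealer_bundle_id")
    if name in IMPERSONATED_NAMES and not in_system_dir:
        findings.append("system_app_name_outside_system_dir")
    if bundle_id.startswith("com.apple.") and hidden and not in_system_dir:
        findings.append("hidden_apple_lookalike_outside_system_dir")
    # Finder's icon on a bundle whose identifier is not Finder's own.
    if icon.lower().split(".")[0] == "finder" and bundle_id != GENUINE_FINDER_ID:
        findings.append("finder_icon_on_non_finder_bundle")
    return findings


def scan(bundles):
    """bundles: iterable of (path, info_plist_bytes). Returns {path: findings} for flagged apps."""
    report = {}
    for path, plist_bytes in bundles:
        findings = inspect_bundle(path, plist_bytes)
        if findings:
            report[path] = findings
    return report


def _plist(**keys) -> bytes:
    """Build an Info.plist in XML form from keyword arguments (test fixture helper)."""
    return plistlib.dumps(keys)


# Constructed sample inventory for the example; these are not real disk contents.
SAMPLE_BUNDLES = [
    ("/System/Library/CoreServices/Finder.app",
     _plist(CFBundleIdentifier="com.apple.finder", CFBundleIconFile="Finder.icns")),
    ("/Applications/Safari.app",
     _plist(CFBundleIdentifier="com.apple.Safari", CFBundleIconFile="AppIcon.icns")),
    ("/Users/alice/Library/Application Support/Finder.app",
     _plist(CFBundleIdentifier="com.apple.finder.core", CFBundleIconFile="Finder.icns",
            LSUIElement=True)),
    ("/Users/alice/Library/Caches/Software Update.app",
     _plist(CFBundleIdentifier="com.apple.security.daemon", CFBundleIconFile="Finder.icns",
            LSUIElement=True)),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_BUNDLES).items():
        print(path, "->", ", ".join(findings))
```

On a real host the same inspect_bundle call can be fed the bytes of each Contents/Info.plist found under the user's home and /Applications; the genuine Finder and Apple apps such as Safari produce no findings, while the two constructed lookalikes trip every rule.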