PamStealer: a Rust-based macOS infostealer that validates credentials through PAM
Essential information
- Published: 03/07/2026 04:26
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: applescript dropper, browser data theft, clipboard stealer, credential theft, fake maccy, jxa downloader, macos infostealer, pam authentication, pamstealer, rust-based
- Related entities: 26 indicators, 15 observables, 1 malware
Description
PamStealer is a two-stage macOS infostealer distributed as a compiled AppleScript that impersonates Maccy, a legitimate clipboard manager, and is hosted on a fake domain. The first stage uses JavaScript for Automation (JXA) with Objective-C APIs to download its payloads, avoiding shell commands that would be easier to observe. The second stage is a Rust-based Mach-O binary that validates stolen credentials through PAM before harvesting, reads browser databases directly using a bundled SQLite library, repeatedly captures clipboard contents via pbpaste, and exfiltrates data encrypted with ChaCha20-Poly1305. It establishes persistence through both the modern and the legacy login item APIs, masquerades as Finder or System Settings, and tricks victims into granting Full Disk Access through counterfeit alerts. The stealer contacts Ethereum RPC endpoints and applies region-based exclusions: it targets Apple silicon systems and skips systems located in Commonwealth of Independent States countries.