216.73.216.133

PamStealer: a Rust-based macOS infostealer that validates credentials through PAM

Published 03/07/2026 04:26


Essential information

Published
03/07/2026 04:26
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
applescript dropper, browser data theft, clipboard stealer, credential theft, fake maccy, jxa downloader, macos infostealer, pam authentication, pamstealer, rust-based
Related entities
26 indicators, 15 observables, 1 malware

Description

PamStealer is a two-stage macOS infostealer distributed as a compiled AppleScript that impersonates Maccy, a legitimate clipboard manager, and is hosted on a fake domain. The first stage uses JavaScript for Automation (JXA) with Objective-C APIs to download its payloads, avoiding shell commands. The second stage is a Mach-O binary that validates stolen credentials through PAM before harvesting, reads browser databases directly using a bundled SQLite library, captures clipboard contents repeatedly via pbpaste, and exfiltrates data encrypted with ChaCha20-Poly1305. It establishes persistence through both the modern and the legacy login item APIs, masquerades as Finder or System Settings, and tricks victims into granting Full Disk Access through counterfeit alerts. The stealer contacts Ethereum RPC endpoints and applies region-based exclusions: it targets Apple silicon systems and excludes hosts located in Commonwealth of Independent States countries.

External references