**New macOS macOS information stealer discovered, target masquerading as Maccy**
Security researchers at Jamf Threat Labs have discovered a new macOS information stealing malware code named **PamStealer**. The malware uses novel techniques to infect Apple computers and steal sensitive data by masquerading as the legitimate open-source utility Maccy, a popular clipboard manager.
The malware is delivered in two stages. The initial dropper is a compiled AppleScript (.scpt) file hidden inside a disk image. It pretends to be the Maccy application. A second-stage payload is a Rust-based infostealer designed to steal credentials, browser data, and other information.
Attackers lure victims to a lookalike website (maccyapp[.]com) that mimics the official Maccy site (maccy[.]app). When the user downloads the “Maccy.scpt” file, they are instructed to run it using “⌘ + R” or by pressing the Run button in Script Editor. This technique can bypass security measures, even when the file carries the `com.apple.quarantine` attribute, which is often used to flag downloaded files.
The script is designed to only execute on Apple Silicon Macs. It performs a fingerprint of the host environment, including CPU architecture, locale, keyboard layout, and time zone. If the environment matches the attacker’s profile—excluding certain regions like Eastern Europe—the script proceeds. On Intel-based Macs, the malware simply terminates.
Once activated, the script connects to a remote server and downloads a Mach-O binary written in Rust. This binary poses as the macOS Finder application. It then harvests data from web browsers, cryptocurrency wallet extensions, iCloud Keychain, and the system clipboard. The stolen data is encrypted and exfiltrated to a command-and-control server (avenger-sync[.]live) via an HTTP request.
Before exfiltrating data, the malware attempts to validate the user’s local password. It forces the user to enter their system password and verifies it locally using the macOS Pluggable Authentication Modules (PAM) API. If the password is incorrect, the prompt repeats until the correct one is supplied. After validation, a fake alert message appears, claiming that “Maccy is damaged and can’t be opened.” This serves as a decoy to trick the user into thinking the download was corrupted while the malware has already gained persistence and collected sensitive information.
The developers of Maccy, Alex Rodionov, have warned users on their official website and GitHub repository to avoid fake websites impersonating the tool. They emphasize that maccy[.]app is the only official source.
According to Jamf, the evolution of PamStealer shows how macOS malware is becoming quieter and more native in its execution, reducing the chances of traditional detection while maintaining compatibility with standard macOS features.
***
*Original article source:* [https://www.therecord.media/macos-malware-pamstealer-maccy-impersonation/](https://www.therecord.media/macos-malware-pamstealer-maccy-impersonation/)



