Overview
- Jamf Threat Labs disclosed PamStealer on Thursday after finding disk images on fake Maccy websites that drop a Maccy.scpt AppleScript to start the infection chain.
- The AppleScript uses a JavaScript for Automation downloader and native Objective-C calls to stage a Rust second-stage payload that runs hidden and establishes persistence.
- PamStealer displays a legitimate-looking macOS authorization prompt, validates the entered login password through Pluggable Authentication Modules, and only proceeds with valid credentials.
- After validation the Rust payload collects browser cookies, saved credentials, browsing history, clipboard contents, SQLite databases and cryptocurrency wallet data, encrypts the collection and sends it to attacker-controlled servers.
- Researchers and the Maccy developer advise downloading Maccy only from maccy.app or its GitHub, treating unexpected admin prompts and Full Disk Access requests with suspicion, and using endpoint controls to block the threat.
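The delivery pattern above (an AppleScript dropper run from a mounted disk image) lends itself to a simple hunting heuristic over process-execution telemetry. The following is an added example written for this summary; it is not code from Jamf Threat Labs or the Maccy project. The event schema, field names and sample events are constructed, and the idea that the dropper is executed by `osascript` or Script Editor is an assumption of the example, not a detail the article states.

```python
"""Added example, not from the article or the Maccy project: flag an
AppleScript (.scpt) executed from a mounted disk image under /Volumes/,
the delivery pattern described for PamStealer. The ProcessEvent shape and
SAMPLE_EVENTS are constructed for this illustration."""

from dataclasses import dataclass
import posixpath

# Mounted disk images appear under /Volumes on macOS.
DMG_MOUNT_PREFIX = "/Volumes/"

# Assumption: the dropper is launched through one of these AppleScript runners.
SCRIPT_RUNNERS = {"osascript", "Script Editor"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-start record (constructed schema for this example)."""
    pid: int
    image: str                 # path of the executable that started
    argv: tuple                # command line, argv[0] included
    parent_image: str          # path of the parent process executable


def is_scpt_from_disk_image(ev: ProcessEvent) -> bool:
    """True when an AppleScript runner executes a .scpt that lives on a
    mounted disk image, e.g. osascript /Volumes/Maccy/Maccy.scpt."""
    if posixpath.basename(ev.image) not in SCRIPT_RUNNERS:
        return False
    return any(
        arg.endswith(".scpt") and arg.startswith(DMG_MOUNT_PREFIX)
        for arg in ev.argv[1:]
    )


def hunt(events) -> list:
    """Return the PIDs of events matching the disk-image dropper heuristic."""
    return [ev.pid for ev in events if is_scpt_from_disk_image(ev)]


# Constructed sample telemetry: one suspicious launch, two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent(
        pid=101,
        image="/usr/bin/osascript",
        argv=("osascript", "/Volumes/Maccy/Maccy.scpt"),
        parent_image="/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
    ),
    ProcessEvent(
        pid=102,
        image="/usr/bin/osascript",
        argv=("osascript", "/Users/alice/Scripts/backup.scpt"),
        parent_image="/bin/zsh",
    ),
    ProcessEvent(
        pid=103,
        image="/Applications/Maccy.app/Contents/MacOS/Maccy",
        argv=("Maccy",),
        parent_image="/sbin/launchd",
    ),
]

if __name__ == "__main__":
    print("suspicious PIDs:", hunt(SAMPLE_EVENTS))
```

The heuristic deliberately keys on the mount location rather than the file name, since the same dropper pattern could reuse any application's name; a locally run `.scpt` from the user's home directory (PID 102) does not match, nor does the genuine Maccy binary launched from `/Applications` (PID 103).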