Particle.news

PamStealer Verifies macOS Passwords Through PAM Before Stealing Data

Jamf says the Rust‑based Apple Silicon stealer uses host fingerprinting, fake Full Disk Access prompts, lookalike downloads to reach selected Macs.

Overview

  • Jamf Threat Labs disclosed early July that a campaign is using a fake download for the Maccy clipboard app to drop a malicious AppleScript that fetches a second‑stage payload.
  • The second stage is a Rust binary built for Apple Silicon that disguises itself as Finder or Software Update and only activates on hosts that match a derived fingerprint such as CPU type, locale, keyboard layout and time zone.
  • Before exfiltrating data the malware validates any entered login password against macOS Pluggable Authentication Modules (PAM), letting attackers confirm credentials work before expanding theft.
  • If activated, PamStealer harvests Keychain items, browser credentials, cookies, clipboard contents, wallet files and other user data, encrypts the haul and attempts to gain Full Disk Access by showing a delayed fake Finder prompt.
  • Jamf has published technical details, indicators of compromise and mitigations, has notified Apple, and warns users to download only from trusted sources, scrutinize unexpected admin or Full Disk Access prompts, and keep macOS and security tools updated.