PamStealer: a Rust-based macOS infostealer that validates credentials through PAM
PamStealer is a macOS infostealer malware distributed as a compiled AppleScript masquerading as a legitimate clipboard manager called Maccy. It operates in two stages: the first stage uses JavaScript for Automation with Objective-C APIs to download payloads without invoking shell commands, and the second stage is a Rust-based binary that validates stolen credentials via PAM before harvesting data. The malware steals browser data, repeatedly captures clipboard contents, and exfiltrates encrypted data using ChaCha20-Poly1305 encryption. It establishes persistence using login item APIs and tricks victims into granting Full Disk Access through fake alerts. PamStealer targets Apple silicon systems while excluding certain regions such as Commonwealth of Independent States countries. There is no known patch or vendor advisory for this malware.
AI Analysis
Technical Summary
PamStealer is a two-stage macOS information stealer that begins as a compiled AppleScript impersonating the legitimate Maccy clipboard manager. The initial stage uses JavaScript for Automation combined with Objective-C APIs to download additional payloads without spawning a shell, so that detections keyed on shell command execution are not triggered. The second stage is a Rust-based Mach-O binary that validates stolen credentials through the Pluggable Authentication Module (PAM) system before harvesting sensitive information. It reads browser databases directly using an embedded SQLite library, repeatedly captures clipboard contents via the pbpaste command, and exfiltrates the collected data encrypted with ChaCha20-Poly1305. Persistence is achieved through both the modern and the legacy login item APIs, with the malware masquerading as Finder or System Settings processes. It also uses social engineering, displaying counterfeit alerts to obtain Full Disk Access permission from the victim. The malware communicates with Ethereum RPC endpoints and applies region-based exclusions, specifically avoiding Apple silicon systems in Commonwealth of Independent States countries.
Potential Impact
PamStealer can steal user credentials, browser data and clipboard contents from macOS systems, validating the credentials through PAM and exfiltrating the encrypted data. It can maintain persistence on infected systems and gain broader file access by tricking users into granting Full Disk Access. Its exclusion of certain regions and its focus on Apple silicon systems suggest selective targeting. There is no indication of known exploits in the wild beyond this analysis.
Mitigation Recommendations
No official patch or vendor advisory is available for PamStealer. Mitigation should focus on preventing execution of unknown compiled AppleScript files, avoiding installation of software from untrusted sources, and not granting Full Disk Access to unverified applications. Monitoring for suspicious login item persistence, for network connections to unusual Ethereum RPC endpoints, and for traffic to the domains and URLs listed under Indicators of Compromise may aid detection. Users should be cautious of clipboard manager applications and verify their authenticity (for Maccy, the official download source) before installation.
Indicators of Compromise
- domain: avenger-sync.live
- domain: api.sync-master.online
- hash: bae0005a0bf0d467a672600833eeed92
- hash: e291f991d4bd616203b291a36121dc8b0c15f509
- hash: 06fdd1d97df1105c542ddb881d751b659d555b5522c266f6364dae9f350fcfd0
- hash: 2b512f6c393edad89a89ecafe26cd23b71cfdd271c10522f8dba98997ebf39bb
- hash: 36d46ac7123e0cef04f179d88e590891c7e7c64ec5a77df4512cb485e40286da
- hash: 60df952153696d46a09774e44ca602393c6829f9e2c2ec4f95d571f9846242a8
- hash: 96c8ad78f6ccdf83d3dcabfd33ba563f7995f7237fe825de1eefd340821abdf3
- hash: ab3a14096851cc18a253c1cd1c25df74f2cf23eb29051784ce47f9fc318f0f22
- hash: bb01f3c36110d2cc31ae51c4ff2f17be19bea625755b5339680431fab98616df
- hash: ca7f5c0668f1a871523d485e42884c3b98910117d7ca17c8b3c3b3744a936e0f
- hash: e8b18c420669deb8fc6f69e74146e499057c3c77436ac6ca54af37befa9ddaa5
- hash: f48b69e4b7fb4d53de25b4c9be8e8dbe0999c10d5306e01aa08e1761fc3dedbe
- hash: ff20b429cb1c89e1cdb6734b00cc8cf021d2d13fd686bbc70709b3dd549285d2
- url: http://api.live-updates.online/v1
- url: http://api.live-updates.online/v2
- url: http://api.sync-master.online/v1
- url: http://api.sync-master.online/v3
- url: http://avenger-sync.live/api/sync
- url: https://api.live-updates.online/v1
- url: https://api.live-updates.online/v2
- url: https://api.sync-master.online/v1
- url: https://api.sync-master.online/v3
- url: https://avenger-sync.live/api/sync
- url: https://maccyapp.com
- domain: maccyapp.com
- domain: api.live-updates.online
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.jamf.com/blog/pamstealer-macos-infostealer-applescript-rust/
- Adversary: null
- Pulse Id: 6a471de6cf9848f2ef9503c0
- Threat Score: null
Threat ID: 6a475f7e27e9c7971933af47
Added to database: 07/03/2026, 07:06:38 UTC
Last enriched: 07/03/2026, 07:21:25 UTC
Last updated: 07/03/2026, 08:51:31 UTC