
PamStealer: a Rust-based macOS infostealer that validates credentials through PAM

0
Medium
Published: 07/03/2026 (07/03/2026, 02:26:46 UTC)
Source: AlienVault OTX General

Description

PamStealer is a macOS infostealer malware distributed as a compiled AppleScript masquerading as a legitimate clipboard manager called Maccy. It operates in two stages: the first stage uses JavaScript for Automation with Objective-C APIs to download payloads without invoking shell commands, and the second stage is a Rust-based binary that validates stolen credentials via PAM before harvesting data. The malware steals browser data, repeatedly captures clipboard contents, and exfiltrates encrypted data using ChaCha20-Poly1305 encryption. It establishes persistence using login item APIs and tricks victims into granting Full Disk Access through fake alerts. PamStealer targets Apple silicon systems while excluding certain regions such as Commonwealth of Independent States countries. There is no known patch or vendor advisory for this malware.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 07/03/2026, 07:21:25 UTC

Technical Analysis

PamStealer is a two-stage macOS information stealer that begins as a compiled AppleScript impersonating the legitimate Maccy clipboard manager. The initial stage uses JavaScript for Automation (JXA) together with Objective-C APIs to download additional payloads without spawning shell commands, sidestepping detections keyed on shell execution. The second stage is a Rust-based Mach-O binary that validates stolen credentials through Pluggable Authentication Modules (PAM) before harvesting sensitive information. It reads browser databases directly through an embedded SQLite library, repeatedly captures clipboard contents via the pbpaste command, and exfiltrates the collected data encrypted with ChaCha20-Poly1305. Persistence is established through both the modern and the legacy login item APIs, with the malware masquerading as Finder or System Settings processes. It also relies on social engineering, displaying counterfeit alerts to persuade victims to grant Full Disk Access. The malware communicates with Ethereum RPC endpoints and applies region-based exclusions: it targets Apple silicon systems but avoids those located in Commonwealth of Independent States countries.

Potential Impact

PamStealer can steal user credentials, browser data and clipboard contents from macOS systems, validating the credentials through PAM before exfiltrating them in encrypted form. It can persist on infected systems and broaden its access by tricking users into granting Full Disk Access. Its restriction to Apple silicon systems and its exclusion of certain regions suggest selective targeting. There is no indication of known exploits in the wild beyond this analysis.

Mitigation Recommendations

No official patch or vendor advisory is available for PamStealer. Mitigation should focus on preventing execution of unknown AppleScript files, avoiding installation of software from untrusted sources, and withholding Full Disk Access from unverified applications. Monitoring for suspicious login item persistence and for network connections to unusual Ethereum RPC endpoints may aid detection. Users should be cautious of clipboard manager applications and verify their authenticity before installation.
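The detection advice above can be turned into a simple indicator sweep. The following Python is an added example, not code from AlienVault, Jamf or this page's source: it matches the domains, URLs and hashes from the Indicators of Compromise section below against key=value log lines. The log format, host names, file paths and the all-zero digest in the sample are constructed for the example, and the parent-domain heuristic (last two labels of each listed domain) is a hunting aid that is deliberately broader than the listed indicators, so its hits are reported separately from exact matches.

```python
"""Sweep key=value log lines for PamStealer indicators (added example)."""
import re
from urllib.parse import urlparse

# Indicator values taken from this page's Indicators of Compromise section.
IOC_DOMAINS = {
    "avenger-sync.live", "api.sync-master.online",
    "maccyapp.com", "api.live-updates.online",
}
IOC_URLS = {
    "http://api.live-updates.online/v1", "http://api.live-updates.online/v2",
    "http://api.sync-master.online/v1", "http://api.sync-master.online/v3",
    "http://avenger-sync.live/api/sync",
    "https://api.live-updates.online/v1", "https://api.live-updates.online/v2",
    "https://api.sync-master.online/v1", "https://api.sync-master.online/v3",
    "https://avenger-sync.live/api/sync", "https://maccyapp.com",
}
IOC_HASHES = {
    "bae0005a0bf0d467a672600833eeed92",
    "e291f991d4bd616203b291a36121dc8b0c15f509",
    "06fdd1d97df1105c542ddb881d751b659d555b5522c266f6364dae9f350fcfd0",
    "2b512f6c393edad89a89ecafe26cd23b71cfdd271c10522f8dba98997ebf39bb",
    "36d46ac7123e0cef04f179d88e590891c7e7c64ec5a77df4512cb485e40286da",
    "60df952153696d46a09774e44ca602393c6829f9e2c2ec4f95d571f9846242a8",
    "96c8ad78f6ccdf83d3dcabfd33ba563f7995f7237fe825de1eefd340821abdf3",
    "ab3a14096851cc18a253c1cd1c25df74f2cf23eb29051784ce47f9fc318f0f22",
    "bb01f3c36110d2cc31ae51c4ff2f17be19bea625755b5339680431fab98616df",
    "ca7f5c0668f1a871523d485e42884c3b98910117d7ca17c8b3c3b3744a936e0f",
    "e8b18c420669deb8fc6f69e74146e499057c3c77436ac6ca54af37befa9ddaa5",
    "f48b69e4b7fb4d53de25b4c9be8e8dbe0999c10d5306e01aa08e1761fc3dedbe",
    "ff20b429cb1c89e1cdb6734b00cc8cf021d2d13fd686bbc70709b3dd549285d2",
}
# Registrable parent of each listed domain (last two labels). Adequate for
# these TLDs; a public-suffix list would be needed for names like co.uk.
PARENT_DOMAINS = {".".join(d.split(".")[-2:]) for d in IOC_DOMAINS}
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest lengths


def classify_hash(value):
    """Infer the digest algorithm from the hex length, or None if not hex."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HASH_ALGOS.get(len(v))


def normalize_domain(name):
    """Lowercase and drop the trailing dot that DNS logs often keep."""
    return name.strip().lower().rstrip(".")


def match_domain(name):
    """("exact", ioc) for a listed domain, ("parent", parent) for any name
    under a listed domain's registrable parent, else None."""
    n = normalize_domain(name)
    if n in IOC_DOMAINS:
        return ("exact", n)
    for parent in PARENT_DOMAINS:
        if n == parent or n.endswith("." + parent):
            return ("parent", parent)
    return None


def match_url(url):
    """Exact hit on a listed URL (scheme, host and path, trailing slash
    ignored); otherwise fall back to the host name check."""
    p = urlparse(url.strip())
    canon = f"{p.scheme}://{normalize_domain(p.hostname or '')}{p.path}".rstrip("/")
    if canon in IOC_URLS:
        return ("exact", canon)
    return match_domain(p.hostname or "")


def match_hash(value):
    v = value.strip().lower()
    return ("exact", v) if v in IOC_HASHES else None


KV = re.compile(r"(\w+)=(\S+)")
CHECKS = (("qname", match_domain), ("url", match_url),
          ("md5", match_hash), ("sha1", match_hash), ("sha256", match_hash))


def scan_events(lines):
    """Return one hit dict per matched field across all key=value lines."""
    hits = []
    for line in lines:
        fields = dict(KV.findall(line))
        for key, fn in CHECKS:
            if key in fields and (res := fn(fields[key])):
                hit = {"host": fields.get("host"), "field": key,
                       "value": fields[key], "kind": res[0], "ioc": res[1]}
                if fn is match_hash:
                    hit["algo"] = classify_hash(fields[key])
                hits.append(hit)
    return hits


# Constructed sample lines: a DNS query log, a proxy log and a file-hash
# inventory, all in the same key=value style. The all-zero SHA-256 is a
# placeholder for a benign file.
SAMPLE_LOG = [
    "2026-03-07T02:30:01Z host=mac-12 qname=api.sync-master.online. qtype=A",
    "2026-03-07T02:30:02Z host=mac-12 qname=cdn.live-updates.online. qtype=A",
    "2026-03-07T02:30:05Z host=mac-07 qname=www.apple.com. qtype=AAAA",
    "2026-03-07T02:31:10Z host=mac-12 url=https://avenger-sync.live/api/sync method=POST",
    "2026-03-07T02:31:11Z host=mac-12 url=https://MaccyApp.com/ method=GET",
    "2026-03-07T02:35:00Z host=mac-12 path=/Users/dev/Downloads/Maccy.app/Contents/MacOS/Maccy "
    "sha256=06fdd1d97df1105c542ddb881d751b659d555b5522c266f6364dae9f350fcfd0",
    "2026-03-07T02:35:01Z host=mac-07 path=/Applications/Safari.app/Contents/MacOS/Safari "
    "sha256=" + "0" * 64,
]

if __name__ == "__main__":
    for h in scan_events(SAMPLE_LOG):
        print(f"{h['host']:7} {h['kind']:6} {h['field']}={h['value']} -> {h['ioc']}")
```

Exact matches on a listed domain, URL or hash are the high-confidence signal; a "parent" hit such as cdn.live-updates.online only says the host talked to infrastructure sharing a registrable domain with a listed indicator, and should be triaged rather than acted on directly.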


Technical Details

Author: AlienVault
TLP: white
References: https://www.jamf.com/blog/pamstealer-macos-infostealer-applescript-rust/
Adversary: null
Pulse Id: 6a471de6cf9848f2ef9503c0
Threat Score: null

Indicators of Compromise

Domain

Type    Value
domain  avenger-sync.live
domain  api.sync-master.online
domain  maccyapp.com
domain  api.live-updates.online

Hash

Type  Value
hash  bae0005a0bf0d467a672600833eeed92
hash  e291f991d4bd616203b291a36121dc8b0c15f509
hash  06fdd1d97df1105c542ddb881d751b659d555b5522c266f6364dae9f350fcfd0
hash  2b512f6c393edad89a89ecafe26cd23b71cfdd271c10522f8dba98997ebf39bb
hash  36d46ac7123e0cef04f179d88e590891c7e7c64ec5a77df4512cb485e40286da
hash  60df952153696d46a09774e44ca602393c6829f9e2c2ec4f95d571f9846242a8
hash  96c8ad78f6ccdf83d3dcabfd33ba563f7995f7237fe825de1eefd340821abdf3
hash  ab3a14096851cc18a253c1cd1c25df74f2cf23eb29051784ce47f9fc318f0f22
hash  bb01f3c36110d2cc31ae51c4ff2f17be19bea625755b5339680431fab98616df
hash  ca7f5c0668f1a871523d485e42884c3b98910117d7ca17c8b3c3b3744a936e0f
hash  e8b18c420669deb8fc6f69e74146e499057c3c77436ac6ca54af37befa9ddaa5
hash  f48b69e4b7fb4d53de25b4c9be8e8dbe0999c10d5306e01aa08e1761fc3dedbe
hash  ff20b429cb1c89e1cdb6734b00cc8cf021d2d13fd686bbc70709b3dd549285d2

Url

Type  Value
url   http://api.live-updates.online/v1
url   http://api.live-updates.online/v2
url   http://api.sync-master.online/v1
url   http://api.sync-master.online/v3
url   http://avenger-sync.live/api/sync
url   https://api.live-updates.online/v1
url   https://api.live-updates.online/v2
url   https://api.sync-master.online/v1
url   https://api.sync-master.online/v3
url   https://avenger-sync.live/api/sync
url   https://maccyapp.com

Threat ID: 6a475f7e27e9c7971933af47

Added to database: 07/03/2026, 07:06:38 UTC

Last enriched: 07/03/2026, 07:21:25 UTC

Last updated: 07/03/2026, 08:51:31 UTC

Views: 5
