Friday, 3 July 2026
Rīga TV

World and Latvian news in one place

Technology | Published: 3 July 2026 at 01:38

New macOS Malware 'PamStealer' Uses Clever Techniques to Steal Passwords Stealthily

Researchers have discovered a novel macOS malware that combines multiple clever tactics to infect Macs and steal login passwords, staying hidden by masquerading as legitimate apps and delaying suspicious prompts.

Photo: Ars Technica

Researchers at security firm Jamf have discovered a new macOS malware named PamStealer. It is delivered in two stages. The first stage is a disk image masquerading as Maccy, a legitimate clipboard manager. The disk image contains an AppleScript that, when double-clicked, opens in Script Editor, with the malicious code buried deep within the file. Instead of using typical shell commands, the AppleScript uses JavaScript for Automation (JXA) to download the second stage through native Objective-C APIs.

The second stage is an infostealer written in Rust. It uses the Pluggable Authentication Modules (PAM) interface built into macOS to validate the user's login password locally before sending it to an attacker-controlled server.

PamStealer employs several stealth techniques. It sidesteps the com.apple.quarantine attribute by prompting the user to press Command-R immediately after double-clicking, which runs the malicious code without triggering the usual quarantine warnings. The second stage masquerades as legitimate system components such as Finder or Software Update, using genuine Finder icons. It also encrypts command-and-control traffic and delays prompts such as Full Disk Access requests for up to 40 minutes to avoid detection.

This combination of techniques makes PamStealer quieter than typical macOS stealers. The malware shows how commodity macOS stealers are evolving towards native implementations and less detectable execution chains.
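Two of the behaviours described above are cheap to check for on an endpoint: a process that calls itself Finder or Software Update but does not run from Apple's own path, and a downloaded file that carries no com.apple.quarantine attribute. The script below is an added example written for this page, not code from the article or from Jamf. The process snapshot and the xattr values are constructed sample data so it runs offline, the expected system paths are this example's assumption (verify them on your own macOS build), and the quarantine value layout assumed here is the usual `flags;timestamp;agent;uuid` form with hex flags and a hex timestamp.

```python
"""Triage helpers for two PamStealer-style indicators (added example).

1. Impostor processes: a display name that matches a system component
   but an executable living outside the expected Apple-owned path.
2. Quarantine gaps: downloaded files with no com.apple.quarantine value,
   which Gatekeeper would otherwise use to warn the user.

All sample data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed canonical locations of the components PamStealer is reported to
# imitate; confirm against a known-good machine before relying on them.
EXPECTED_SYSTEM_PATHS = {
    "Finder": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
    "Software Update": (
        "/System/Library/CoreServices/Software Update.app"
        "/Contents/MacOS/Software Update"
    ),
}


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str   # name as shown to the user (e.g. in Activity Monitor)
    path: str   # path of the executable actually running


def find_impostors(procs: List[Proc]) -> List[Proc]:
    """Return processes whose name claims to be a system component but whose
    executable is not at the expected path (e.g. under /Users or /tmp)."""
    hits = []
    for proc in procs:
        expected = EXPECTED_SYSTEM_PATHS.get(proc.name)
        if expected is not None and proc.path != expected:
            hits.append(proc)
    return hits


def parse_quarantine(value: str) -> Dict[str, object]:
    """Parse a com.apple.quarantine value of the form
    'flags;timestamp;agent;uuid' (hex flags, hex epoch seconds)."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    return {
        "flags": int(parts[0], 16),
        "timestamp": int(parts[1], 16),
        "agent": parts[2],
        "uuid": parts[3] if len(parts) > 3 else "",
    }


def files_missing_quarantine(xattrs: Dict[str, Optional[str]]) -> List[str]:
    """Given {path: quarantine value or None}, return paths with no value.
    On a real host the values would come from `xattr -p com.apple.quarantine`."""
    return [path for path, value in xattrs.items() if not value]


# Constructed process snapshot: pid 1 is the genuine Finder, pids 2 and 3
# borrow system names but run from user-writable locations.
SAMPLE_PROCS = [
    Proc(1, "Finder", EXPECTED_SYSTEM_PATHS["Finder"]),
    Proc(2, "Finder", "/Users/alice/Library/Application Support/Finder"),
    Proc(3, "Software Update", "/private/tmp/Software Update"),
    Proc(4, "Safari", "/Applications/Safari.app/Contents/MacOS/Safari"),
]

# Constructed xattr readings: the disk image has no quarantine attribute,
# the PDF was downloaded normally by Safari.
SAMPLE_XATTRS = {
    "/Users/alice/Downloads/maccy.dmg": None,
    "/Users/alice/Downloads/report.pdf": "0083;6863f2a0;Safari;0F3A1B2C-0000-4000-8000-000000000000",
}

if __name__ == "__main__":
    for proc in find_impostors(SAMPLE_PROCS):
        print(f"impostor pid={proc.pid} name={proc.name!r} path={proc.path}")
    for path in files_missing_quarantine(SAMPLE_XATTRS):
        print(f"no quarantine attribute: {path}")
    print(parse_quarantine(SAMPLE_XATTRS["/Users/alice/Downloads/report.pdf"]))
```

The name-versus-path comparison is the point: an icon and a process name are trivially copied, while the executable's real location is not. The quarantine check is a negative signal rather than proof of compromise (some legitimate tools write files without the attribute), so treat a hit as a reason to look closer, not as a verdict.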
