PamStealer, the Mac malware that first verifies the stolen password and then uses it
Overview
Jamf Threat Labs has identified PamStealer, a new infostealer for macOS that stands out for an unusual detail: before exfiltrating the stolen login password, it verifies it through the system's PAM API, so that only credentials that actually work are transmitted. The analysis, by researcher Thijs Xhaflaire, is published on the Jamf Threat Labs blog.
Distribution Vector
The distribution vector is a lookalike site, maccyapp[.]com, which mimics the legitimate Maccy, an open-source clipboard manager for macOS whose official domain is maccy.app. From there the victim downloads a disk image containing the first stage of the infection, a compiled AppleScript file (.scpt).
A Dropper Designed to Leave No Trace
The .scpt file opens in Script Editor and shows instructions prompting the user to press ⌘+R to run it: this executes the malicious code hidden at the bottom of the file. Because the code runs inside Script Editor, an Apple-signed application that is already trusted, rather than as a launched app bundle, the com.apple.quarantine attribute on the downloaded file never triggers a Gatekeeper check. The subsequent downloader, written in JXA (JavaScript for Automation), fetches and stages the payload through native Objective-C APIs such as NSURLSession, avoiding shell commands such as curl or zsh and thus leaving no child-process artifacts for endpoint detection to key on.
Environment Fingerprinting
Before proceeding, the dropper fingerprints its environment: it derives a decryption key from the CPU architecture, the system language, the keyboard layout, and the host's time zone. The encrypted configuration, which contains the URL of the actual payload and the installation path, decrypts correctly only on Apple Silicon; on an Intel Mac the derived key is different, decryption fails, and the dropper exits without doing anything. The same mechanism also excludes systems whose time zone, language, or keyboard layout is associated with Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, or Georgia. A side effect for analysts is that the payload URL cannot be recovered from the dropper alone without reproducing, or enumerating, the expected fingerprint.
Masquerading as Finder
Once these checks pass, the second stage, a Mach-O arm64 binary written in Rust, installs itself at ~/Library/Application Support/com.apple.finder.core/Finder.app, uses the genuine Finder icon, and stays hidden, with no windows and no presence in the Dock.
It is here that the feature giving the malware its name appears: PamStealer displays a native system prompt asking for the login password and validates it through the pam_start, pam_authenticate, and pam_end functions of macOS PAM. If the password entered is wrong, the prompt reappears until the victim types the correct one. According to Jamf, the entire verification happens through the API, in-process, without relying on external tools such as dscl, security, or osascript: since no child process is spawned, the routine is quieter than that of most commodity macOS infostealers, which typically validate or harvest the password by invoking exactly those utilities. Once a valid password is obtained, the malware shows a fake alert mimicking Gatekeeper, "'Maccy' is damaged and can't be opened. You should move it to the Trash", to convince the victim that the download was simply corrupted, while the payload is already running and the password has already been exfiltrated.
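How an in-process PAM check of this kind works, shown as an added example in Python (not Jamf's analysis code and not the malware's): pam_start, pam_authenticate and pam_end are called through ctypes with a conversation callback that supplies the candidate password, so no dscl, security or osascript child process ever appears. The service name "login", the retry helper, and the test user name are this example's assumptions; the article does not say which PAM service the sample opens.

```python
"""In-process password verification through libpam, using only
pam_start / pam_authenticate / pam_end and a conversation callback.
Added example: not PamStealer's code.  Assumption: the PAM service name
"login" (the article does not say which service the sample opens)."""
import ctypes
import ctypes.util

PAM_SUCCESS = 0
PAM_PROMPT_ECHO_OFF = 1   # password prompt
PAM_PROMPT_ECHO_ON = 2    # username-style prompt
PAM_BUF_ERR = 5           # same value in Linux-PAM and OpenPAM (macOS)


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    # resp is declared void* so a libc-allocated address can be stored directly
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


# int conv(int num_msg, const struct pam_message **msg,
#          struct pam_response **resp, void *appdata_ptr)
# Both Linux-PAM and OpenPAM pass msg as an array of pointers.
CONV_FUNC = ctypes.CFUNCTYPE(
    ctypes.c_int, ctypes.c_int,
    ctypes.POINTER(ctypes.POINTER(PamMessage)),
    ctypes.POINTER(ctypes.POINTER(PamResponse)),
    ctypes.c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def _load_libpam():
    """Handle to libpam, or None when the host has no PAM library."""
    for name in ("libpam.so.0", "libpam.so", "libpam.dylib",
                 ctypes.util.find_library("pam")):
        if name:
            try:
                return ctypes.CDLL(name)
            except OSError:
                pass
    return None


def pam_check_password(user, password, service="login"):
    """True if PAM accepts user/password, False if it rejects them,
    None if libpam is not available.  No child process is created."""
    pam = _load_libpam()
    if pam is None:
        return None
    libc = ctypes.CDLL(None)
    libc.calloc.restype = ctypes.c_void_p
    libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.restype = ctypes.c_void_p
    libc.strdup.argtypes = [ctypes.c_char_p]
    pam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                              ctypes.POINTER(PamConv),
                              ctypes.POINTER(ctypes.c_void_p)]
    pam.pam_authenticate.argtypes = [ctypes.c_void_p, ctypes.c_int]
    pam.pam_end.argtypes = [ctypes.c_void_p, ctypes.c_int]

    @CONV_FUNC
    def conv(num_msg, msg, resp, appdata):
        # PAM releases the array and every resp string with free(), so both
        # must come from the C allocator, never from Python-owned memory.
        arr = libc.calloc(num_msg, ctypes.sizeof(PamResponse))
        if not arr:
            return PAM_BUF_ERR
        responses = ctypes.cast(arr, ctypes.POINTER(PamResponse))
        for i in range(num_msg):
            if msg[i].contents.msg_style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                responses[i].resp = libc.strdup(password.encode())
            # PAM_ERROR_MSG / PAM_TEXT_INFO keep the NULL resp left by calloc
        resp[0] = responses
        return PAM_SUCCESS

    handle = ctypes.c_void_p()
    conversation = PamConv(conv, None)
    rc = pam.pam_start(service.encode(), user.encode(),
                       ctypes.byref(conversation), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        return False
    try:
        rc = pam.pam_authenticate(handle, 0)
    finally:
        pam.pam_end(handle, rc)
    return rc == PAM_SUCCESS


def first_accepted(user, attempts, check=pam_check_password):
    """The retry pattern the article describes: keep asking until a
    credential verifies.  `attempts` is an iterable of candidate passwords
    (typed into a prompt in the real case); `check` is injectable for tests."""
    for candidate in attempts:
        if check(user, candidate):
            return candidate
    return None
```

On macOS the loader resolves libpam.dylib (OpenPAM), on Linux libpam.so; the struct layouts and the three calls are the same. The defensive corollary is that there is no process tree to alert on: a detection has to key on which binary is loading libpam and putting up a password prompt, for example an unsigned Finder.app under ~/Library/Application Support, rather than on child processes of that binary.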
Data Theft, Persistence, and C2 Infrastructure
The second stage steals browser credentials and cookies, SQLite databases, clipboard contents (captured with pbpaste at irregular intervals), crypto-wallet browser extensions, and the iCloud Keychain. The data is encrypted with ChaCha20-Poly1305 and sent by HTTP POST to the command-and-control infrastructure at avenger-sync[.]live, fronted by Cloudflare; the encryption keys are derived at runtime and are never written to disk.
To widen its access, the malware tries to obtain Full Disk Access with a fake system alert, again bearing the Finder icon, that directs the user to the corresponding pane in System Settings; the request appears up to 40 minutes after launch, to avoid arousing suspicion. Persistence relies on two parallel mechanisms, SMAppService and the older LSSharedFileListInsertItemURL API; the latter is implemented by a small arm64 helper of about 34 KB embedded in the Rust binary, which writes itself to /private/tmp/System Settings, masquerading as the System Settings app.
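A host-hunting check for the on-disk artifacts named in this section and the Masquerading as Finder section, as an added Python example (not Jamf's tooling). The genuine Finder lives in /System/Library/CoreServices, so any Finder.app under ~/Library/Application Support is suspicious by location alone; the script confirms the hit by parsing the 64-bit Mach-O header of every executable it finds and reporting the architecture and size, which lets the ~34 KB arm64 helper be recognised. Assumptions: the home directory and filesystem root are parameters so the scan can run over a mounted image or a constructed test tree; the bundle executable is assumed to sit at the standard Contents/MacOS location; the demo tree is constructed, with fake header-only binaries.

```python
"""Hunt for the on-disk artifacts this article attributes to PamStealer.
Added example, not Jamf's tooling.  Assumptions: home and root directories
are parameters; the demo tree below is constructed, not a real sample."""
import os
import struct
import tempfile

MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O, little-endian on disk
CPU_TYPE_ARM64 = 0x0100000C     # CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_TYPE_X86_64 = 0x01000007    # CPU_TYPE_X86 | CPU_ARCH_ABI64

# (label, base, relative path) as reported in the article.
ARTIFACTS = [
    ("finder_masquerade", "home",
     "Library/Application Support/com.apple.finder.core/Finder.app"),
    ("settings_helper", "root", "private/tmp/System Settings"),
]


def macho_arch(path):
    """'arm64', 'x86_64', 'other', or None when not a 64-bit Mach-O."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(8)
    except OSError:
        return None
    if len(header) < 8:
        return None
    magic, cputype = struct.unpack("<II", header)
    if magic != MH_MAGIC_64:
        return None
    return {CPU_TYPE_ARM64: "arm64", CPU_TYPE_X86_64: "x86_64"}.get(cputype, "other")


def _executables(path):
    """Every Mach-O under path: a bare binary or any file inside a bundle."""
    if os.path.isfile(path):
        candidates = [path]
    else:
        candidates = [os.path.join(d, f) for d, _, files in os.walk(path) for f in files]
    for cand in sorted(candidates):
        arch = macho_arch(cand)
        if arch is not None:
            yield {"path": cand, "arch": arch, "size": os.path.getsize(cand)}


def hunt(home, root="/"):
    """One finding per artifact path that exists; empty list means clean."""
    findings = []
    for label, base, rel in ARTIFACTS:
        path = os.path.join(home if base == "home" else root, rel)
        if os.path.exists(path):
            findings.append({"label": label, "path": path,
                             "binaries": list(_executables(path))})
    return findings


def _fake_macho(size, cputype=CPU_TYPE_ARM64):
    # Header only: magic, cputype, cpusubtype, filetype, then zero padding.
    return struct.pack("<IIII", MH_MAGIC_64, cputype, 0, 2).ljust(size, b"\0")


def make_sample_tree(base):
    """Constructed infected layout: Finder.app bundle plus the tmp helper."""
    macos = os.path.join(base, ARTIFACTS[0][2], "Contents", "MacOS")
    os.makedirs(macos)
    with open(os.path.join(macos, "Finder"), "wb") as fh:
        fh.write(_fake_macho(4096))
    with open(os.path.join(base, ARTIFACTS[0][2], "Contents", "Info.plist"), "w") as fh:
        fh.write("<plist/>")                     # non-Mach-O, must be skipped
    os.makedirs(os.path.join(base, "private", "tmp"))
    with open(os.path.join(base, ARTIFACTS[1][2]), "wb") as fh:
        fh.write(_fake_macho(34 * 1024))         # the ~34 KB arm64 helper


def demo():
    """Run the hunt over a throwaway constructed tree and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        return hunt(home=tmp, root=tmp)


if __name__ == "__main__":
    for f in hunt(os.path.expanduser("~")):
        print(f["label"], f["path"], f["binaries"])
```

Run without arguments the script scans the current user's home and the live root; the demo() helper exercises the same logic against the constructed tree. The login-item side of persistence is not covered here because it lives in Background Task Management state rather than in these two paths, and is better reviewed in System Settings > General > Login Items.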
Among the more curious details Jamf found in the decrypted C2 configuration, internally named "avenger-config-v2", are two public Ethereum JSON-RPC endpoints (eth.drpc.org and ethereum-rpc.publicnode[.]com) to which the fake Finder process actually connects. Their precise purpose, whether a resilient blockchain-based C2 channel or reconnaissance against the victim's wallets, remains unconfirmed in the available sources. Another anti-analysis measure concerns the decoy text in the .scpt file, which spells "Maccy" with Greek and Cyrillic homoglyphs visually identical to the Latin letters, to hinder automated matching on the decoy content.
Alex Rodionov, the developer of Maccy, has added warnings to the official site and to the GitHub repository to alert users. The analysis confirms that PamStealer's execution chain is built above all to stay quiet, avoiding any command that could trigger an alert.