
New macOS malware 'PamStealer' uses stealthy tradecraft

Created at 2 Jul · 7:45 PM · 1 source
IN SHORT

Researchers have identified a new macOS malware, dubbed PamStealer, that employs sophisticated techniques to steal user credentials. It uses a disk image disguised as a clipboard manager and an AppleScript to deliver a payload that leverages macOS's Pluggable Authentication Modules (PAM) interface.


Who's Involved

PamStealer
new macOS malware that steals credentials
Jamf
security firm that identified the malware

↳ Why This Matters

This discovery highlights the evolving sophistication of macOS malware, demonstrating how attackers are adopting native system features and advanced evasion techniques to bypass traditional security measures and steal sensitive user information.

Key facts

  • A new macOS malware, PamStealer, has been identified by security researchers.
  • The malware is distributed through a disk image disguised as the Maccy clipboard manager.
  • It utilizes AppleScript and JavaScript for Automation (JXA) to download and execute its payload.
  • PamStealer leverages macOS's Pluggable Authentication Modules (PAM) to steal user login credentials.
  • The malware employs techniques to remain stealthy, including masquerading as system processes and encrypting traffic.

Researchers have uncovered a novel macOS malware, named PamStealer, that employs advanced techniques to stealthily steal user credentials. The malware's initial distribution method involves a disk image that appears to be Maccy, a popular clipboard manager for Macs. Upon execution, the malware utilizes a two-stage process.

The first stage is an AppleScript embedded within the disk image, which is designed to be opened in the macOS Script Editor. This script executes a self-contained JavaScript for Automation (JXA) downloader. This downloader retrieves the second-stage payload by using native Objective-C APIs, a method that researchers note is less common than typical shell commands.

The second stage, written in Rust, is the core credential-stealing component. It earns its name, PamStealer, by utilizing the Pluggable Authentication Modules (PAM) interface built into macOS. This allows the malware to validate a user's login password locally before transmitting it to a server controlled by the attackers.

PamStealer's stealth rests on several factors. Delivering an AppleScript inside a disk image, and having that script run a JXA downloader, produces a quieter execution chain. When the user double-clicks the disk image, the AppleScript opens in Script Editor, and pressing Command-R executes the malicious code immediately, bypassing the com.apple.quarantine attribute that normally flags downloaded files. The malware further conceals itself by masquerading as legitimate macOS components such as Finder, encrypting its communication traffic, and delaying critical prompts such as the Full Disk Access request by up to forty minutes so that the prompt is not correlated with the application launch.
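As an added illustration of the defender's side (this is our code, not the article's or Jamf's, and the rules are our own assumptions), a minimal inventory check over constructed process records that flags the two traits the article describes: a process named Finder whose binary is not the system's own, and code executing straight from a mounted disk image.

```python
from dataclasses import dataclass

# Canonical executable paths of the system components the article says the
# payload imitates. Assumption: this table is ours, not Jamf's; extend per fleet.
SYSTEM_BINARIES = {
    "Finder": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
}

@dataclass(frozen=True)
class Proc:
    pid: int
    name: str   # process name as reported by ps or EDR telemetry
    path: str   # resolved executable path

def findings_for(proc: Proc) -> list:
    """Return the reasons a single process record looks suspicious (may be empty)."""
    reasons = []
    canonical = SYSTEM_BINARIES.get(proc.name)
    # Trait 1: a process borrowing a system component's name but not its binary.
    if canonical is not None and proc.path != canonical:
        reasons.append(f"pid {proc.pid}: named '{proc.name}' but runs from {proc.path}")
    # Trait 2 (low confidence, our heuristic): executing straight out of a mounted
    # image under /Volumes, the delivery vehicle described in the article.
    if proc.path.startswith("/Volumes/"):
        reasons.append(f"pid {proc.pid}: executable lives on a mounted volume")
    return reasons

def scan(procs) -> dict:
    """Map pid -> findings for every record that triggered at least one rule."""
    hits = {}
    for p in procs:
        found = findings_for(p)
        if found:
            hits[p.pid] = found
    return hits

# Constructed sample inventory (not real telemetry); the paths are made up.
SAMPLE = [
    Proc(310, "Finder", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"),
    Proc(4122, "Finder", "/Users/alice/Library/Application Support/.cache/Finder"),
    Proc(4130, "Maccy", "/Volumes/Maccy/Maccy.app/Contents/MacOS/Maccy"),
    Proc(512, "Safari", "/Applications/Safari.app/Contents/MacOS/Safari"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, reasons)
```

The /Volumes rule will also fire on software legitimately run from external drives, so treat it as a triage signal rather than a verdict.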

Frequently asked questions

What is PamStealer?
PamStealer is a newly discovered malware targeting macOS. It is designed to steal user login credentials by exploiting the system's Pluggable Authentication Modules (PAM) interface.

How is PamStealer distributed?
It is distributed via a disk image that masquerades as a legitimate application, specifically the Maccy clipboard manager. The malware then uses AppleScript and JavaScript for Automation (JXA) to download its main payload.

How does PamStealer stay hidden?
PamStealer uses several stealth techniques, including disguising itself as system processes like Finder, encrypting its command-and-control traffic, and delaying requests for sensitive permissions like Full Disk Access.

What role does PAM play?
PAM (Pluggable Authentication Modules) is used by PamStealer to validate and capture the user's login password before sending it to the attacker.

What Happens Next

1. Further analysis of PamStealer's capabilities and distribution methods is ongoing.
2. Security firms are developing detection and mitigation strategies for PamStealer.


How It Developed

  • A new macOS malware named PamStealer has been discovered by researchers.
  • The malware is delivered via a disk image disguised as the Maccy clipboard manager.
  • It uses an AppleScript to execute a self-contained JavaScript for Automation (JXA) downloader.
  • The downloader retrieves and stages the payload using native Objective-C APIs.
  • The second stage, written in Rust, uses the Pluggable Authentication Modules (PAM) interface to capture login passwords.
  • PamStealer bypasses macOS's com.apple.quarantine attribute by using a specific key combination.
  • The malware masquerades as Finder, encrypts its command-and-control traffic, and delays Full Disk Access requests to evade detection.

Sources

New PamStealer macOS malware uses clever tradecraft to remain stealthy (Ars Technica)
