PamStealer Targets Apple Silicon Macs With Advanced Credential Theft and Silent Data Exfiltration + Video



Introduction

Cybercriminals keep refining their malware to evade modern protections, and macOS is no longer treated as a hard target. As Apple strengthens built-in defenses such as Gatekeeper and notarization, attackers respond with techniques that lean on native macOS features instead of exploits. The latest example is PamStealer, a newly identified information stealer that combines AppleScript, JavaScript for Automation (JXA), Rust, and the macOS authentication stack to compromise victims quietly while remaining hard to detect. Its attack chain shows how social engineering and native system functionality work together to bypass user trust and traditional security monitoring.

PamStealer Emerges as a Sophisticated macOS Information Stealer

Security researchers have uncovered a new macOS information stealer known as PamStealer, an advanced malware family specifically engineered to steal credentials, browser information, cryptocurrency wallet data, and sensitive user files.

Researchers from Jamf Threat Labs identified the malware after discovering attackers distributing a fake version of the popular open source clipboard manager Maccy. Instead of installing the legitimate application, victims unknowingly execute a malicious AppleScript that silently prepares the full infection chain.

The malware takes its name from its distinguishing feature: it validates a stolen password against macOS Pluggable Authentication Modules (PAM) before transmitting it, so the operators receive only credentials that are known to be correct.

Fake Maccy Website Serves as the Initial Infection Vector

Rather than exploiting software vulnerabilities, the attackers rely on convincing phishing infrastructure.

Victims are redirected to a fraudulent website designed to closely imitate the legitimate Maccy download page. Domains such as maccyapp.com are intentionally chosen because they closely resemble the official maccy.app website, making the deception difficult to notice.

Users believe they are downloading a trusted productivity application when, in reality, they receive a malicious disk image containing a compiled AppleScript.

This attack demonstrates that visual imitation remains one of the most successful malware delivery techniques despite continuous improvements in browser security.

AppleScript Hides Malicious Logic Behind Empty Code

One of the most creative aspects of PamStealer is how its AppleScript is designed.

When victims open the script, it loads in Apple's Script Editor (the default handler for compiled .scpt files), and they are instructed to run it themselves by pressing ⌘ + R or clicking the Run button.

At first glance the script appears empty because the malicious commands sit beneath hundreds of blank lines; the editor window shows nothing unless the user scrolls. This simple trick lowers suspicion while the victim launches the hidden payload with their own keystroke.

Even more concerning, this execution path works while the file still carries Apple's quarantine attribute. Gatekeeper's signing and notarization checks apply to applications and executables being launched, not to a script opened as a document in Script Editor, so the developer-verification block a quarantined, unsigned app would trigger never appears; the user's ⌘ + R is what runs the code.

Environment Fingerprinting Targets Specific Victims

PamStealer does not execute blindly.

Before downloading its second-stage malware, it carefully fingerprints the victim’s system by collecting several hardware and software characteristics.

The malware gathers information including:

CPU architecture

System locale

Keyboard layout

Time zone

Regional configuration

These values are concatenated and used to derive a decryption key.

Only a system that produces the expected key can decrypt the embedded configuration, which holds the download location of the second-stage payload; a mismatched key yields nothing usable.

This is environmental keying, and it complicates analysis considerably: sandboxes and analyst machines whose architecture, locale or time zone differ from the intended victim profile never obtain the URL, so the second stage is never observed.

Apple Silicon Macs Become the Primary Target

One of

If the malware detects an Intel-based Mac, the generated decryption key becomes invalid, preventing configuration decryption and causing the malware to terminate automatically.

By limiting infections to ARM64 Macs, the operators need to ship only an Apple Silicon build and keep the payload away from analysts and sandboxes running on Intel hardware.

This targeting strategy highlights the growing importance of Apple Silicon within both enterprise environments and consumer systems.

Regional Filtering Helps Attackers Avoid Detection

PamStealer also refuses to run on systems configured for Russia and a number of other former Soviet states (the list spans Eastern Europe, the Caucasus and Central Asia).

If the detected locale, keyboard layout, or time zone matches regions such as:

Russia

Belarus

Kazakhstan

Armenia

Azerbaijan

Georgia

Moldova

Kyrgyzstan

Tajikistan

Turkmenistan

Uzbekistan

the malware exits without executing.

This geographic filtering has become increasingly common among financially motivated malware operators who attempt to avoid attracting attention from regional law enforcement agencies.
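The three gates above (fingerprint-derived key, Apple Silicon only, regional exit) are one procedure, reconstructed below as an added example. This is not PamStealer's code: the malware's cipher, key-derivation function and exact check lists have not been published, so a SHA-256 keystream with an HMAC tag and constructed region, time-zone and keyboard lists stand in for them. It also shows the analyst's side of the same mechanism, which the article only implies: because the key is derived from a small set of plausible values, enumerating candidate fingerprints recovers the configuration.

```python
"""Environment-keyed configuration decryption, reconstructed as an illustration.

Added example, not PamStealer's own code. The cipher (SHA-256 keystream plus
HMAC tag), the key-derivation function and the blocklists are stand-ins for
details the article does not give.
"""
import hashlib
import hmac
import itertools

# Constructed blocklists modelled on the countries named in the article
# (ISO country codes, representative IANA zones, two macOS keyboard layout IDs).
BLOCKED_REGIONS = {"RU", "BY", "KZ", "AM", "AZ", "GE", "MD", "KG", "TJ", "TM", "UZ"}
BLOCKED_TIMEZONES = {
    "Europe/Moscow", "Europe/Minsk", "Asia/Almaty", "Asia/Yerevan", "Asia/Baku",
    "Asia/Tbilisi", "Europe/Chisinau", "Asia/Bishkek", "Asia/Dushanbe",
    "Asia/Ashgabat", "Asia/Tashkent",
}
BLOCKED_KEYBOARDS = {"com.apple.keylayout.Russian", "com.apple.keylayout.RussianWin"}
FIELDS = ("arch", "locale", "keyboard", "timezone", "region")


def fingerprint(arch, locale, keyboard, timezone, region):
    return dict(zip(FIELDS, (arch, locale, keyboard, timezone, region)))


def blocked_region(fp):
    """Explicit exit: locale country, keyboard, time zone or region on the blocklist."""
    locale_country = fp["locale"].split("_")[-1].upper()
    return (fp["region"] in BLOCKED_REGIONS
            or locale_country in BLOCKED_REGIONS
            or fp["timezone"] in BLOCKED_TIMEZONES
            or fp["keyboard"] in BLOCKED_KEYBOARDS)


def derive_key(fp):
    """The fingerprint is the key material, so a different machine derives a different key."""
    return hashlib.sha256("|".join(fp[k] for k in FIELDS).encode()).digest()


def _keystream(key, length):
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def encrypt_config(key, plaintext):
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct   # tag || ciphertext


def decrypt_config(key, blob):
    """None on a wrong key: the tag check turns garbage into a clean failure."""
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def stage_two_url(fp, blob):
    """The gate as the article describes it: blocked regions exit outright; an
    Intel Mac is never checked explicitly, its key simply fails to decrypt."""
    if blocked_region(fp):
        return None
    config = decrypt_config(derive_key(fp), blob)
    return None if config is None else config.decode()


def recover_with_candidates(blob, **candidates):
    """Analyst view: the key space is only as large as the set of plausible
    fingerprints, so trying candidate values recovers the configuration."""
    for combo in itertools.product(*(candidates[k] for k in FIELDS)):
        fp = fingerprint(*combo)
        cfg = decrypt_config(derive_key(fp), blob)
        if cfg is not None:
            return fp, cfg.decode()
    return None


# Constructed sample: the intended victim profile and a configuration encrypted for it.
VICTIM = fingerprint("arm64", "en_US", "com.apple.keylayout.US", "America/New_York", "US")
SAMPLE_BLOB = encrypt_config(derive_key(VICTIM), b"https://stage2.example.invalid/Finder")

if __name__ == "__main__":
    print(stage_two_url(VICTIM, SAMPLE_BLOB))
    intel = fingerprint("x86_64", "en_US", "com.apple.keylayout.US", "America/New_York", "US")
    print(stage_two_url(intel, SAMPLE_BLOB))          # None: the Intel key never verifies
    print(recover_with_candidates(SAMPLE_BLOB, arch=["x86_64", "arm64"], locale=["en_GB", "en_US"],
                                  keyboard=["com.apple.keylayout.US"],
                                  timezone=["Europe/London", "America/New_York"], region=["GB", "US"]))
```

The practical consequence for a sandbox is in `recover_with_candidates`: presenting the expected architecture, locale, keyboard, time zone and region is enough, and when those are unknown, a few dozen plausible combinations can be tried offline against the captured configuration blob rather than detonating the sample repeatedly.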

Rust-Based Payload Expands the Attack

Once environmental verification succeeds, the AppleScript downloads a second-stage Rust executable disguised as Finder.

Rust keeps gaining popularity among malware developers: it cross-compiles easily, produces largely self-contained binaries, and its compiled output (monomorphized generics, heavy inlining, long mangled symbols) is tedious to reverse engineer.

The second-stage malware steals numerous categories of sensitive information, including:

Browser credentials

Saved passwords

Cookies

Cryptocurrency wallet extensions

Clipboard contents

iCloud Keychain information

System data

All collected information is encrypted before being transmitted to attacker-controlled servers using outbound HTTP communications.

Password Validation Through PAM Improves Stolen Credentials

PamStealer introduces one particularly dangerous feature rarely observed in commodity macOS malware.

Instead of accepting whatever the victim types into its password prompt, the malware immediately checks it against the local account through the macOS PAM framework (the same library sudo uses), so it knows whether the password is real before it ever leaves the machine.

If the entered password is incorrect, the malware simply requests it again until the victim supplies the real system password.

This dramatically raises the value of the stolen credential: the operators receive a verified password instead of a guess, and on a Mac the account password by default also unlocks the login keychain.
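What "validating through PAM" amounts to, as an added example rather than the malware's code: a conversation callback answers the framework's prompts and `pam_authenticate` returns success or failure. The example calls libpam through ctypes; the PAM service name `"login"` is an assumption (the service the malware requests has not been published), and `pam_check` returns `None` where libpam is not installed. The security-relevant point is that any unprivileged process can make this call: a wrong guess costs nothing, and a correct one yields a verified credential without any administrator prompt.

```python
"""Local password verification through PAM (added example, not PamStealer's code).

Constants match both Linux-PAM and OpenPAM (macOS). The service name "login"
is an assumption. Structures mirror <security/pam_appl.h>.
"""
import ctypes
import ctypes.util

PAM_SUCCESS = 0
PAM_PROMPT_ECHO_OFF = 1   # "Password:"-style prompt
PAM_PROMPT_ECHO_ON = 2    # "login:"-style prompt
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4
PAM_BUF_ERR = 5


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    # libpam frees resp with free(), so it must come from strdup/malloc,
    # never from a Python-managed buffer.
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


CONV_FUNC = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int,
                             ctypes.POINTER(ctypes.POINTER(PamMessage)),
                             ctypes.POINTER(ctypes.POINTER(PamResponse)),
                             ctypes.c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def answer_prompt(style, username, password):
    """What the conversation hands back for each prompt style (None = no answer)."""
    if style == PAM_PROMPT_ECHO_OFF:
        return password.encode()
    if style == PAM_PROMPT_ECHO_ON:
        return username.encode()
    return None


def pam_check(username, password, service="login"):
    """True if PAM accepts the password, False if it rejects it, None without libpam."""
    libname = ctypes.util.find_library("pam")
    if libname is None:
        return None
    try:
        pam = ctypes.CDLL(libname)
    except OSError:
        return None
    libc = ctypes.CDLL(None)
    libc.calloc.restype = ctypes.c_void_p
    libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.restype = ctypes.c_void_p
    libc.strdup.argtypes = [ctypes.c_char_p]

    def conv(num_msg, msgs, resp_out, _appdata):
        arr_ptr = libc.calloc(num_msg, ctypes.sizeof(PamResponse))
        if not arr_ptr:
            return PAM_BUF_ERR
        arr = ctypes.cast(arr_ptr, ctypes.POINTER(PamResponse))
        for i in range(num_msg):
            answer = answer_prompt(msgs[i].contents.msg_style, username, password)
            arr[i].resp = libc.strdup(answer) if answer is not None else None
            arr[i].resp_retcode = 0
        resp_out[0] = arr
        return PAM_SUCCESS

    callback = CONV_FUNC(conv)            # must stay alive for the whole transaction
    conversation = PamConv(callback, None)
    handle = ctypes.c_void_p()
    pam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                              ctypes.POINTER(PamConv), ctypes.POINTER(ctypes.c_void_p)]
    pam.pam_authenticate.argtypes = [ctypes.c_void_p, ctypes.c_int]
    pam.pam_end.argtypes = [ctypes.c_void_p, ctypes.c_int]
    rc = pam.pam_start(service.encode(), username.encode(),
                       ctypes.byref(conversation), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        return False
    rc = pam.pam_authenticate(handle, 0)
    pam.pam_end(handle, rc)
    return rc == PAM_SUCCESS


if __name__ == "__main__":
    import getpass
    print(pam_check(getpass.getuser(), getpass.getpass("Password to verify: ")))
```

For defenders the lesson is the inverse of the example: no dialog, entitlement or admin approval stands between an unsigned process and this check, so a password prompt drawn by an unexpected application, or a non-Apple binary loading libpam, deserves the same scrutiny as a request for administrator rights.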

Fake Error Message Conceals the Successful Infection

After successfully stealing the

“Maccy is damaged and can’t be opened. You should move it to the Trash.”

This is the wording of a genuine Gatekeeper alert for a damaged or modified application, so it reads as authentic.

Its only purpose is psychological.

Victims assume the application simply failed to install and delete the downloaded file, never realizing that the malicious payload has already completed its objectives and remains active in the background.

Persistence Mechanism Disguises Itself as System Settings

PamStealer includes another small ARM64 Mach-O binary disguised as macOS System Settings.

This additional component establishes persistence so the malware automatically launches after system reboot, allowing attackers to maintain long-term access even after the original installer disappears.

Such a modular layout points to deliberate engineering rather than a one-shot credential grab.
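A persistence component named after System Settings is exactly the kind of entry a launchd triage should catch. The script below is an added example, not part of the Jamf report: it parses LaunchAgents/LaunchDaemons property lists with the standard library and flags jobs whose label or program name imitates an Apple component (System Settings, Finder, com.apple.*) while the executable lives outside Apple-controlled paths, or whose executable sits in a hidden or scratch directory. The sample plists are constructed for the example; PamStealer's actual label, mechanism and install path have not been published, and the script assumes the persistence is a launchd job.

```python
"""Triage of launchd persistence entries that masquerade as Apple components.

Added example, not from the Jamf report. Sample plists are constructed.
"""
import os
import plistlib
import tempfile

APPLE_PATH_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/Library/Apple/")
APPLE_LOOKALIKES = ("finder", "system settings", "systemsettings", "system preferences", "com.apple.")
SCRATCH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/", "/Users/Shared/")


def program_path(entry):
    """launchd takes either Program or ProgramArguments[0]."""
    if entry.get("Program"):
        return str(entry["Program"])
    args = entry.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess(entry):
    """Return the reasons an entry looks suspicious; an empty list means nothing flagged."""
    reasons = []
    label = str(entry.get("Label", "")).lower()
    path = program_path(entry)
    exe = os.path.basename(path).lower()
    if any(t in label or t in exe for t in APPLE_LOOKALIKES) and not path.startswith(APPLE_PATH_PREFIXES):
        reasons.append(f"Apple-looking name '{entry.get('Label')}' but executable at {path or '<none>'}")
    if path.startswith(SCRATCH_PREFIXES):
        reasons.append(f"executable in a scratch location: {path}")
    if any(part.startswith(".") for part in path.split("/") if part):
        reasons.append(f"executable under a hidden path component: {path}")
    if reasons and entry.get("KeepAlive"):
        reasons.append("KeepAlive set: launchd restarts it if killed")
    return reasons


def scan(directory):
    """Map plist file name -> reasons, for every flagged job in one directory."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                entry = plistlib.load(fh)
            except (plistlib.InvalidFileException, ValueError):
                findings[name] = ["unparseable plist"]
                continue
        reasons = assess(entry)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_dir():
    """Constructed samples: a benign Maccy agent, a genuine-looking Apple job,
    and a job imitating System Settings that runs from a hidden cache directory."""
    d = tempfile.mkdtemp(prefix="launchagents-")
    samples = {
        "com.maccy.plist": {
            "Label": "com.maccy",
            "ProgramArguments": ["/Applications/Maccy.app/Contents/MacOS/Maccy"],
            "RunAtLoad": True,
        },
        "com.apple.example.plist": {
            "Label": "com.apple.example",
            "Program": "/System/Library/CoreServices/example",
            "RunAtLoad": True, "KeepAlive": True,
        },
        "com.system.settings.plist": {
            "Label": "com.system.settings",
            "ProgramArguments": ["/Users/victim/Library/Caches/.ss/System Settings", "--silent"],
            "RunAtLoad": True, "KeepAlive": True,
        },
    }
    for name, entry in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(entry, fh)
    return d


if __name__ == "__main__":
    for name, reasons in scan(build_sample_dir()).items():
        print(name)
        for reason in reasons:
            print("   ", reason)
```

On a real host run `scan` over `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`, then confirm each hit with `codesign -dv --verbose=4` on the executable it points to. The caveat: launchd jobs are only one persistence route on macOS; login items registered through the background task framework do not appear in these directories and need `sfltool dumpbtm` or the System Settings login-items pane.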

Developers Respond to the Growing Threat

Following the discovery,

Users are advised to download the software exclusively from the official website, as counterfeit domains continue distributing malware under the application’s trusted reputation.

The warning highlights the growing abuse of legitimate open source software brands by cybercriminals seeking higher infection rates.

Deep Analysis: Native macOS Abuse and Investigation Commands

PamStealer marks a shift toward abusing trusted operating system components instead of exploits. By combining AppleScript, JavaScript for Automation, Objective-C APIs, Rust, and PAM authentication, the attackers reduce the behavioral indicators that traditional antivirus relies on. The malware also shows environment-aware execution becoming standard in infostealers, which makes automated sandbox analysis far less effective unless the sandbox presents the victim profile the malware expects.

From a defensive perspective, organizations should verify software origins, enforce application allow-listing, monitor outbound network traffic, and deploy endpoint detection that inspects scripting behavior (Script Editor running a quarantined .scpt that then fetches a payload) rather than executable signatures alone.

Useful commands for investigation and monitoring. The first group applies to Linux analysis hosts and to servers that may have received the exfiltrated traffic; on the affected Mac, the macOS group is what matters (ps, lsof, find, file and strings are available there too):

Linux (or any POSIX analysis host)
ps aux                                      # running processes
top                                         # live process and load view
lsof -i                                     # open network sockets per process
ss -tulpn                                   # listening sockets with owning process
netstat -plant                              # same view via netstat, where installed
find / -name "*.scpt" 2>/dev/null           # compiled AppleScript files (the wildcard is required)
find / -name "*.plist" 2>/dev/null          # property lists, including launchd jobs
journalctl -xe                              # recent system log with context
grep "authentication" /var/log/auth.log     # authentication events (Debian/Ubuntu log path)
sha256sum suspicious_file                   # hash for sharing and lookup (shasum -a 256 on macOS)
file suspicious_binary                      # file type and CPU architecture
strings suspicious_binary                   # printable strings, e.g. embedded URLs
chmod -x suspicious_file                    # strip the execute bit while keeping the sample
macOS
codesign -dv --verbose=4 suspicious_binary  # signing identity and Team ID, if any
spctl --assess --verbose suspicious_binary  # whether Gatekeeper would allow it
xattr -l suspicious_binary                  # quarantine attribute and its download origin data
log show --last 24h                         # unified log; narrow it with --predicate
launchctl list                              # loaded launchd jobs for the current user (sudo for daemons)
defaults read                               # user defaults, to spot unexpected preferences

These commands help analysts inspect running processes, startup persistence, authentication events, executable signatures, quarantine attributes, and suspicious network activity during incident response.

What Undercode Say:

PamStealer is a macOS stealer that prioritizes stealth over speed: every stage is gated (fingerprint, region, architecture) before the next one runs.

Its use of AppleScript shows that native scripting remains a viable attack vector, and telling the victim to press ⌘ + R in Script Editor rather than paste a command into Terminal lowers suspicion.

Hiding the payload beneath hundreds of blank lines is social engineering, not obfuscation: the code is in plain sight for anyone who scrolls.

The campaign relies on trust rather than on software vulnerabilities; the fake Maccy domain works because users recognize the application name and do not verify the source.

Apple Silicon-only targeting and fingerprint-derived keys show the operators adapting to current hardware and deliberately denying the payload to analysts on other configurations.

Regional filtering indicates operational planning rather than random infection.

Rust is increasingly preferred by malware authors, and compiled Rust binaries complicate reverse engineering.

PAM-based password validation is the most notable feature: a verified credential is worth considerably more than an unverified one, and the check is invisible to the user.

The fake "damaged and can't be opened" dialog shows that the attackers understand how users interpret macOS warnings and exploit that understanding after the compromise is already complete.

Native Objective-C APIs and a separate small persistence binary keep observable activity low, and the modular layout leaves room for future features.

Open source brands remain attractive impersonation targets because users trust familiar names and lookalike domains continue to fool them.

Signature-based antivirus may miss native scripting behavior, so behavioral monitoring, application allow-listing, network monitoring, EDR on macOS, and awareness training against fake download sites all matter.

Attackers are investing more in Apple ecosystems; macOS is no longer a niche target, and enterprise Mac deployments raise the stakes.

Credential theft remains more profitable than destructive malware, with cloud account access often the ultimate objective, and it increasingly accompanies or replaces ransomware in current campaigns.

Mixing languages (AppleScript, JXA, Rust) is becoming normal and simplifies future evolution of the tooling.

Organizations should monitor authentication anomalies, treat verification of software sources as the first line of defense, and remember that native operating system features become powerful offensive tools when abused.

✅ Jamf Threat Labs publicly identified PamStealer as a new macOS information-stealing malware family targeting Apple users.

✅ The malware validates stolen passwords using macOS PAM authentication before exfiltration, making the collected credentials highly reliable.

✅ Researchers confirmed the malware abuses fake Maccy download websites, AppleScript, Rust payloads, environmental fingerprinting, and deceptive macOS error messages as part of its attack chain.

Prediction

(+1) Apple-focused malware campaigns will continue increasing as Apple Silicon adoption grows across enterprises and consumers.

(+1) Future macOS infostealers will likely expand the use of Rust, native Apple frameworks, and hardware-aware execution to evade security products.

(-1) Fake software download portals impersonating trusted open source applications will remain one of the most effective malware distribution methods until users consistently verify official download sources.


References:

Reported By: thehackernews.com