New PamStealer Malware Targets Mac Users via Fake Maccy Sites

First seen 3 Jul 2026, 09:25 UTC
Sources: Appleinsider, Thehackernews, thehacker.news, www.jamf.com
88% similarity 67.5

A new macOS infostealer named PamStealer has been discovered, which verifies Mac login passwords before stealing sensitive data. This malware, disguised as the Maccy clipboard manager, uses AppleScript and a Rust payload to infect Macs. It begins with a fake website mimicking Maccy, delivering a malicious application that checks system characteristics and retrieves a second-stage payload. PamStealer captures login credentials by displaying a fake macOS authorization prompt, validating passwords through Apple's Pluggable Authentication Modules. After confirming valid credentials, it collects data like browser cookies, clipboard contents, and cryptocurrency wallet information. The malware encrypts stolen data before transmitting it, complicating detection. It also establishes persistence by creating login items to relaunch automatically. Jamf Threat Labs documented this campaign, highlighting its targeted nature.

Key Points:
• PamStealer verifies login credentials before data theft, enhancing its effectiveness.
• The malware uses a fake Maccy clipboard manager site to initiate the attack.
• It targets sensitive information including browser cookies and cryptocurrency wallets.

Timeline

2026-07-02: PamStealer identified by Jamf Threat Labs
Researchers documented a new macOS malware campaign using PamStealer, which verifies passwords before stealing data. (Source: Appleinsider)

2026-07-03: PamStealer reported in cybersecurity news
The Hacker News published details about PamStealer's methods, including its use of fake websites and PAM checks. (Source: Thehackernews)
