Fake Clipboard Manager Targets macOS Users with Stealthy Data Theft

PamStealer uses a Rust based binary and native macOS APIs to evade detection while stealing passwords, clipboard data, and browser credentials.

CSBadmin
2 Min Read

The Two Stage Infection Chain

A newly discovered macOS infostealer, dubbed PamStealer, masquerades as the legitimate open source clipboard manager Maccy to harvest sensitive user data. The attack begins with a malicious disk image file named Maccy.dmg containing a compiled AppleScript file. When a user opens the file, they see harmless instructions prompting them to click Run, which triggers hidden malicious code.

In the first stage, the AppleScript acts as a lightweight dropper. Rather than using common command line tools like curl or zsh, it executes a JavaScript for Automation (JXA) payload using native macOS APIs such as NSURLSession. This approach minimizes observable system activity. The script downloads a second stage payload and installs it, often masquerading as a legitimate macOS component like Finder or Software Update.

Data Harvesting and Persistence Mechanisms

The second stage payload is a Rust based Mach-O binary, which performs credential theft, clipboard monitoring, and data exfiltration. It accesses browser databases via SQLite to extract stored passwords, cookies, and wallet data. The malware also dynamically loads macOS Security frameworks to access Keychain data without exposing its capabilities during static analysis.

For persistence, PamStealer registers itself as a login item using both modern and legacy macOS APIs. It drops a helper binary disguised as System Settings and attempts to trick users into granting Full Disk Access via fake system alerts. The malware communicates with its command and control server using encrypted data, and researchers observed connections to public Ethereum RPC endpoints, suggesting blockchain infrastructure may be used for resilient command and control.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.