Fake Website and Two-Stage Infection
Cybersecurity researchers at Jamf Threat Labs have identified a new macOS information stealer called PamStealer. The malware is distributed through a fake website, maccyapp.com, which impersonates the legitimate Maccy clipboard manager. The initial infection vector is a disk image containing a compiled AppleScript file. When a user downloads and runs this script, it triggers a JavaScript for Automation downloader that fetches and installs the main payload. The script is designed to execute even when the file still carries the quarantine attribute, bypassing some of Apple’s Gatekeeper protections.
The first stage includes environment checks to ensure it only runs on Apple Silicon Macs. It gathers host fingerprints, including CPU architecture, locale, keyboard layout, and time zone, and derives a decryption key from them. Because the key depends on these values, the payload cannot be decrypted on a host whose fingerprint differs, which shields it from analysis on Intel machines. The script also refuses to run if the system is configured for Eastern European regions, including Russia, Belarus, Kazakhstan, and several neighboring countries.
Credential Capture and Data Exfiltration
The second stage is a Rust-based infostealer that masquerades as the Finder application. Once granted full file system access through a user prompt, it harvests data from web browsers, cryptocurrency wallet extensions, iCloud Keychain, and clipboard contents. The malware then displays a native password prompt and validates the entered password using the macOS Pluggable Authentication Modules (PAM) API. If the password is incorrect, it loops until the correct one is provided.
After capturing the password, the stealer shows a fake error message mimicking Apple’s Gatekeeper alert, claiming the application is damaged. This decoy leads victims to delete the file, by which point the malware has already established persistence and exfiltrated the data. The stolen information is encrypted and sent to attacker-controlled servers via HTTP requests. The developer of Maccy has updated the official website and GitHub repository to warn users about these fake distribution sites.
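A defender-side check for the two behaviours described above, the script-based first stage and the Finder masquerade of the second, written as an added example that is not from the article or from Jamf Threat Labs: it parses a `ps`-style process listing (a constructed sample is embedded; the paths, PIDs and the `applet`/`osascript` interpreter names are assumptions about how such a chain would appear) and flags any process named Finder whose executable is not the system Finder binary, noting whether a script interpreter sits in its parent chain.

```python
import re

# Genuine Finder binary (assumption: stock macOS layout) and the interpreters
# that run compiled AppleScript or JavaScript for Automation.
GENUINE_FINDER = "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"
SCRIPT_RUNNERS = {"osascript", "applet"}

# Constructed sample of `ps -axo pid=,ppid=,comm=` output: the real Finder and
# Maccy, then a script applet launched from a mounted disk image that spawns
# osascript, which in turn spawns a Finder impostor under the user's home.
SAMPLE_PS = """\
  312     1 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  420     1 /Applications/Maccy.app/Contents/MacOS/Maccy
  455     1 /Volumes/Maccy/Maccy/Contents/MacOS/applet
 1290   455 /usr/bin/osascript
 1301  1290 /Users/alice/Library/Application Support/Finder.app/Contents/MacOS/Finder
"""
PS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S.*?)\s*$")

def parse_ps(text):
    """Parse ps output into {pid: (ppid, path)}; malformed lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3))
    return procs

def ancestry(procs, pid):
    """Executable paths of pid's ancestors, nearest first, while they are in the table."""
    chain, seen, ppid = [], set(), procs[pid][0]
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        chain.append(procs[ppid][1])
        ppid = procs[ppid][0]
    return chain

def finder_impostors(procs):
    """Flag Finder-named processes that are not the system binary, with parent-chain context."""
    hits = []
    for pid, (_, path) in procs.items():
        if path.rsplit("/", 1)[-1] == "Finder" and path != GENUINE_FINDER:
            parents = ancestry(procs, pid)
            via_script = any(p.rsplit("/", 1)[-1] in SCRIPT_RUNNERS for p in parents)
            hits.append({"pid": pid, "path": path, "script_spawned": via_script})
    return hits

if __name__ == "__main__":
    for hit in finder_impostors(parse_ps(SAMPLE_PS)):
        print(hit)
```

On a live host, feed it the output of `ps -axo pid=,ppid=,comm=` instead of the sample; a hit with `script_spawned` set matches the applet-to-osascript-to-payload chain the article describes.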
Source: The Hacker News
