Threat Advisory

Mitigate AppleScript Dropper Risks in Enterprise Environments

Threat: Malware
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY

Threat actors identified as a financially motivated cybercrime group are behind the PamStealer campaign, a macOS‐focused infostealer that masquerades as the legitimate Maccy clipboard manager. The operation uses a two‐stage delivery chain and primarily targets organizations that rely on macOS workstations, including technology firms, financial services and professional‐services firms. Campaign activity is observed worldwide but deliberately avoids Eastern European locales such as Russia, Belarus and Kazakhstan, suggesting a focus on Western markets. The attacker's objective is to harvest credentials, browser databases and clipboard contents for resale or further intrusion.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY

Threat actors identified as a financially motivated cybercrime group are behind the PamStealer campaign, a macOS‐focused infostealer that masquerades as the legitimate Maccy clipboard manager. The operation uses a two‐stage delivery chain and primarily targets organizations that rely on macOS workstations, including technology firms, financial services and professional‐services firms. Campaign activity is observed worldwide but deliberately avoids Eastern European locales such as Russia, Belarus and Kazakhstan, suggesting a focus on Western markets. The attacker's objective is to harvest credentials, browser databases and clipboard contents for resale or further intrusion.[emaillocker id="1283"]

The dropper is delivered as a compiled AppleScript (.scpt) inside a disk image that pretends to be the Maccy app. When the victim runs the script in Script Editor, a JavaScript for Automation routine uses NSURLSession APIs to fetch a Rust‐based Mach‐O payload from a domain that mimics the project. The second‐stage binary validates the login password through the macOS PAM API, then steals keychain items, browser SQLite databases and clipboard data via pbpaste. Persistence is achieved by registering a fake Finder bundle as a login item through ServiceManagement and legacy shared‐file‐list methods, while C2 traffic is encrypted over HTTPS.

PamStealer is significant because it targets the increasingly popular macOS platform and uses native APIs that leave few traditional artifacts, making detection by signature‐based tools difficult. The combination of PAM‐validated credential capture and encrypted exfiltration reduces the chance of clear‐text evidence, while the dual persistence mechanisms keep the malware alive across reboots. Organizations should enforce strict application‐allowlisting, monitor for unexpected Script Editor network activity, and regularly audit login‐item registrations. Deploying endpoint protection that can inspect AppleScript and JXA behavior, maintaining up‐to‐date patches for macOS components, and ensuring reliable, offline backups will help mitigate impact and speed recovery.

THREAT PROFILE:

 

Tactic Technique ID Technique Sub-technique
Execution T1059.007 Command and Scripting Interpreter JavaScript
Command and Control T1105 Ingress Tool Transfer
Defense Evasion T1027 Obfuscated Files or Information
Persistence T1547.008 Boot or Logon Autostart Execution LSASS Driver
Defense Evasion T1497.001 Virtualization/Sandbox Evasion System Checks
Collection T1115 Clipboard Data
Command and Control T1071.001 Application Layer Protocol Web Protocols
Exfiltration T1041 Exfiltration Over C2 Channel

REFERENCES:

reports contain further technical details:
https://www.jamf.com/blog/pamstealer-macos-infostealer-applescript-rust/

[/emaillocker]
crossmenu