EXECUTIVE SUMMARY
Threat actors identified as a financially motivated cybercrime group are behind the PamStealer campaign, a macOS‐focused infostealer that masquerades as the legitimate Maccy clipboard manager. The operation uses a two‐stage delivery chain and primarily targets organizations that rely on macOS workstations, including technology firms, financial services and professional‐services firms. Campaign activity is observed worldwide but deliberately avoids Eastern European locales such as Russia, Belarus and Kazakhstan, suggesting a focus on Western markets. The attacker's objective is to harvest credentials, browser databases and clipboard contents for resale or further intrusion.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY
Threat actors identified as a financially motivated cybercrime group are behind the PamStealer campaign, a macOS‐focused infostealer that masquerades as the legitimate Maccy clipboard manager. The operation uses a two‐stage delivery chain and primarily targets organizations that rely on macOS workstations, including technology firms, financial services and professional‐services firms. Campaign activity is observed worldwide but deliberately avoids Eastern European locales such as Russia, Belarus and Kazakhstan, suggesting a focus on Western markets. The attacker's objective is to harvest credentials, browser databases and clipboard contents for resale or further intrusion.[emaillocker id="1283"]
The dropper is delivered as a compiled AppleScript (.scpt) inside a disk image that pretends to be the Maccy app. When the victim runs the script in Script Editor, a JavaScript for Automation routine uses NSURLSession APIs to fetch a Rust‐based Mach‐O payload from a domain that mimics the project. The second‐stage binary validates the login password through the macOS PAM API, then steals keychain items, browser SQLite databases and clipboard data via pbpaste. Persistence is achieved by registering a fake Finder bundle as a login item through ServiceManagement and legacy shared‐file‐list methods, while C2 traffic is encrypted over HTTPS.
PamStealer is significant because it targets the increasingly popular macOS platform and uses native APIs that leave few traditional artifacts, making detection by signature‐based tools difficult. The combination of PAM‐validated credential capture and encrypted exfiltration reduces the chance of clear‐text evidence, while the dual persistence mechanisms keep the malware alive across reboots. Organizations should enforce strict application‐allowlisting, monitor for unexpected Script Editor network activity, and regularly audit login‐item registrations. Deploying endpoint protection that can inspect AppleScript and JXA behavior, maintaining up‐to‐date patches for macOS components, and ensuring reliable, offline backups will help mitigate impact and speed recovery.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Persistence | T1547.008 | Boot or Logon Autostart Execution | LSASS Driver |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Collection | T1115 | Clipboard Data | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
reports contain further technical details:
https://www.jamf.com/blog/pamstealer-macos-infostealer-applescript-rust/