A team of security researchers has discovered a never-before-seen piece of macOS malware, named PamStealer, that combines several advanced techniques to infect Macs and steal credentials stealthily. The malware spreads through a disk image that masquerades as Maccy, a popular clipboard manager for Mac. Once mounted, the image presents an AppleScript file that, when double-clicked, opens in the macOS Script Editor, with the malicious code buried deep inside the file. This quiet execution chain is a novelty in the Mac threat landscape.
PamStealer operates in two stages. The first stage is the distribution vector via disk image and AppleScript. The second stage is an infostealer written in Rust that leverages the built-in Pluggable Authentication Modules (PAM) interface in macOS to validate the target's login password before sending it to an attacker-controlled server. The use of PAM for local password validation is particularly insidious because the malware does not just steal what it finds but verifies that the password is correct, increasing the effectiveness of the theft.
Two-stage infection using AppleScript and disk image
The combined use of disk images and AppleScript is common in Mac malware, but PamStealer stands out for how it blends them to achieve maximum stealth. When the user double-clicks the AppleScript file, it opens in Script Editor where the malicious code is buried deep. Most users do not examine the content of a script before running it, and even automated security tools may fail to detect the threat due to the complex code structure. Researchers noted that this obfuscation technique makes PamStealer particularly hard to spot for traditional antivirus software.
PAM module validates local password before exfiltration
The most innovative feature of PamStealer is the integration with the PAM system on macOS. PAM is a modular authentication framework that validates user credentials. The malware uses this interface to verify that the password entered by the victim is correct. If the password is invalid, the malware keeps prompting until the right one is entered. Only after this local validation does PamStealer exfiltrate the password to a remote server controlled by attackers. This approach reduces the risk of collecting wrong passwords and increases the value of stolen data.
Why PamStealer marks an evolution in Mac malware
The discovery of PamStealer highlights the growing effort by malicious actors to develop malware for macOS. While Macs were once considered more secure than Windows PCs, the growing Mac user base and the increasing value of personal data have attracted malware authors. PamStealer shows how credential theft techniques are becoming more sophisticated, combining deceptive distribution methods with local validation mechanisms. To protect themselves, experts recommend downloading software only from trusted sources, keeping the operating system updated, and being cautious with suspicious attachments. The new security features introduced with iOS 27, which offer advanced real-time scam protection, are another useful defense, and that approach may extend to macOS in the future. For more details, see the article iOS 27 introduces Trust Insights to detect scams in real time during calls and messages. For a full technical description, researchers have published details on Ars Technica.