Newly discovered PamStealer isn’t your typical macOS malware

by | Jul 17, 2026 | Technology

News summary produced by Claude AI

Security researchers have identified PamStealer, a previously unknown malware targeting macOS systems that incorporates multiple sophisticated techniques to evade detection while stealing user credentials. The malware operates through a two-stage infection process, with the initial component distributed via a disk image disguised as Maccy, a legitimate clipboard management application.

The first stage is compiled as AppleScript code that uses JavaScript for Automation (JXA) to retrieve and deploy the second stage payload. This approach bypasses traditional detection methods by avoiding common command-line tools and instead leveraging native Objective-C APIs. When users interact with the fake Maccy installer, they are prompted to execute commands that trigger the malicious code and circumvent macOS’s com.apple.quarantine security feature, which normally provides warnings for downloaded executables.

The second stage payload, written in Rust, distinguishes PamStealer from typical macOS credential-stealing malware. The binary is designed to run on Apple-silicon Macs and masquerades as legitimate system components such as Finder or Software Update. It encrypts command-and-control communications and deliberately delays certain system prompts, such as Full Disk Access requests, by up to forty minutes to avoid correlating its activity with the initial launch.

A particularly notable characteristic of PamStealer is its credential harvesting mechanism. Rather than using spawned processes or command-line tools to validate passwords, the malware leverages macOS’s native Pluggable Authentication Modules (PAM) interface to authenticate credentials locally. This approach generates minimal system artifacts for defenders to detect. Once the correct password is obtained, the malware displays a fake error message suggesting the installation failed, potentially deceiving users into believing nothing suspicious occurred.

Jamf researchers noted that PamStealer’s combination of techniques—including the Script Editor delivery vector, self-contained JXA downloader, Rust-based second stage, and local credential validation—reflects the ongoing evolution of macOS malware toward stealthier execution patterns that maintain compatibility with standard macOS features while reducing traditional detection opportunities.

Article Attribution | Read More at Article Source