CyberSecurityNews

PamStealer Mimics the Maccy Clipboard Manager and Silently Harvests Data and Clipboard Contents


PamStealer is a newly identified macOS infostealer that disguises itself as the popular open-source clipboard manager “Maccy” while silently harvesting sensitive user data.

Discovered by Jamf Threat Labs, the malware uses a stealthy two-stage infection chain designed to evade detection and blend into normal macOS activity.

The attack begins with a malicious disk image file named “Maccy.dmg,” which contains a compiled AppleScript file (.scpt).

When opened, the file displays harmless-looking instructions prompting the user to press Run. This simple social engineering trick triggers the hidden malicious code embedded deep within the script.

In the first stage, the AppleScript acts as a lightweight dropper. Instead of relying on common command-line tools like curl or zsh, it executes a JavaScript for Automation (JXA) payload using native macOS APIs such as NSURLSession.

PamStealer Steals Maccy Clipboard Data

This approach reduces visible system activity and avoids raising suspicion. The script downloads a second-stage payload and installs it on the system, often masquerading as a legitimate macOS component, such as Finder or Software Update.

PamStealer includes environment-aware checks before executing. It generates a unique key based on system attributes such as CPU architecture, locale, and time zone.

A fake Maccy clipboard manager distributed via a disk image (source: Jamf Threat Labs)

If the device does not match the expected profile, the malware silently exits. It also avoids systems in specific regions, including Russia and neighboring countries, by checking language settings and keyboard layouts.

The second stage is a Rust-based Mach-O binary, which is relatively uncommon in macOS malware. This infostealer performs a range of malicious activities, including credential theft, clipboard monitoring, and data exfiltration.

It accesses browser databases using SQLite to extract stored passwords, cookies, and wallet data. It also dynamically loads macOS Security frameworks to access Keychain data without exposing its capabilities during static analysis.

After capturing the password, the stealer displays a fake “Maccy is damaged” alert to deceive the user (source: Jamf Threat Labs)

One of the most notable features of PamStealer is its password harvesting technique. The malware displays a fake system prompt asking the user to enter their password.

It then validates the password locally using macOS Pluggable Authentication Modules (PAM), ensuring only correct credentials are captured. This method avoids suspicious system calls and reduces the number of detection opportunities.

Clipboard data is continuously monitored using the built-in pbpaste utility. The malware repeatedly collects clipboard contents at irregular intervals, potentially capturing sensitive information such as passwords, tokens, or cryptocurrency addresses.

For persistence, PamStealer registers itself as a login item using both modern and legacy macOS APIs. It also drops a helper binary disguised as “System Settings” to reinforce persistence mechanisms.

The stealer gains Full Disk Access to read protected data (source: Jamf Threat Labs)

Additionally, it attempts to trick users into granting Full Disk Access via fake system alerts, thereby increasing its ability to access sensitive files.

The malware communicates with its command-and-control server at avenger-sync[.]live, sending encrypted data using ChaCha20-Poly1305 within JSON requests.

Jamf Threat Labs observed connections to public Ethereum RPC endpoints, suggesting the malware may use blockchain infrastructure for resilient command-and-control or payload retrieval.

Several indicators of compromise (IoCs) have been identified, including suspicious domains such as api.sync-master[.]online and avngr.netlify[.]app, along with file paths mimicking macOS system directories like ~/Library/Application Support/com.apple.finder.core/.
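As an added example (not code from the article or from Jamf Threat Labs), the following Python triage helpers apply the indicators the article names to host telemetry: the C2 and IoC domains, the fake com.apple.finder.core directory under Application Support, and the repeated pbpaste executions that characterise the clipboard polling described above. The log line formats and every sample entry are constructed for illustration and are not real data.

```python
from collections import Counter
import re

# Indicators quoted in the article above, with the "[.]" defanging removed for matching.
IOC_DOMAINS = {"avenger-sync.live", "api.sync-master.online", "avngr.netlify.app"}
IOC_PATH_FRAGMENT = "Library/Application Support/com.apple.finder.core/"

# Constructed sample telemetry (not real data): DNS queries, a file listing and
# process-start events in a made-up "time parent_name command" line format.
DNS_LOG = """\
10:00:01 query A updates.example.com
10:00:04 query A avenger-sync.live
10:00:09 query A api.sync-master.online
"""
FILE_LIST = [
    "/Users/alice/Library/Application Support/com.apple.finder.core/Finder",
    "/Users/alice/Library/Application Support/Code/User/settings.json",
]
PROC_LOG = """\
10:01:00 Terminal /usr/bin/pbpaste
10:01:07 Software Update /usr/bin/pbpaste
10:01:19 Software Update /usr/bin/pbpaste
10:01:26 Software Update /usr/bin/pbpaste
10:01:41 Software Update /usr/bin/pbpaste
"""

def matched_domains(dns_log: str) -> list[str]:
    """IoC domains seen in the DNS log, in first-seen order, without duplicates."""
    seen: list[str] = []
    for line in dns_log.splitlines():
        name = line.rsplit(" ", 1)[-1].lower()
        if name in IOC_DOMAINS and name not in seen:
            seen.append(name)
    return seen

def matched_paths(paths: list[str]) -> list[str]:
    """Files under the fake 'com.apple.finder.core' Application Support directory."""
    return [p for p in paths if IOC_PATH_FRAGMENT in p]

def pbpaste_pollers(proc_log: str, threshold: int = 3) -> dict[str, int]:
    """Parents that spawned pbpaste at least `threshold` times (repeated clipboard reads)."""
    pattern = re.compile(r"^\S+ (.+?) (?:\S*/)?pbpaste$")
    counts = Counter()
    for line in proc_log.splitlines():
        m = pattern.match(line)
        if m:
            counts[m.group(1)] += 1
    return {parent: n for parent, n in counts.items() if n >= threshold}
```

A single pbpaste run from Terminal stays below the threshold, while a process calling itself "Software Update" that reads the clipboard repeatedly is reported for follow-up.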

PamStealer highlights the evolving sophistication of macOS threats. By combining native APIs, Rust-based payloads, and advanced social engineering, attackers are creating quieter, more effective malware that is harder to detect with traditional methods.
