New PamStealer Malware Uses Fake Maccy Sites to Target macOS Users

Cybersecurity researchers have discovered a new macOS information stealer named PamStealer that spreads through fake Maccy websites. The malware is disguised as the popular Maccy clipboard manager and tricks users into downloading a malicious AppleScript. Once executed, it installs a Rust-based payload designed to steal sensitive information from the infected Mac.

New PamStealer Malware Uses Fake Maccy Sites to Target macOS UsersNew PamStealer Malware Uses Fake Maccy Sites to Target macOS Users

PamStealer targets browser credentials, cryptocurrency wallet extensions, clipboard data, and iCloud Keychain information. It also displays a fake macOS password prompt and verifies the entered password using the Pluggable Authentication Modules (PAM) framework. If the password is incorrect, the malware repeatedly asks the user to enter it until the correct login credentials are captured.

Researchers found that the malware avoids analysis environments, primarily targets Apple Silicon Macs, and establishes persistence after infection. Users are advised to download Maccy only from its official website and avoid lookalike domains, as cybercriminals continue to use fake software sites to distribute advanced macOS malware.

NPAV Endpoint Security, help detect fileless malware, block malicious scripts, and protect users from credential-stealing attacks delivered through fake software downloads.