Copy that: fake Maccy on the menu serves up PamStealer 🥄

Cybersecurity firm Jamf Threat Labs says a fraudulent copy of the open-source clipboard manager Maccy is being used to infect macOS users with a new Rust-based infostealer named PamStealer, which targets passwords and crypto wallet keys. The campaign, disclosed in a report published on Thursday, relies on a lookalike website distributing a disk image that contains a malicious AppleScript file titled Maccy.scpt. When opened, the file displays instructions telling users to run it inside Apple's Script Editor while burying the malicious payload further down the document. "We are tracking this malware under the name PamStealer after one of its core behaviors: validating the victim's login password through the macOS Pluggable Authentication Modules (PAM) before harvesting it," Jamf Threat Labs wrote.

The malware uses JavaScript for Automation and native macOS APIs to fetch a second-stage payload without invoking common shell utilities such as curl or zsh, a design choice that limits the number of processes security tools can observe. The second stage is a Rust-based binary compiled for Apple Silicon Macs that disguises itself as Finder or Software Update. According to the report, the dropper derives an encryption key from a fingerprint of the host, including CPU architecture, locale, keyboard layout and time zone, which is then used to unlock an encrypted, integrity-checked configuration containing the payload URL and installation path.

Once installed, the malware can harvest browser credentials and Keychain data, monitor clipboard contents, establish persistence on the system and exfiltrate stolen information to a remote command-and-control server using encrypted communications. If it cannot verify that it is running on its intended target, it quietly shuts itself down. The malware also attempts to expand its access by displaying a fake Finder alert that prompts users to grant Full Disk Access, a notification that can appear up to 40 minutes after infection to reduce the chance the request is linked back to the original download. Jamf Threat Labs Director Jaron Bradley told Decrypt that attackers are increasingly purchasing Google Ad placements and running malicious ads hosted on X to lure victims, adding that "these social engineering techniques have proven to be highly successful."

Separately, blockchain analytics firm CryptoQuant reported that Bitcoin deposits to centralized exchanges spiked in the past week as $BTC fell below $60,000, reaching nearly 50,000 BTC per day, a level hit only four times so far this year. According to the firm, each previous occurrence coincided with a significant increase in price volatility, and the latest spike coincided with Bitcoin testing the $60,000 support level.

Publisher: cryptonewsroom.xyz
Category: Security
