    PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords

By admin, July 3, 2026
    Cybersecurity researchers have flagged a new macOS information stealer called PamStealer that employs a series of clever tricks to infect systems and siphon sensitive data.

    The stealer, discovered by Jamf Threat Labs, is distributed as a compiled AppleScript (.scpt) file impersonating Maccy, a legitimate open-source clipboard manager. It has been codenamed PamStealer owing to its ability to validate the victim’s login password through the macOS Pluggable Authentication Modules (PAM) before capturing it.

The malware is delivered in two stages: a compiled AppleScript distributed inside a disk image that is designed to download and stage a follow-on payload, and a secondary Rust-based infostealer capable of credential theft, browser data collection, persistence, and exfiltration.

    The initial access vector for the malware is a lookalike site (“maccyapp[.]com”) that mimics Maccy (“maccy[.]app”). The AppleScript (“Maccy.scpt”) present within the disk image executes a self-contained JavaScript for Automation (JXA) downloader that fetches and stages the stealer payload using native Objective-C APIs.

What’s notable here is that the script, once opened in Script Editor, displays instructions telling the user to run it with the “⌘ + R” keyboard shortcut or by clicking the Run button. Doing so executes the malicious logic, which is hidden in the file beneath a large block of empty lines.

    “Notably, this works even when the file still carries the com.apple.quarantine attribute, which is what makes the approach attractive to attackers as Apple continues to tighten Gatekeeper and Terminal,” security researcher Thijs Xhaflaire said. “Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity macOS stealers.”

    The AppleScript dropper incorporates environment-aware features that allow the execution to continue only after fingerprinting the host and determining it’s running on Apple Silicon. It does this by deriving a key based on the fingerprint, which includes details like the CPU architecture, locale, keyboard layout, and the time zone, and then using it to unlock an encrypted configuration that contains the payload URL and install path.

    On Intel-based Macs, the derived decryption key differs and fails to decode the configuration, resulting in the termination of the dropper. The script also avoids execution within sandboxed or analysis environments, as well as systems whose time zone, system locale, and keyboard input resolve to countries located in Eastern Europe, such as Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia.

    Once the checks pass, the script reaches out to the external server and downloads a Mach-O binary written in Rust that masquerades as the Finder app and is responsible for harvesting data from web browsers, cryptocurrency wallet extensions, iCloud Keychain, and clipboard content. The captured information is then encrypted and exfiltrated to attacker-controlled infrastructure (“avenger-sync[.]live”) over an outbound HTTP request.

    Besides coercing the user into granting it full file system access, the stealer serves a native password prompt that collects the victim’s system password, and then validates the entered password by cross-checking it via the PAM API. If the validation fails, it asks the user to re-enter the password, and repeats the loop until the correct password is supplied.

    “Once a valid password is captured, the stealer shows a second, counterfeit alert: ‘Maccy is damaged and can’t be opened. You should move it to the Trash,’ a close copy of the genuine Gatekeeper message,” Jamf said. “This is a decoy. By the time it appears, the payload has already run, captured the password and registered for persistence, so the message serves only to make the victim discard the lure and assume the download was broken.”

    Also built into the Rust binary is a small arm64 Mach-O that impersonates macOS System Settings and is used for setting up persistence.

    The development has prompted Alex Rodionov, the developer of Maccy, to include a warning on their website and the GitHub repository, stating, “Beware of fake websites impersonating Maccy. Malicious sites (such as maccyapp[.]net and maccyapp[.]com) distribute malware disguised as Maccy. maccy.app is the only official website.”

    “Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features,” Jamf said.
