Researchers have uncovered a new strain of macOS malware called PamStealer, which uses several tricks to evade conventional security tooling. The malware is disguised as the popular clipboard manager Maccy and spreads through a disk image that masquerades as an AppleScript. Once activated, it relies on a self-contained JavaScript for Automation (JXA) downloader to retrieve its payload, which makes it harder to detect.
The second stage of PamStealer uses Rust code to further obscure its activity and blend in with macOS’s native interfaces. It also includes a password validation workflow that checks stolen credentials before they are sent to the attackers. This manner of execution is quieter than that of typical macOS malware and shows how the tactics used by cybercriminals keep evolving.
The malware’s first stage includes components that mimic genuine macOS elements, such as Finder.app or Software Update.app, so that it escapes notice and avoids arousing the user’s suspicion. These deceptive techniques show how modern malware keeps adapting and becoming stealthier, making detection increasingly challenging for users and security professionals alike.
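Two of the behaviours described above are observable in process telemetry: an `osascript` invocation forced into JavaScript mode (`-l JavaScript`) that reads a script from a mounted disk image, and an app bundle named after a genuine Apple component (Finder.app, Software Update.app) that lives outside the system folder where the real one resides. The following is an added illustration of how a defender might triage such records; it is not tooling from the researchers or from the article, and the pipe-separated log format and the sample records are constructed for the example.

```python
"""Heuristic triage of macOS process-execution records for two behaviours
described in the article: a JXA downloader launched from a mounted disk
image, and a decoy app bundle impersonating a system component.
Added illustration, not the researchers' tooling. The record format
(pid|parent_pid|executable_path|argv) is a constructed simplification."""

import re
from dataclasses import dataclass

# Where Apple's own Finder.app and Software Update.app actually live.
SYSTEM_APP_DIR = "/System/Library/CoreServices/"
IMPERSONATED_NAMES = {"Finder.app", "Software Update.app"}


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def parse_line(line: str):
    """Split one constructed record into (pid, ppid, path, argv)."""
    pid, ppid, path, argv = line.rstrip("\n").split("|", 3)
    return int(pid), int(ppid), path, argv


def is_jxa_from_mounted_image(path: str, argv: str) -> bool:
    """osascript run in JavaScript mode with a script on a mounted volume."""
    if not path.endswith("/osascript"):
        return False
    jxa = re.search(r"(^|\s)-l\s+JavaScript(\s|$)", argv) is not None
    from_image = "/Volumes/" in argv
    return jxa and from_image


def is_impersonating_bundle(path: str) -> bool:
    """Executable inside a bundle named like an Apple app but outside CoreServices."""
    m = re.search(r"/([^/]+\.app)/Contents/MacOS/", path)
    if not m:
        return False
    return m.group(1) in IMPERSONATED_NAMES and not path.startswith(SYSTEM_APP_DIR)


def triage(lines):
    """Apply both heuristics to every non-empty record and collect findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        pid, ppid, path, argv = parse_line(line)
        if is_jxa_from_mounted_image(path, argv):
            findings.append(Finding(pid, "jxa-from-disk-image", argv))
        if is_impersonating_bundle(path):
            findings.append(Finding(pid, "impersonating-bundle", path))
    return findings


# Constructed sample records (not real telemetry): one JXA launch from a
# mounted image, one decoy Finder.app in a user directory, the genuine
# Finder, and a benign AppleScript run that should not be flagged.
SAMPLE_LOG = """\
501|1|/usr/bin/osascript|osascript -l JavaScript /Volumes/Maccy/.installer.js
502|501|/Users/demo/Library/Application Support/Finder.app/Contents/MacOS/Finder|Finder
503|1|/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder|Finder
504|1|/usr/bin/osascript|osascript /Users/demo/scripts/rename.scpt
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"pid {f.pid}: {f.rule} -> {f.detail}")
```

Both heuristics are deliberately narrow: the genuine Finder is excluded by its path rather than its name, and a plain AppleScript invocation is not flagged, so the rules produce signal only on the combination of traits the article describes rather than on `osascript` use in general.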