PamStealer Malware Targets macOS Users via Fake Maccy Clipboard App
A newly identified threat known as PamStealer is being distributed through a counterfeit Maccy clipboard application, designed to extract sensitive data from macOS systems.
Attack Chain Details
The malware leverages a deceptive delivery method involving a disk image containing a compiled AppleScript file, which tricks users into executing malicious code. The attack chain begins with a disk image housing a script named Maccy.scpt. When opened, the file displays instructions prompting users to run the script in Apple’s Script Editor. Beneath a lengthy blank section, hidden malicious code is embedded.
Initial Execution
Researchers noted the use of Greek and Cyrillic characters in the word “Maccy” to evade basic text-based detection mechanisms. Once executed, the initial stage of the attack includes regional checks to determine if the target is located in specific countries, including Russia, Belarus, Kazakhstan, and neighboring regions. If detected, the malware halts further execution. This mechanism suggests the threat is tailored for particular geographic targets.
Malware Behavior
The malicious payload is delivered as a disguised macOS application, mimicking legitimate system components such as Finder or Software Update. These fake applications use authentic-looking bundle identifiers and icons to avoid suspicion. The dropper employs ad hoc signing to launch the payload without displaying a window or Dock icon, leaving behind a .Maccy file as an indicator of compromise.
Data Collection Mechanisms
The Rust-based infostealer, once activated, collects data by accessing browser SQLite databases, leveraging the Security.framework for keychain access, and utilizing the pbpaste utility to capture clipboard content. All communication with the command and control server is encrypted using ChaCha20-Poly1305, with data transmitted in JSON format.
Persistence and Deception
A critical component of the attack involves a deceptive password prompt that mimics macOS’s native interface. The malware requests the user’s account password through a dialog claiming “Maccy wants to make changes.” The entered password is validated via macOS’s Pluggable Authentication Modules (PAM); if it is incorrect, the user is prompted again. Once a valid password is provided, the malware triggers a fake error message stating the app is damaged and should be moved to the Trash, masking its presence.
Full Disk Access Coercion
To maintain persistence, PamStealer attempts to coerce users into granting Full Disk Access. A delayed alert appears, falsely claiming that Finder has lost access to protected data and directing users to System Settings. If approved, the malware gains access to sensitive applications such as Mail, Messages, and Time Machine backups.
Indicators of Compromise
Incident response teams can identify infections by monitoring for specific indicators. These include Script Editor executing code signed by an app stored in Application Support, a Finder process running from non-standard directories, repeated use of pbpaste by the fake Finder, and new login items using copied Apple system icons. The command and control infrastructure for the second stage of the attack is hosted at avenger-sync.live/api/sync, with cache records stored in ~/Library/Caches/com.apple.finder.core/.
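A small triage script, added here as an example and not part of the original report, that checks two of the indicators above: Finder processes running from outside the system path, and the .Maccy marker file and com.apple.finder.core cache directory. The legitimate Finder path and the assumption that .Maccy sits in the user's home directory are not stated in the report and are assumptions of this example; the process lines fed in are constructed.

```bash
#!/usr/bin/env bash
# PamStealer triage helpers (added example). Process data is read from stdin
# so the logic can be exercised offline on constructed sample lines.

# Legitimate Finder binary location (assumption of this example).
LEGIT_FINDER="/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"

# flag_rogue_finder: read "pid path" lines on stdin (the shape produced on
# macOS by `ps -axo pid=,comm=`) and print every Finder process whose
# executable is not the system Finder. Paths may contain spaces.
flag_rogue_finder() {
  while read -r pid path; do
    case "$path" in
      */Finder) [ "$path" = "$LEGIT_FINDER" ] || printf '%s %s\n' "$pid" "$path" ;;
    esac
  done
}

# check_filesystem_iocs: look for the marker file and cache directory the
# report names under the given home directory (defaults to $HOME).
# The .Maccy location is an assumption. Returns 0 when nothing is found.
check_filesystem_iocs() {
  local home="${1:-$HOME}" found=0
  if [ -e "$home/.Maccy" ]; then
    echo "IOC: $home/.Maccy marker file present"; found=1
  fi
  if [ -d "$home/Library/Caches/com.apple.finder.core" ]; then
    echo "IOC: $home/Library/Caches/com.apple.finder.core/ cache directory present"; found=1
  fi
  return "$found"
}

# Constructed sample process list: one legitimate Finder, one fake Finder
# launched from Application Support, and an unrelated pbpaste call.
SAMPLE_PROCS='312 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
4711 /Users/alice/Library/Application Support/Finder.app/Contents/MacOS/Finder
500 /usr/bin/pbpaste'

printf '%s\n' "$SAMPLE_PROCS" | flag_rogue_finder
check_filesystem_iocs "$HOME" || echo "filesystem indicators found"
# Live use on a macOS host: ps -axo pid=,comm= | flag_rogue_finder
```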
Recommendations
Users and administrators are advised to obtain clipboard managers exclusively from verified sources, such as the official Maccy project page. Any application delivered as a .scpt file requiring execution in Script Editor should be treated as suspicious. Additionally, unexpected password prompts or applications behaving outside normal macOS conventions warrant immediate investigation.
