PamStealer Mimics Maccy Clipboard Manager to Harvest macOS Data
What happened
Jamf Threat Labs discovered a new macOS infostealer called PamStealer that disguises itself as Maccy, a popular open-source clipboard manager. The attack begins with a malicious disk image named Maccy.dmg, which contains a compiled AppleScript file. When opened, the file shows harmless-looking instructions prompting the user to press Run, triggering hidden code embedded inside the script.
The first-stage AppleScript acts as a lightweight dropper and uses JavaScript for Automation through native macOS APIs instead of common command-line tools such as curl or zsh. This helps reduce visible system activity. The script then downloads and installs a second-stage payload that can masquerade as legitimate macOS components such as Finder or Software Update.
PamStealer performs environment checks before running, including CPU architecture, locale, and time zone checks, and exits silently if the device does not match the expected profile. It also avoids systems in Russia and neighboring regions by checking language settings and keyboard layouts. The second stage is a Rust-based Mach-O binary that steals browser passwords, cookies, wallet data, Keychain data, clipboard contents, and other sensitive information.
The malware uses a fake system prompt to ask for the user’s password, then validates the password locally through macOS Pluggable Authentication Modules before capturing it. It also monitors the clipboard through the built-in pbpaste utility, registers itself as a login item for persistence, drops a helper binary disguised as System Settings, and attempts to trick users into granting Full Disk Access. The malware communicates with its command-and-control server using encrypted JSON requests and has also been observed connecting to public Ethereum RPC endpoints.
Who is affected
macOS users are directly affected if they download and open the fake Maccy disk image.
Developers, security professionals, cryptocurrency users, and business users may face higher risk because clipboard managers often handle sensitive material such as passwords, tokens, wallet addresses, API keys, and copied credentials.
Organizations with unmanaged Mac endpoints are also affected if employees can install disk images, approve Full Disk Access prompts, or run unsigned or unfamiliar AppleScript-based applications without security review.
Why CISOs should care
PamStealer shows that macOS malware continues to mature beyond simple stealers. The campaign combines social engineering, native macOS APIs, Rust-based payloads, environment-aware execution, clipboard monitoring, password harvesting, persistence, and encrypted command-and-control traffic.
For CISOs, the clipboard angle is especially important. Many users copy credentials, tokens, wallet addresses, one-time codes, internal URLs, and sensitive snippets during daily work. A clipboard-focused stealer can capture valuable data without needing direct access to every application.
The fake password prompt also creates a practical endpoint risk. By validating the password locally before stealing it, the malware can reduce noise and avoid capturing incorrect entries, making the collected credentials more useful to attackers.
The campaign also reinforces the need to treat Mac software distribution as a security control. A fake disk image impersonating a trusted open-source app can bypass user skepticism if the download path or source is not carefully controlled.
3 practical actions
Restrict untrusted disk images and scripts: PamStealer begins with a fake Maccy.dmg and AppleScript dropper. Security teams should limit installation from unapproved sources and monitor disk images, AppleScript execution, and JavaScript for Automation activity.
Harden macOS privacy permissions: The malware attempts to gain Full Disk Access and persistence as a login item. CISOs should enforce MDM controls, review applications with sensitive permissions, and alert on new login items or suspicious helper binaries.
Monitor for clipboard and credential theft behavior: PamStealer collects clipboard contents, browser data, Keychain data, and wallet information. Defenders should investigate unusual pbpaste usage, fake password prompts, suspicious browser database access, and encrypted outbound traffic to unfamiliar domains.
Cybersecurity in the news:
U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case
European Parliament Spyware Investigator Hacked With Pegasus
North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
UK National Cyber Action Plan Delayed Amid Labour Leadership Crisis
Flipper Zero Firmware Development Continues With Community Help


