
New PamStealer macOS Malware Uses Clever Tradecraft To Remain Stealthy (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Researchers have found a never-before-seen piece of macOS malware that combines a series of clever tradecraft to infect Macs with stealthy, custom-developed credential-stealing code. The malware is delivered in two stages. The first is distributed in a disk image that masquerades as Maccy, a clipboard manager for Macs. It's compiled as AppleScript that is notable for the way it delivers the second stage. The malware is named PamStealer because the Rust-written infostealer uses the Pluggable Authentication Modules interface built into macOS to validate the target's login password before sending it to an attacker-controlled server.

[...] PamStealer shows a native password prompt designed to resemble a system authorization request. Text that appears with the prompt says: "Maccy wants to make changes. Enter your password to allow this." As noted earlier, once a target complies, the malware validates it locally through the PAM API. "This check is done entirely through PAM: there is no call out to dscl, security, osascript or any spawned process to verify the password, as many commodity macOS stealers do," [said Jamf, a security firm for macOS users]. "The result is a quieter routine that keeps only a verified password, and one fewer process chain for defenders to detect on."

If the validation fails, PamStealer displays the prompt again until it receives the correct one. Once the target enters the correct password, PamStealer displays a message stating that the file is damaged and can't be installed. This is designed to be a decoy to prevent the target from suspecting anything is amiss. The malware uses tactics to maximize the information it can steal. One tactic is to request the target grant full disk access to the fake Maccy app. It also contains code designed to access Ethereum accounts. The various techniques -- particularly the Script Editor lure, a self-contained JXA dropper, a Rust-based second stage, and local validation of credentials through PAM -- are all noteworthy.
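The summary above describes a lure whose only leverage is that the bundle is called "Maccy" and raises a native-looking password prompt. The check a practitioner would want before typing anything into such a prompt is whether the bundle actually carries the signing identity of the real project and is a native application rather than an app exported from Script Editor. The script below is an added example written for this page; it is not from the Ars Technica report, the Jamf write-up, or the Maccy project. EXPECTED_ID and EXPECTED_TEAM are placeholders (the real project's bundle identifier and Team ID are not on this page), and the applet heuristic assumes the usual layout of Script Editor-exported apps (an executable named `applet` plus `Contents/Resources/Scripts/main.scpt`).

```shell
#!/bin/sh
# Added defender-side check, not code from the report or the project it describes.
# Before entering a password into a prompt raised by a freshly downloaded "Maccy" app,
# verify the bundle's signing identity and make sure it is not a Script Editor applet.
# EXPECTED_ID / EXPECTED_TEAM are placeholders: substitute the values the real project publishes.
EXPECTED_ID="${EXPECTED_ID:-EXPECTED.BUNDLE.ID}"
EXPECTED_TEAM="${EXPECTED_TEAM:-EXPECTEDTEAMID}"

# Extract one "Key=Value" field from `codesign -dv --verbose=4` output (codesign prints it to stderr).
cs_field() {            # usage: cs_field <codesign-output> <Key>
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# 0 when Identifier and TeamIdentifier both match the expected values, 1 otherwise.
# Ad-hoc or unsigned bundles have no TeamIdentifier line at all, so they fail here too.
signature_ok() {        # usage: signature_ok <codesign-output>
    id=$(cs_field "$1" Identifier)
    team=$(cs_field "$1" TeamIdentifier)
    [ "$id" = "$EXPECTED_ID" ] && [ "$team" = "$EXPECTED_TEAM" ]
}

# 0 when the bundle has the layout of an app exported from Script Editor (assumption: such
# applets ship Contents/Resources/Scripts/main.scpt and an executable literally named "applet").
looks_like_applet() {   # usage: looks_like_applet <path/to/App.app>
    [ -f "$1/Contents/Resources/Scripts/main.scpt" ] || [ -x "$1/Contents/MacOS/applet" ]
}

# Full check against a real bundle on macOS: signature fields, applet layout, Gatekeeper verdict.
check_app() {           # usage: check_app <path/to/App.app>
    app="$1"
    out=$(codesign -dv --verbose=4 "$app" 2>&1) || { echo "REJECT: $app is not signed"; return 1; }
    if ! signature_ok "$out"; then
        echo "REJECT: signing identity of $app is not the expected one"
        printf '%s\n' "$out" | grep -E '^(Identifier|TeamIdentifier|Authority)='
        return 1
    fi
    if looks_like_applet "$app"; then
        echo "REJECT: $app is a Script Editor applet, not a native application"
        return 1
    fi
    # Gatekeeper assessment: a notarized Developer ID app is "accepted", anything else is not.
    if ! spctl --assess --type execute "$app" 2>/dev/null; then
        echo "REJECT: Gatekeeper does not accept $app"
        return 1
    fi
    echo "OK: $app matches the expected signing identity and passes Gatekeeper"
}

# Run the full check when given a bundle path; with no argument the script only defines functions.
if [ "$#" -gt 0 ]; then
    check_app "$1"
fi
```

Run it as `EXPECTED_ID=... EXPECTED_TEAM=... sh check_app.sh /Volumes/Maccy/Maccy.app` on the mounted disk image, before the app is copied anywhere or opened. A name match on the bundle proves nothing; a mismatched or missing TeamIdentifier, an `applet` executable, or a Gatekeeper rejection is each a reason to discard the image rather than answer its password prompt.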

  • by PPH ( 736903 ) on Friday July 03, 2026 @11:09AM (#66221442)

    ... Rust being put to use improving our computing security.

  • AppleScript has become a loophole that bypasses the whole get certified by Apple security technique. Expect more loopholes like this in the future and other cat and magic mouse chases.
    • What has AppleScript to do with that?

      Same problem if it was a Bash script or a compiled C program ...

    • This has nothing to do with AppleScript. It has to do with the boneheaded decision to have Mac OS X and its successor constantly prompting users for passwords to do "admin" things, even if they're logged in as an admin. This has been a flaw since 10.0, and I was complaining about it in the 10.2 days, and getting told I shouldn't worry my pretty little head about it and that nobody would ever write malware that puts up something that looks like a system request for your password, such a fraud would be unposs

  • Since you have to, you know, give it your password.
  • by Rei ( 128717 )

    Once the target enters the correct password, PamStealer displays a message stating that the file is damaged and can't be installed. This is designed to be a decoy to prevent the target from suspecting anything is amiss.

    Same sort of technique I used back in secondary school, lol ;) We had a programming class (in Basic on DOS), and it was painfully trivial, so I'd always complete the assignments in like 5 minutes and then spend the rest of class messing around. So one thing I wrote was a program that mimick

  • Must be a slow news day. The end user has to download and install the “malware” and then give it the admin password.
    • Thank God Mac OS X hasn't been training people to enter their admin password whenever they install anything or do anything adminy using an easily replicated dialog since 2001. Otherwise people might fall for this!

  • Every time I install a 3rd party app, I worry about typing my password for anything. I mean I guess I could change root, install the app, and change root back. That is the number one reason I do NOT hate the walled garden. It can be annoying, but the odds are that your apps are safe.
