PamStealer: macOS Malware Posing as Clipboard Manager App
PamStealer: a Rust-based macOS infostealer that validates credentials through PAM
Jamf Threat Labs investigates PamStealer, a macOS infostealer disguised as the legitimate Maccy clipboard manager that uses a two-stage attack chain to silently harvest data and clipboard contents while evading detection.
July 2, 2026, by Jamf Threat Labs
By Thijs Xhaflaire

Introduction

While reviewing results from our sample pipeline, Jamf Threat Labs identified a macOS infostealer distributed as a compiled AppleScript (.scpt) file impersonating "Maccy," a legitimate open-source clipboard manager. We are tracking this malware under the name PamStealer after one of its core behaviors: validating the victim's login password through the macOS Pluggable Authentication Modules (PAM) before harvesting it.

PamStealer is delivered in two stages. The first is a compiled AppleScript distributed inside a disk image that downloads and stages a second-stage payload. The second is a Rust-based Mach-O infostealer responsible for credential theft, browser data collection, persistence and exfiltration. The dropper is hosted on the fake domain maccyapp[.]com, which impersonates the legitimate Maccy project.

Although disk images and AppleScript-based malware are well established on macOS, PamStealer combines them in a way worth noting. Rather than relying on shell commands such as curl or zsh, the AppleScript executes a self-contained JavaScript for Automation (JXA) downloader that retrieves and stages the payload using native Objective-C APIs. Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity macOS stealers.

Throughout this post, we examine PamStealer in two stages, the AppleScript dropper and the Rust stealer, and highlight the behaviors that are most relevant from a defender's perspective.

The lure: a "Maccy" clipboard manager distributed through a disk image
The sample arrives as a file named Maccy.scpt, distributed on a disk image and dressed up as an app for the Maccy clipboard manager. By design, macOS opens a .scpt file in Script Editor when it is double-clicked. The attacker leans on this: the visible content of the document is a short, branded set of instructions, while the real logic sits far down the file behind a large block of empty lines.
The instruction to press ⌘+R (or click the ▶ Run button) is the entire social-engineering payload. Running the script in Script Editor executes the embedded code directly. Notably, this works even when the file still carries the com.apple.quarantine attribute: Script Editor runs a quarantined script without the Gatekeeper prompt an app bundle would trigger, which is what makes the approach attractive to attackers as Apple continues to tighten Gatekeeper and Terminal.

One deliberate detail: in the word "Maccy," the lure text uses homoglyphs, Greek and Cyrillic characters that render identically to their Latin counterparts. The displayed lure is indistinguishable to a human reader, while the swapped characters frustrate simple string matching on the decoy text.

Stage one: the AppleScript dropper

The compiled AppleScript is a thin wrapper around a JXA payload. Although the JXA is obfuscated to slow analysis, its behavior is straightforward: it downloads, stages and launches the second-stage payload using native macOS APIs. Unlike many AppleScript-based downloaders that invoke utilities such as curl, osascript or zsh, the dropper performs these actions directly through NSURLSession and the Objective-C bridge. This reduces visible process creation during execution and leaves fewer behavioral artifacts (child processes, command lines) for defenders to key on.

Environment-aware execution

Rather than carrying its configuration in cleartext, the dropper derives a key from a fingerprint of the host (CPU architecture, locale, keyboard layout and time zone) and uses it to unlock an encrypted, integrity-checked configuration that holds the payload URL and install path. The configuration only unlocks on a valid target. In the samples we analyzed it was keyed to Apple silicon; on an Intel host the derived key differs, the configuration fails to unlock and the dropper silently terminates.

Region-based exclusion

Before proceeding, the script checks the host against an exclusion list using three independent signals: the system time zone (against a set including Europe/Moscow, Europe/Minsk and Asia/Almaty), the country code and identifier from the system locale (RU, BY, KZ, AM, AZ, KG, MD, TJ, UZ, TM, GE), and the active keyboard input sources (against Russian, Belarusian, Kazakh and other regional layouts). Because these checks feed the key derivation, a match in any one of them quietly prevents the configuration from unlocking; there is no explicit branch for an analyst to patch out.

Anti-analysis...
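The homoglyph trick described in the lure section above is easy to miss by eye but easy to detect mechanically. The following is an added example for this post, not code from the sample or from Jamf: it classifies each letter by Unicode script and flags strings that mix Latin with Greek or Cyrillic, then maps a small set of known confusables back to Latin so the spoofed brand string compares equal to the genuine one. The spoofed strings and the confusables table are constructed for the example; the table is a subset, not a complete confusables database.

```python
"""Detect mixed-script (homoglyph) spoofing in decoy text.

Added example for this post; not the malware's code and not a complete
confusables database. The spoofed sample strings below are constructed.
"""
import unicodedata

# Small illustrative confusables table: non-Latin letters that render like a
# Latin letter, mapped to that Latin letter. (Subset; constructed for the example.)
CONFUSABLES = {
    "\u041c": "M",  # CYRILLIC CAPITAL LETTER EM
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u039c": "M",  # GREEK CAPITAL LETTER MU
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03c5": "y",  # GREEK SMALL LETTER UPSILON
}


def script_of(ch):
    """Coarse script label for a letter, taken from its Unicode character name.
    Returns None for digits, punctuation and whitespace."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def scripts_used(text):
    """Set of scripts used by the letters in text."""
    return {s for s in (script_of(c) for c in text) if s}


def is_homoglyph_spoof(text, expected_script="LATIN"):
    """True when text contains the expected script mixed with any other script.
    A purely Cyrillic string is not a spoof of a Latin brand by this test;
    the signal is the mixture."""
    scripts = scripts_used(text)
    return expected_script in scripts and len(scripts) > 1


def skeleton(text):
    """Fold known confusables to their Latin look-alikes so the spoofed and
    genuine strings can be compared with ordinary equality."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


GENUINE = "Maccy"
# Constructed: Cyrillic EM, a, es, es + Latin y. Renders as "Maccy".
SPOOFED_CYRILLIC = "\u041c\u0430\u0441\u0441y"
# Constructed: Latin "Macc" + Greek upsilon. Also renders as "Maccy".
SPOOFED_GREEK = "Macc\u03c5"


def report(text):
    """Per-character breakdown useful when triaging a lure document."""
    return [(c, unicodedata.name(c, "?"), script_of(c)) for c in text]


if __name__ == "__main__":
    for s in (GENUINE, SPOOFED_CYRILLIC, SPOOFED_GREEK):
        print(repr(s), "spoof:", is_homoglyph_spoof(s),
              "scripts:", sorted(scripts_used(s)), "skeleton:", skeleton(s))
```

The same check applies to the file name, the document title and the domain shown in the lure; a detection rule that keys on `skeleton(text) == "Maccy"` together with `is_homoglyph_spoof(text)` catches the decoy regardless of which letters were swapped.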
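The host-keyed configuration from the environment-aware execution and region-based exclusion sections above, as an added illustration written for this post. It is not the dropper's code and makes no claim about the sample's exact key derivation, cipher or field layout; it reproduces the technique: derive a key from CPU architecture, locale, keyboard layouts and time zone, fold the exclusion verdict into that derivation, and use the result to decrypt and authenticate a configuration blob. On an Intel host or an excluded region the key differs, authentication fails, and the caller gets nothing to act on. The cipher is a toy (SHA-256 keystream plus HMAC) so the example runs with the standard library only; the fingerprints and the config values are constructed and the URL is hypothetical.

```python
"""Host-fingerprint-keyed configuration (added illustration, not the
malware's code). Exclusion lists follow the post; the cipher is a toy
construction so this runs with the standard library only."""
import hashlib
import hmac
import json
import os

# Exclusion signals as reported in the analysis (the sample's lists may be longer).
EXCLUDED_TZ = {"Europe/Moscow", "Europe/Minsk", "Asia/Almaty"}
EXCLUDED_COUNTRIES = {"RU", "BY", "KZ", "AM", "AZ", "KG", "MD", "TJ", "UZ", "TM", "GE"}
EXCLUDED_LAYOUTS = {"Russian", "Belarusian", "Kazakh"}


def region_excluded(fp):
    """Three independent signals; any one match excludes the host."""
    return (fp["tz"] in EXCLUDED_TZ
            or fp["country"] in EXCLUDED_COUNTRIES
            or bool(set(fp["layouts"]) & EXCLUDED_LAYOUTS))


def derive_key(fp):
    """Key = SHA-256 over the canonical fingerprint plus the exclusion verdict.
    Because the verdict is an input to the key, an excluded host fails at
    decryption time rather than at an obvious, patchable 'if' branch."""
    canon = "|".join([fp["arch"], fp["country"], fp["tz"],
                      ",".join(sorted(fp["layouts"])),
                      "excluded" if region_excluded(fp) else "ok"])
    return hashlib.sha256(canon.encode()).digest()


def _subkeys(key):
    """Separate encryption and MAC keys derived from the host key."""
    return (hashlib.sha256(key + b"enc").digest(),
            hashlib.sha256(key + b"mac").digest())


def _keystream(enc_key, nonce, length):
    """Toy counter-mode keystream built from SHA-256 (illustration only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, config, nonce=None):
    """Encrypt-then-MAC a JSON config. Layout: nonce(12) | ciphertext | tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = nonce or os.urandom(12)
    pt = json.dumps(config, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_config(key, blob):
    """Return the config dict, or None when the key does not authenticate the
    blob (wrong architecture, excluded region, or tampered blob)."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # the dropper would silently terminate here
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


# Constructed fingerprints, not taken from any real host.
TARGET = {"arch": "arm64", "country": "US", "tz": "America/Los_Angeles", "layouts": ["US"]}
INTEL_HOST = dict(TARGET, arch="x86_64")
EXCLUDED_HOST = dict(TARGET, country="RU", tz="Europe/Moscow", layouts=["US", "Russian"])

# Hypothetical values; the sample's real URL and install path are not reproduced.
CONFIG = {"url": "https://example.invalid/stage2", "install": "/tmp/.stage2"}


def run(fp, blob):
    """What a dropper does with the blob: unlock and return the URL, or nothing."""
    cfg = open_config(derive_key(fp), blob)
    return cfg["url"] if cfg else None


if __name__ == "__main__":
    blob = seal(derive_key(TARGET), CONFIG)
    for name, fp in (("apple silicon", TARGET), ("intel", INTEL_HOST),
                     ("excluded region", EXCLUDED_HOST)):
        print(f"{name}: {run(fp, blob)}")
```

For an analyst this also shows why static extraction of the URL from the dropper is not enough: the configuration is only recoverable when the derivation is replayed with a fingerprint the author intended to target, so a sandbox reporting an Intel CPU, a Russian keyboard layout or a Moscow time zone will observe nothing but a clean exit.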