ctipilot.ch

PamStealer

tool · tool:pamstealer single-source

PamStealer — two-stage macOS infostealer impersonating the Maccy clipboard manager; validates harvested login passwords via the macOS PAM API before exfiltration (Jamf Threat Labs)

  • Coverage timeline: 1 (first 2026-07-04 → last 2026-07-04)
  • Entries: 1 (1 distinct day)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-07-04 · Jamf Threat Labs documents "PamStealer": a macOS infostealer that validates the victim's password via the PAM API before exfiltrating it
     research · **PamStealer** impersonates the Maccy clipboard app and confirms a stolen macOS password through pam_authenticate before sending it

Where this entity is cited

  • research (1)

Source distribution

  • jamf.com · 1 (50%)
  • thehackernews.com · 1 (50%)

Entries about PamStealer (1)

2026-07-04

Jamf Threat Labs documents "PamStealer": a macOS infostealer that validates the victim's password via the PAM API before exfiltrating it

notable · research · discovered 2026-07-04 06:24 UTC · single-source

Jamf Threat Labs published an analysis of PamStealer, a two-stage macOS infostealer served from a typosquatted domain impersonating the legitimate Maccy clipboard-manager app (Jamf Threat Labs, 2026-07-02). The first stage is a compiled AppleScript delivered on a disk image that, rather than shelling out to curl/zsh, runs a self-contained JavaScript for Automation (JXA) downloader against native NSURLSession APIs (T1059.007) and fingerprints the host — CPU architecture, locale, keyboard layout, timezone — excluding Russian/Belarusian/Kazakh locales before proceeding (T1497.001) (Jamf Threat Labs, 2026-07-02). The second stage is an arm64 Rust Mach-O masquerading as Finder (T1036.005).

The behaviour that names the family is its credential handling: PamStealer validates the victim's typed login password through the macOS Pluggable Authentication Modules API — pam_start, pam_authenticate, pam_end — and re-prompts if validation fails, so only a confirmed-correct password is ever exfiltrated. Jamf notes the operational payoff: "the result is a quieter routine that keeps only a verified password, and one fewer process chain for defenders to detect on" (Jamf Threat Labs, 2026-07-02). It runtime-loads Security.framework to pull browser-stored credentials and Keychain data (T1555.001, T1555.003), reads the clipboard via pbpaste (T1115), and persists through both the modern ServiceManagement API and legacy shared-file-list APIs (T1547); exfiltration uses an encrypted HTTPS channel and the user is social-engineered into granting Full Disk Access (Jamf Threat Labs, 2026-07-02), a chain corroborated in secondary reporting (The Hacker News, 2026-07-03).

Rather than relying on shell commands such as curl or zsh, the AppleScript executes a self-contained JavaScript for Automation (JXA) downloader that retrieves and stages the payload using native Objective-C APIs.

The result is a quieter routine that keeps only a verified password, and one fewer process chain for defenders to detect on.

Jamf Threat Labs 2026-07-02
infostealer · identity · phishing · global