Daily brief 2026-07-04
Jamf Threat Labs documents "PamStealer": a macOS infostealer that validates the victim's password via the PAM API before exfiltrating it
Entities: PamStealer
Part of run 2026-07-04T0609Z-intel (intel · Anthropic Claude (specific model not determined))
Jamf Threat Labs published an analysis of PamStealer, a two-stage macOS infostealer served from a typosquatted domain impersonating the legitimate Maccy clipboard-manager app (Jamf Threat Labs, 2026-07-02). The first stage is a compiled AppleScript delivered on a disk image that, rather than shelling out to curl/zsh, runs a self-contained JavaScript for Automation (JXA) downloader against native NSURLSession APIs (T1059.007) and fingerprints the host — CPU architecture, locale, keyboard layout, timezone — excluding Russian/Belarusian/Kazakh locales before proceeding (T1497.001) (Jamf Threat Labs, 2026-07-02). The second stage is an arm64 Rust Mach-O masquerading as Finder (T1036.005).
The behaviour that names the family is its credential handling: PamStealer validates the victim's typed login password through the macOS Pluggable Authentication Modules API — pam_start, pam_authenticate, pam_end — and re-prompts if validation fails, so only a confirmed-correct password is ever exfiltrated. Jamf notes the operational payoff: "the result is a quieter routine that keeps only a verified password, and one fewer process chain for defenders to detect on" (Jamf Threat Labs, 2026-07-02). It runtime-loads Security.framework to pull browser-stored credentials and Keychain data (T1555.001, T1555.003), reads the clipboard via pbpaste (T1115), and persists through both the modern ServiceManagement API and legacy shared-file-list APIs (T1547); exfiltration uses an encrypted HTTPS channel and the user is social-engineered into granting Full Disk Access (Jamf Threat Labs, 2026-07-02), a chain corroborated in secondary reporting (The Hacker News, 2026-07-03).
Quoted from the Jamf Threat Labs analysis (2026-07-02):
"Rather than relying on shell commands such as curl or zsh, the AppleScript executes a self-contained JavaScript for Automation (JXA) downloader that retrieves and stages the payload using native Objective-C APIs."
"The result is a quieter routine that keeps only a verified password, and one fewer process chain for defenders to detect on."
Action items
- Enforce Gatekeeper and notarization policy so unsigned or ad-hoc-signed applications launched from a mounted disk image cannot run; block AppleScript execution from quarantined/mounted images via an EDR script-control policy.
- Alert, from the macOS Unified Log, on pam_authenticate invoked by any process other than loginwindow, sudo or su; legitimate password validation does not originate from a downloaded binary.
- Restrict Full Disk Access grants by MDM policy and alert on new TCC.db entries for unrecognized bundle IDs, since the malware social-engineers the user into granting FDA.
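The second and third action items can be turned into a small fleet audit. The Python below is an added example for this brief, not code from Jamf Threat Labs or from the PamStealer analysis. It assumes two things that are not on the page: that the Unified Log has been exported with `log show --style json` (whose records carry `processImagePath` and `eventMessage` keys) and that a PAM validation shows up with the string "pam_authenticate" in `eventMessage`; the exact message text on a given macOS build may differ and should be confirmed against a known-good login before the rule is deployed. The TCC table is an in-memory subset of the real `access` table in `/Library/Application Support/com.apple.TCC/TCC.db` (reading the real file itself requires Full Disk Access), Full Disk Access being the `kTCCServiceSystemPolicyAllFiles` service. All rows, log events and allowlists are constructed.

```python
import sqlite3

# Bundle IDs expected to hold Full Disk Access on this fleet (constructed allowlist).
FDA_ALLOWLIST = {"com.apple.Terminal", "com.example.edr-agent"}

# Processes that legitimately validate passwords through PAM, per the action item
# (loginwindow, sudo, su); paths are the stock locations on macOS.
PAM_CALLER_ALLOWLIST = {
    "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow",
    "/usr/bin/sudo",
    "/usr/bin/su",
}

FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"  # Full Disk Access in TCC.db
TCC_ALLOWED = 2  # auth_value 2 == allowed; 0 == denied


def build_sample_tcc_db() -> sqlite3.Connection:
    """In-memory stand-in for the TCC.db 'access' table.
    Only the columns this check reads are modelled; every row is constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT NOT NULL, client TEXT NOT NULL, "
        "client_type INTEGER NOT NULL, auth_value INTEGER NOT NULL, "
        "last_modified INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?)", [
        (FDA_SERVICE, "com.apple.Terminal", 0, TCC_ALLOWED, 1782000000),
        (FDA_SERVICE, "com.example.edr-agent", 0, TCC_ALLOWED, 1782000000),
        # constructed: an unrecognised bundle id granted FDA after the others
        (FDA_SERVICE, "com.fake.maccy-helper", 0, TCC_ALLOWED, 1782100000),
        # constructed: a denied FDA request, which must not be reported
        (FDA_SERVICE, "com.fake.other", 0, 0, 1782100000),
        # constructed: a grant for a different service, outside this check's scope
        ("kTCCServiceMicrophone", "com.fake.maccy-helper", 0, TCC_ALLOWED, 1782100000),
    ])
    return conn


def unexpected_fda_grants(conn: sqlite3.Connection, allowlist=FDA_ALLOWLIST):
    """Return allowed Full Disk Access grants whose client is not on the allowlist,
    oldest first, so a newly social-engineered grant appears at the end."""
    rows = conn.execute(
        "SELECT client, client_type, last_modified FROM access "
        "WHERE service = ? AND auth_value = ? ORDER BY last_modified",
        (FDA_SERVICE, TCC_ALLOWED),
    )
    return [
        {"client": client, "client_type": ctype, "last_modified": modified}
        for client, ctype, modified in rows
        if client not in allowlist
    ]


# Constructed records in the shape of `log show --style json` output (assumption:
# the real export carries these keys; the pam_authenticate message text is assumed).
SAMPLE_LOG_EVENTS = [
    {"timestamp": "2026-07-03 09:14:02.118000+0000",
     "processImagePath": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow",
     "eventMessage": "pam_authenticate: user=alice"},
    {"timestamp": "2026-07-03 09:15:11.004000+0000",
     "processImagePath": "/usr/bin/sudo",
     "eventMessage": "pam_authenticate: user=alice"},
    {"timestamp": "2026-07-03 09:16:40.551000+0000",
     "processImagePath": "/Volumes/Maccy/Maccy.app/Contents/MacOS/Finder",  # constructed
     "eventMessage": "pam_authenticate: user=alice"},
    {"timestamp": "2026-07-03 09:16:41.020000+0000",
     "processImagePath": "/usr/libexec/securityd",
     "eventMessage": "unrelated keychain message"},
]


def suspicious_pam_callers(events, allowlist=PAM_CALLER_ALLOWLIST):
    """Flag PAM validations from any process outside the allowlist, and note when
    the caller runs from a mounted volume (the disk-image delivery in the brief)."""
    hits = []
    for ev in events:
        if "pam_authenticate" not in ev.get("eventMessage", ""):
            continue
        path = ev.get("processImagePath", "")
        if path in allowlist:
            continue
        reasons = ["caller not in PAM allowlist"]
        if path.startswith("/Volumes/"):
            reasons.append("runs from a mounted volume")
        hits.append({"timestamp": ev.get("timestamp"), "process": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for grant in unexpected_fda_grants(build_sample_tcc_db()):
        print("unexpected FDA grant:", grant)
    for hit in suspicious_pam_callers(SAMPLE_LOG_EVENTS):
        print("suspicious PAM caller:", hit)
```

Both checks are allowlist-driven rather than signature-driven: a renamed second stage (the brief notes it masquerades as Finder) is caught because the path it runs from, not its name, decides whether it belongs on the list. On a real host, replace `build_sample_tcc_db()` with a read-only connection to the TCC database and feed `suspicious_pam_callers` the parsed JSON array from `log show --style json`.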