
Researchers have discovered a previously unseen piece of macOS malware that combines several clever pieces of tradecraft to infect Macs with stealthy, purpose-built credential-stealing code.
The malware is delivered in two stages. The first stage is distributed in a disk image masquerading as the Maccy clipboard manager for Mac; it is written as an AppleScript and is notable mainly for how it introduces the second stage. The malware is named PamStealer because the data stealer, written in Rust, uses the Pluggable Authentication Modules (PAM) interface built into macOS to validate a target’s login password before sending it to an attacker-controlled server.
A quieter execution chain
Using a disk image and an AppleScript is common in Mac malware. What is less common is combining the two for stealth the way PamStealer does. Double-clicking an AppleScript opens it in the macOS Script Editor, and here the malicious functionality is buried deep within the file.
“Instead of relying on shell commands like curl or zsh, the AppleScript implements a JavaScript for Automation (JXA) loader that retrieves and stages the payload using native Objective-C APIs,” researchers at Jamf, a security firm serving macOS users, wrote. “Combined with a Rust-based second stage and a password capture workflow that validates credentials natively via PAM, the result is a quieter chain of execution than we typically see in macOS hacks.”
A user who opens the disk image expecting to install a trusted clipboard manager is prompted to press Command-R immediately after double-clicking the script. That key combination runs the script inside Script Editor, executing the malicious AppleScript directly. It also sidesteps com.apple.quarantine, the macOS extended attribute that triggers warnings and restrictions when executable files downloaded from the Internet are launched.
As Jamf explains:
PamStealer combines an emerging delivery surface with a less familiar payload. While the clickable .scpt and Script Editor build on tradecraft already established in the macOS threat landscape, the malware differs with a standalone JXA dropper, a Rust-based second stage, and a password capture workflow that validates credentials locally via PAM before harvesting them. This second stage goes to great lengths to remain stealthy: masquerading as the Finder, encrypting its command and control traffic, and delaying prompts like the Full Disk Access prompt for up to forty minutes so that its activity does not coincide with its launch. Together, these behaviors suggest that macOS hijackers continue to evolve by adopting quieter execution chains and native applications that reduce traditional detection capabilities while blending in with standard macOS features.
The first stage drops its payload inside an app bundle that mimics a genuine component installed on macOS. Which component varies from sample to sample: Finder.app with the bundle identifier com.apple.finder.core or com.apple.finder.monitor, and Software Update.app under com.apple.security.daemon, are two examples. In both cases the bundle runs hidden, and it uses macOS’s own Finder.icns as its icon.
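The masquerading described above leaves artifacts a defender can check for: an app bundle whose Info.plist claims an Apple bundle identifier but lives outside the locations where Apple ships software, runs hidden, and borrows the Finder icon. The following script is an added example, not Jamf's code or anything recovered from the malware; the bundle paths, identifiers and the "ClipboardHelper" decoy are constructed fixtures built in a temporary directory, and the heuristics are assumptions drawn only from the indicators the article names.

```python
"""Flag app bundles that impersonate Apple components (added example).

Heuristics (assumed, based on the indicators described in the article):
  * CFBundleIdentifier starts with "com.apple." but the bundle sits outside
    the directories Apple owns (/System, /Applications, /Library/Apple, /usr)
  * the bundle uses Finder.icns as its icon without being the real Finder
  * the bundle hides itself (LSUIElement) while claiming to be Apple software
"""
import plistlib
import tempfile
from pathlib import Path

# Locations where Apple-signed bundles legitimately live (assumption).
APPLE_ROOTS = ("/System/", "/Applications/", "/Library/Apple/", "/usr/")


def read_info_plist(bundle: Path) -> dict:
    """Return the parsed Contents/Info.plist, or {} if the bundle has none."""
    plist = bundle / "Contents" / "Info.plist"
    if not plist.is_file():
        return {}
    with plist.open("rb") as fh:
        return plistlib.load(fh)


def suspicious_reasons(bundle: Path, apple_roots=APPLE_ROOTS) -> list[str]:
    """List every heuristic the bundle trips; an empty list means no finding."""
    info = read_info_plist(bundle)
    bundle_id = str(info.get("CFBundleIdentifier", ""))
    icon = str(info.get("CFBundleIconFile", "")).lower()
    path = str(bundle.resolve())
    reasons = []

    in_apple_location = any(path.startswith(root) for root in apple_roots)
    if bundle_id.startswith("com.apple.") and not in_apple_location:
        reasons.append(f"Apple bundle id {bundle_id} outside Apple-owned paths")
    if icon.startswith("finder") and bundle_id != "com.apple.finder":
        reasons.append("uses the Finder icon but is not Finder")
    if info.get("LSUIElement") in (True, 1, "1") and bundle_id.startswith("com.apple."):
        reasons.append("hidden (LSUIElement) bundle claiming to be Apple software")
    return reasons


def scan(root: Path) -> dict[str, list[str]]:
    """Walk root for *.app bundles and map bundle name -> reasons for flagging."""
    findings = {}
    for app in sorted(root.rglob("*.app")):
        reasons = suspicious_reasons(app)
        if reasons:
            findings[app.name] = reasons
    return findings


def write_bundle(bundle: Path, info: dict) -> None:
    """Create a minimal app bundle skeleton with the given Info.plist (fixture)."""
    contents = bundle / "Contents"
    contents.mkdir(parents=True, exist_ok=True)
    with (contents / "Info.plist").open("wb") as fh:
        plistlib.dump(info, fh)


def demo() -> dict[str, list[str]]:
    """Build constructed fixtures in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed: bundle mimicking Finder in a user-writable support folder.
        write_bundle(root / "Library" / "Application Support" / "Finder.app",
                     {"CFBundleIdentifier": "com.apple.finder.core",
                      "CFBundleIconFile": "Finder.icns",
                      "LSUIElement": True})
        # Constructed: ordinary third-party app that should not be flagged.
        write_bundle(root / "Applications" / "ClipboardHelper.app",
                     {"CFBundleIdentifier": "com.example.clipboardhelper",
                      "CFBundleIconFile": "AppIcon.icns"})
        return scan(root)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Pointing `scan()` at a real home directory (`~/Library`, `~/Applications`, `/tmp`) is the intended use; the fixtures in `demo()` exist only so the logic can be exercised offline. The heuristics are deliberately narrow, so a clean result is not proof of absence, and any hit should be followed up with a code-signature check rather than treated as a verdict on its own.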