Newly discovered PamStealer isn't your typical macOS malware
ID: 45a9be59-8552-56cc-bb47-3607def98fb2
STIX ID: report--45a9be59-8552-56cc-bb47-3607def98fb2
Feed Name: Ars Technica Security (category)
PamStealer is a newly observed macOS infostealer delivered via a disk image that lures users into opening an AppleScript which runs a self-contained JavaScript for Automation (JXA) downloader; a Rust-written second stage then validates and captures the victim’s login password using macOS PAM and exfiltrates it to an attacker-controlled server. The malware emphasizes stealth—bypassing com.apple.quarantine, impersonating Finder/Software Update components, encrypting C2 traffic, and delaying permission prompts—to reduce detection opportunities.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
