logo

PamStealer macOS Infostealer Uses Rust Payload to Validate and Steal Passwords

ID: 2568ae6b-c6e9-50a2-bde8-950a700d78f1

STIX ID: report--2568ae6b-c6e9-50a2-bde8-950a700d78f1

Feed Name: Cyber Press

Threat Score
75/100

Date Published: 2026-07-03

Date Updated: 2026-07-03

Author: Lucas Martin

...
...

PamStealer is a macOS infostealer masquerading as the Maccy clipboard manager that uses a two-stage AppleScript/JXA and arm64 Rust payload to harvest browser databases, Keychain entries, and clipboard data; it validates stolen passwords via PAM, exfiltrates encrypted data to avenger-sync.live, employs region checks and device-fingerprinting to evade analysis, and achieves persistence through SMAppService and legacy login items.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.