PamStealer macOS Infostealer Uses Rust Payload to Validate and Steal Passwords
ID: 2568ae6b-c6e9-50a2-bde8-950a700d78f1
STIX ID: report--2568ae6b-c6e9-50a2-bde8-950a700d78f1
Feed Name: Cyber Press
Threat Score
PamStealer is a macOS infostealer masquerading as the Maccy clipboard manager that uses a two-stage AppleScript/JXA and arm64 Rust payload to harvest browser databases, Keychain entries, and clipboard data; it validates stolen passwords via PAM, exfiltrates encrypted data to avenger-sync.live, employs region checks and device-fingerprinting to evade analysis, and achieves persistence through SMAppService and legacy login items.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
