New PamStealer Malware Targets macOS Users via Fake Maccy Clipboard App
ID: 4b5e79b6-197c-58cc-85a8-98e15a848769
STIX ID: report--4b5e79b6-197c-58cc-85a8-98e15a848769
Feed Name: HackRead
Jamf Threat Labs identified a macOS-focused campaign distributing a Rust-based infostealer called PamStealer via a fake Maccy clipboard app delivered in a disk image; the dropper uses obfuscated AppleScript and JavaScript for Automation to download a staged payload, enforces Apple Silicon and regional checks, requests account passwords via a native-looking prompt (verified through PAM), pushes for Full Disk Access, persists as a fake Finder bundle, exfiltrates browser, keychain and clipboard data to an encrypted C2, and leaves several forensic indicators (script-triggered signing, pbpaste usage, login item entries, cache records).
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
