logo

PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords

ID: 315567dd-4adf-569f-bf97-66bee6bd518a

STIX ID: report--315567dd-4adf-569f-bf97-66bee6bd518a

Feed Name: The Hacker News

Threat Score
70/100

Date Published: 2026-07-03

Date Updated: 2026-07-03

Author: [email protected] (The Hacker News)

...
...

PamStealer is a newly observed macOS infostealer delivered through a fake Maccy website and a compiled AppleScript dropper that stages a Rust-based Mach-O stealer; it harvests browser data, wallet extensions, iCloud Keychain, clipboard contents, and captures the victim's system password by validating entries via macOS PAM before exfiltrating encrypted data to avenger-sync.live. The dropper uses JXA and native Objective-C APIs, enforces Apple Silicon-only deployment via host fingerprinting, avoids Eastern European locales and sandboxed environments, and employs a persistence mechanism that impersonates System Settings, making detection and analysis more difficult.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.