    Newly discovered PamStealer isn’t your typical macOS malware

By franperez66q@protonmail.com, July 2, 2026
    Researchers have found a never-before-seen piece of macOS malware that combines a series of clever tradecraft to infect Macs with stealthy, custom-developed credential-stealing code.

    The malware is delivered in two stages. The first is distributed in a disk image that masquerades as Maccy, a clipboard manager for Macs. It’s compiled as AppleScript that is notable for the way it delivers the second stage. The malware is named PamStealer because the Rust-written infostealer uses the Pluggable Authentication Modules interface built into macOS to validate the target’s login password before sending it to an attacker-controlled server.

    A quieter execution chain

    The use of both disk image and AppleScript is common in malware for Macs. More unusual is the way PamStealer combines them to gain stealth. When the AppleScript is double-clicked, it’s opened in the macOS Script Editor, where the malicious functionality is buried deep within the file.

    “Rather than relying on shell commands such as curl or zsh, the AppleScript executes a self-contained JavaScript for Automation (JXA) downloader that retrieves and stages the payload using native Objective-C APIs,” researchers from Jamf, a security firm for macOS users, wrote. “Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity macOS stealers.”

    When a user, expecting to install a trustworthy clipboard manager, encounters the disk image, they’re prompted to press Command-R immediately after double-clicking it. This command executes malicious code inside the AppleScript directly. It also allows the execution to bypass com.apple.quarantine, a macOS attribute that provides warnings and restrictions when executable files have been downloaded from the Internet.

    As Jamf explained:

    PamStealer combines a recently emerging delivery surface with a less familiar payload. While the clickable .scpt and Script Editor lure build on tradecraft that is already gaining adoption across the macOS threat landscape, the malware distinguishes itself through a self-contained JXA dropper, a Rust-based second stage, and a password capture workflow that validates credentials locally through PAM before harvesting them. That second stage puts considerable effort into staying hidden, masquerading as Finder, encrypting its command-and-control traffic, and holding back prompts like the Full Disk Access request for as long as forty minutes so its activity does not line up with launch. Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features.

The first stage puts its payload inside an app bundle that impersonates a genuine component built into macOS. The impersonated component varies from sample to sample: a Finder.app with the bundle identifier com.apple.finder.core or com.apple.finder.monitor, and a Software Update.app with the bundle identifier com.apple.security.daemon, are two examples. In either case, the bundle runs hidden and displays macOS's genuine Finder.icns as its icon.
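A defender-side check built on the details above, added here as an example and not code from Jamf or the article: it walks a directory tree, parses each .app bundle's Info.plist, and flags bundles whose CFBundleIdentifier matches the identifiers named for PamStealer or that claim a com.apple.* identifier outside paths Apple owns. The Apple-owned path list, the use of LSUIElement/LSBackgroundOnly as the "runs hidden" indicator, and the sample bundles in demo() are all assumptions constructed for this example.

```python
import os
import plistlib
import tempfile
from pathlib import Path
# Bundle identifiers the article lists for PamStealer's disguised second stage.
KNOWN_IMPERSONATED_IDS = {"com.apple.finder.core", "com.apple.finder.monitor",
                          "com.apple.security.daemon"}
# Where genuine Apple bundles normally live (an assumption made for this example).
APPLE_OWNED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")

def scan_bundles(root):
    """Return (path, bundle id, reasons) for each suspicious .app bundle under root."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        if not dirpath.endswith(".app"):
            continue
        info = Path(dirpath, "Contents", "Info.plist")
        try:
            with open(info, "rb") as f:
                plist = plistlib.load(f)
        except (plistlib.InvalidFileException, OSError):
            continue  # no readable Info.plist: not a well-formed bundle, skip it
        bundle_id = str(plist.get("CFBundleIdentifier", ""))
        reasons = []
        if bundle_id in KNOWN_IMPERSONATED_IDS:
            reasons.append("bundle id matches a PamStealer sample")
        elif bundle_id.startswith("com.apple.") and not dirpath.startswith(APPLE_OWNED_PREFIXES):
            reasons.append("com.apple.* bundle id outside an Apple-owned path")
        # LSUIElement/LSBackgroundOnly keep an app out of the Dock; the article only says the
        # stage runs hidden, so using these keys as the indicator is an assumption here.
        if plist.get("LSUIElement") or plist.get("LSBackgroundOnly"):
            reasons.append("declares itself a hidden/background app")
        if reasons:
            findings.append((dirpath, bundle_id, reasons))
    return findings

def write_bundle(root, name, plist):
    # Minimal .app skeleton with the given Info.plist (constructed test data).
    contents = Path(root, name, "Contents")
    contents.mkdir(parents=True)
    with open(contents / "Info.plist", "wb") as f:
        plistlib.dump(plist, f)

def demo():
    """Constructed sample: a fake Finder.app beside a benign clipboard manager."""
    root = tempfile.mkdtemp()
    write_bundle(root, "Finder.app", {"CFBundleIdentifier": "com.apple.finder.core",
                                      "CFBundleIconFile": "Finder.icns", "LSUIElement": True})
    write_bundle(root, "Maccy.app", {"CFBundleIdentifier": "org.example.clipboard"})
    return scan_bundles(root)
```

Pointing scan_bundles() at ~/Applications, /Applications and the per-user Library folders surfaces the lookalike bundles; a hit on the known identifiers is high confidence, the other two reasons are triage hints.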
