
In brief
- Jamf Threat Labs has identified a new Rust-based macOS information stealer that poses as the Maccy clipboard manager.
- The malware verifies the validity of victims’ passwords through macOS PAM before stealing them.
- Researchers also discovered ClickFix-style malware delivered through a sponsored ad on X.
Mac users searching for the open-source clipboard manager Maccy are being targeted by a fake version of the app that installs a new Rust-based information stealer dubbed PamStealer, according to cybersecurity firm Jamf Threat Labs. If successful, the malware can steal users’ passwords and crypto wallet keys.
In a report published on Thursday, Jamf Threat Labs said the campaign used a lookalike site to distribute a disk image containing a malicious AppleScript file called Maccy.scpt. When the file is opened, it displays instructions telling users to run it in Apple’s Script Editor, with the malicious code hidden at the bottom of the document.
“We are tracking this malware under the name PamStealer after one of its primary behaviors: validating the victim’s login password through macOS Pluggable Authentication Modules (PAM) before harvesting it,” Jamf Threat Labs wrote.
From there, the malware uses JavaScript for Automation and native macOS APIs to download the second-stage payload without relying on common shell utilities like curl or zsh, reducing the number of processes that security tools can monitor.
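A triage check for the delivery trick described above, added here as an example and not taken from Jamf's report: it flags decompiled script text in which code sits below a long run of blank lines and notes JavaScript for Automation or Foundation markers in that hidden part. The blank-line threshold, the marker list and both samples are assumptions constructed for the illustration; a compiled .scpt file would first need decompiling, for example with `osadecompile`.

```python
# Assumed indicators of JavaScript for Automation / native API use in script
# source. These are real JXA and Foundation names picked for this example;
# the strings used by the actual sample are not on the page.
NATIVE_MARKERS = ("ObjC.import", "NSURLSession", "NSData", "NSTask", 'in "JavaScript"')
MIN_GAP = 20  # assumed threshold: blank lines needed to push code out of view


def triage_script(source: str, min_gap: int = MIN_GAP) -> dict:
    """Flag decompiled script text whose code sits below a long blank gap."""
    lines = source.splitlines()
    best_len, best_end, run = 0, 0, 0
    for i, line in enumerate(lines):
        if line.strip():
            run = 0
            continue
        run += 1
        if run > best_len:
            best_len, best_end = run, i + 1  # first line after the longest gap
    tail = lines[best_end:] if best_len >= min_gap else []
    # Code in the tail: anything that is not blank and not a comment opener.
    code = [l for l in tail
            if l.strip() and not l.lstrip().startswith(("--", "#", "(*"))]
    markers = sorted({m for m in NATIVE_MARKERS for l in code if m in l})
    return {
        "gap_lines": best_len,
        "hidden_code_lines": len(code),
        "native_markers": markers,
        "suspicious": bool(code),
    }


# Constructed samples (not taken from the report).
BENIGN = 'tell application "Finder"\n\n    activate\nend tell\n'
PADDED = (
    "-- To install, press the Run button in Script Editor\n"
    + "\n" * 40
    + 'run script "ObjC.import(\'Foundation\'); /* placeholder */" in "JavaScript"\n'
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("padded", PADDED)):
        print(name, triage_script(sample))
```

A hit is a reason to read the whole script before running it, not a verdict; multi-line `(* ... *)` comment bodies are counted as code by this simple filter.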
“With multiple hijackers, we’ve seen attackers purchase ad space on Google to lure users to the malicious app. We’ve recently noticed malicious ads being hosted on X as well,” Jaron Bradley, director of Jamf Threat Labs, told Decrypt. “These social engineering techniques have proven to be very successful.”
According to the report, the second stage is a Rust-based binary built for Apple Silicon Macs that disguises itself as Finder or Software Update.
“Instead of storing its configuration in clear text, the dropper derives a key from the host’s fingerprint — including its CPU architecture, local language, keyboard layout, and time zone — and uses it to open an integrity-verified encrypted configuration containing the payload URL and installation path,” the company said.
Once installed, the malware can steal browser credentials and Keychain data, monitor clipboard contents, verify persistence, and send stolen information to a remote command-and-control server over encrypted connections. If it cannot verify that it is running on the intended target, it quietly shuts itself down.
The malware also attempts to expand its reach by displaying a fake Finder alert asking users to grant Full Disk Access. The prompt can appear up to 40 minutes after infection, making it less likely that users will associate it with the original download. If approved, the malware can access protected data, including mail, messages, and Time Machine backups.
According to Bradley, Jamf has observed no evidence that PamStealer is active in the wild; however, the company informed Apple of its findings. Apple did not immediately respond to a request for comment from Decrypt.
Jamf said it is seeing similar social engineering techniques spreading to other platforms.
Last week, the company said it was investigating a sponsored ad on
“The ad was delivered by an X verified account, adding another layer of trust to social engineering,” the company wrote. “Payload analysis revealed a new version of the Atomic (MacSync) Stealer.”
These findings come as attackers increasingly disguise malware as legitimate software and abuse trusted developer platforms and advertising channels. Recent campaigns have included a fake OpenAI software repository that reached the top of the trending Hugging Face projects before distributing a Rust-based information stealer, a malicious Visual Studio Code extension that GitHub said exposed nearly 3800 internal repositories, and the Immortality tea software supply chain campaign targeting development tools used by AI companies including… OpenAI and Mistral AI.





