PamStealer: a fake Maccy site and a PAM prompt is all this Mac stealer needs
Jamf Threat Labs disclosed a new macOS credential stealer today that impersonates the Maccy clipboard app, validates the victim's login password against PAM in real time, and exfiltrates keychain and browser data. Apple Silicon only. Here's what defenders should do.
If your fleet includes Macs and you don’t already block maccyapp[.]com and avenger-sync[.]live, add both to your DNS sinkhole today. Jamf Threat Labs disclosed a new macOS infostealer called PamStealer this morning, and the pattern is one endpoint teams should recognize on sight: fake download page for a real open-source utility, compiled AppleScript dropper, native-looking password prompt, everything gone in a few minutes.
Jamf’s Thijs Xhaflaire published the writeup on July 3. This is a fresh disclosure, not a re-tread of an older family with a new name.
What changed
Three specifics worth pulling out of the report.
The lure targets a real, popular tool. Maccy is a legitimate open-source clipboard manager by Alex Rodionov — the kind of small-utility category where users are used to grabbing a .dmg from the developer’s site without a second thought. The attacker registered the near-miss domain maccyapp[.]com (the real one is maccy[.]app) and serves a compiled AppleScript payload from it. That is the entire delivery mechanism — no exploit, no privilege escalation trick, just a typosquat and a signed-looking installer.
The password prompt is validated against PAM. Once the AppleScript stage runs, PamStealer pops a native-looking SecurityAgent-style prompt asking for the user’s macOS login password. This is what earns it its name: rather than just capturing whatever the victim types and hoping it’s correct, the stealer calls the Pluggable Authentication Modules (PAM) API and cross-checks the entered password against the real one. Wrong password? The prompt re-appears. The attacker doesn’t ship exfiltrated garbage — they ship a confirmed-good credential.
The payload is Rust, and it’s Apple-Silicon-only. The second stage — pulled down after the AppleScript primes the box — is a Rust binary that harvests browser-saved credentials, cryptocurrency wallet browser extensions, iCloud Keychain data, and clipboard contents, encrypts the haul, and ships it to avenger-sync[.]live. Jamf notes the binary is compiled for arm64 only. Intel Macs are outside the target set on this campaign — for now.
There’s also geofencing. The stealer bails out on hosts in Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia. That’s a familiar signal about who is running the campaign; treat it as attribution-adjacent, not proof of anything specific.
What to actually do
This week, endpoint and detection teams:
- Sinkhole or block maccyapp[.]com and avenger-sync[.]live at your DNS resolver and any egress proxies. These are the two atomic IOCs from Jamf’s writeup; if you have a threat-intel feed subscription, the full set will land there over the next 24 hours.
- Check DNS logs for the last 30 days for either domain. A hit is a compromised endpoint, not a curiosity — treat it as a full credential rotation for the affected user.
- If you run an EDR that hashes AppleScript-compiled .scpt payloads, pull Jamf’s IOC list once they publish it and load the hashes.
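An added example of the DNS-log check above (this is not code from Jamf’s writeup or from the coverage): it refangs the two domains as printed in this post, matches exact hosts and their subdomains but not look-alike substrings, applies the 30-day lookback, and lists the clients whose users need a credential rotation. The resolver log format, timestamps and client IPs are constructed assumptions; adjust LOG_RE to your own resolver.

```python
import re
from datetime import datetime, timedelta, timezone
# The two domains named in Jamf's writeup, kept defanged exactly as the post prints them.
PAMSTEALER_DOMAINS = ["maccyapp[.]com", "avenger-sync[.]live"]

# Constructed "now" and a hypothetical resolver-log format; adjust LOG_RE to your resolver.
NOW = datetime(2025, 7, 3, 12, 0, tzinfo=timezone.utc)
LOG_RE = re.compile(r"^(?P<ts>\S+) client (?P<client>[\d.]+) query: (?P<qname>\S+)$")

# Constructed sample lines: two real hits, the legitimate maccy.app, a stale hit, a look-alike.
SAMPLE_LOG = [
    "2025-07-02T09:14:03+00:00 client 10.0.4.17 query: maccyapp.com",
    "2025-07-02T09:14:05+00:00 client 10.0.4.17 query: api.avenger-sync.live",
    "2025-07-01T18:22:40+00:00 client 10.0.4.31 query: maccy.app",
    "2025-05-20T11:00:00+00:00 client 10.0.4.88 query: maccyapp.com",
    "2025-07-02T10:00:00+00:00 client 10.0.4.52 query: notmaccyapp.com",
]

def refang(indicator):
    """Turn a defanged indicator ('maccyapp[.]com') into a matchable hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

def matches_ioc(qname, iocs):
    """Return the IOC that qname equals or is a subdomain of; substring hits do not count."""
    host = qname.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def find_hits(log_lines, iocs, now=NOW, window_days=30):
    """Return (client, qname, ioc) for every IOC lookup inside the last window_days."""
    cutoff = now - timedelta(days=window_days)
    refanged = [refang(i) for i in iocs]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a query line in the assumed format
        if datetime.fromisoformat(m["ts"]) < cutoff:
            continue  # older than the lookback window
        ioc = matches_ioc(m["qname"], refanged)
        if ioc:
            hits.append((m["client"], m["qname"], ioc))
    return hits

def clients_to_rotate(hits):
    """Unique client IPs whose users need a full credential rotation."""
    return sorted({client for client, _, _ in hits})
```

Running `find_hits(SAMPLE_LOG, PAMSTEALER_DOMAINS)` on the constructed lines returns the two July lookups from 10.0.4.17 and ignores the legitimate maccy.app query, the look-alike domain, and the lookup outside the window.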
This week, IT and helpdesk:
- Push a short note to your Mac users: if they installed Maccy in the last week, verify the download source and reinstall from maccy.app if in any doubt. It’s a common enough utility on developer laptops that you should assume you have installs to check.
- Anyone whose Mac showed either of the two blocked domains: password rotation on the local account, iCloud account, browser-saved credentials, and any crypto wallet extensions. The stealer is fast; assume anything the user had access to is in the attacker’s hands the moment the fake prompt was answered correctly.
Longer arc, security engineering:
- If your fleet policy allows Gatekeeper-bypass installs (a lot do, because developer tooling requires it), this is a good week to look at whether that carve-out is still worth the tradeoff. PamStealer’s dropper is a compiled AppleScript — Gatekeeper prompts on it, users click through. That is the failure mode the disclosure documents.
- MDM policy: consider requiring notarized-only installs on non-developer machines. It won’t stop everything, but it kills this specific delivery pattern.
Priority call
This isn’t a KEV-tier “patch or be compromised by Friday” story — there’s no vulnerability to patch and no exploit chain, just a social-engineering delivery of commodity theft. But it belongs high on the endpoint queue because the abuse of PAM to validate credentials in real time raises the fidelity of what an attacker walks away with. A stealer that confirms it has the right password before exfiltrating is worse than one that guesses.
If you have to pick between chasing this and the Kemp LoadMaster PoC that landed on the internet last week, patch LoadMaster first. Anything with a public pre-auth RCE on an internet-exposed appliance beats a stealer-of-the-week. Get to the DNS blocks by end of day tomorrow.
Sourcing
- The Hacker News: PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords
- Jamf Threat Labs (researcher writeup credited to Thijs Xhaflaire, per the coverage above)
- Legitimate Maccy project: maccy.app