A Fake Utility App Is the Trojan Horse
A previously undocumented piece of macOS malware has surfaced, and its design separates it from the usual crop of Mac threats. Researchers discovered the malware – now named PamStealer – delivered inside a disk image that impersonates Maccy, a legitimate and widely used clipboard manager for macOS. The disguise is deliberate: Maccy is the kind of low-profile productivity tool that a developer or power user might download without a second thought, making it an effective cover for something far more damaging underneath.
PamStealer operates in two distinct stages, each engineered to avoid detection before the next kicks in.
The first stage lives inside that fake Maccy disk image. It is a compiled AppleScript (.scpt), a format that looks innocuous on the surface, especially to anyone who uses macOS automation regularly. Double-clicking a .scpt does not run it: macOS opens it in Script Editor, the system's native scripting environment, so the lure still depends on the victim pressing Run. The malicious code sits far down in the file, well past the point where a casual scroll through the script would raise alarms. Neither element is new on its own, since disk images and AppleScript are both common in Mac malware, but the specific combination is what researchers flagged as unusual: stitched together this way, the execution chain is quieter than what is typically seen. It also leaves a simple check for defenders. A clipboard manager ships as an application bundle, so a disk image for one that contains a script file at all is already out of place.

How PamStealer Actually Steals Your Password
Once the first stage executes, it drops and launches the second stage: a custom infostealer written in Rust. The name PamStealer comes directly from how this payload works. It calls into Pluggable Authentication Modules (PAM), the legitimate authentication framework built into macOS and used by login and sudo. PAM does not hand out a password; given an account name and a candidate password it answers whether the pair is correct. That is the point of using it. Rather than guessing, or forwarding whatever it captured unverified, the malware can confirm that the credential it holds really is the user's login password before doing anything with it, so there are no repeated failed attempts that might trip an alert and no bogus password is shipped to the attacker.
After validation, the stolen login password is sent to an attacker-controlled server. The entire flow – from fake clipboard app to Rust-based stealer to credential exfiltration – is designed to leave as small a trace as possible at each step.
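To make the validation step concrete, here is the PAM primitive in Python via ctypes. This is an added example, not PamStealer's code and not from the researchers' analysis; it shows what PAM can and cannot do for a caller that already holds a candidate password. Assumptions: libpam is loadable by name (libpam.dylib on macOS, libpam.so.0 on Linux), a PAM service called "login" exists, and the conversation structures follow the OpenPAM/Linux-PAM layout (an array of pointers to messages, one calloc'ed array of responses that PAM frees).

```python
"""Checking a candidate password through PAM (added example, not PamStealer's code).

PAM never reveals a password. pam_authenticate() asks our conversation callback
for the secret and returns PAM_SUCCESS only if the account accepts it, which is
exactly the "confirm before exfiltrating" step described in the article.
Assumptions: libpam is findable by name and a "login" PAM service exists.
"""
import ctypes
import ctypes.util
import getpass
import sys

PAM_SUCCESS = 0
PAM_BUF_ERR = 5            # same value in Linux-PAM and OpenPAM
PAM_PROMPT_ECHO_OFF = 1    # a "Password:" style prompt; the only one that gets the secret
PAM_PROMPT_ECHO_ON = 2     # e.g. a username prompt
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    # resp is declared void* so we can hand PAM a strdup()ed C-heap pointer
    # that PAM, not Python, will free.
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


CONV_FUNC = ctypes.CFUNCTYPE(
    ctypes.c_int, ctypes.c_int, ctypes.POINTER(ctypes.POINTER(PamMessage)),
    ctypes.POINTER(ctypes.POINTER(PamResponse)), ctypes.c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def answer_prompts(styles, password):
    """Decision logic of the conversation callback, kept separate so it can be
    exercised without PAM: the secret goes only to echo-off prompts."""
    return [password if style == PAM_PROMPT_ECHO_OFF else "" for style in styles]


def pam_check_password(user, password, service="login"):
    """Return (ok, detail); ok is True only if PAM accepts the password."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
    libc.calloc.restype = ctypes.c_void_p
    libc.strdup.argtypes = [ctypes.c_char_p]
    libc.strdup.restype = ctypes.c_void_p
    pam_path = ctypes.util.find_library("pam")
    if pam_path is None:
        return False, "libpam not found"
    libpam = ctypes.CDLL(pam_path)
    libpam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                                 ctypes.POINTER(PamConv), ctypes.POINTER(ctypes.c_void_p)]
    libpam.pam_authenticate.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libpam.pam_end.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libpam.pam_strerror.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libpam.pam_strerror.restype = ctypes.c_char_p

    def conv(num_msg, msgs, resp_out, _appdata):
        styles = [msgs[i].contents.msg_style for i in range(num_msg)]
        block = libc.calloc(num_msg, ctypes.sizeof(PamResponse))
        if not block:
            return PAM_BUF_ERR
        responses = ctypes.cast(block, ctypes.POINTER(PamResponse))
        for i, reply in enumerate(answer_prompts(styles, password)):
            responses[i].resp = libc.strdup(reply.encode())
            responses[i].resp_retcode = 0
        resp_out[0] = responses
        return PAM_SUCCESS

    conv_struct = PamConv(CONV_FUNC(conv), None)   # keep alive for the whole call
    handle = ctypes.c_void_p()
    rc = libpam.pam_start(service.encode(), user.encode(),
                          ctypes.byref(conv_struct), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        return False, libpam.pam_strerror(handle, rc).decode()
    rc = libpam.pam_authenticate(handle, 0)
    detail = libpam.pam_strerror(handle, rc).decode()
    libpam.pam_end(handle, rc)
    return rc == PAM_SUCCESS, detail


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else getpass.getuser()
    ok, detail = pam_check_password(user, getpass.getpass(f"Password for {user}: "))
    print("valid" if ok else "rejected", "-", detail)
```

Note what the conversation callback shows: the caller supplies the candidate, and PAM only grades it. The defender's corollary is that an unsigned or unfamiliar process loading libpam and calling pam_authenticate outside the system's own login, sudo and screen-unlock paths is a strong signal on its own, whatever the process is written in.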

Writing the second-stage payload in Rust is itself a meaningful choice. Rust binaries are slower to reverse-engineer than those built from scripting languages or older compiled toolchains: the standard library is statically linked, generic code is monomorphized into many near-identical functions, symbol names are mangled, and the result is a large binary in which the attacker's own logic is a small fraction. Static, signature-based tools also have less to work with, partly because Rust is still relatively new in the malware ecosystem and partly because its compiled output looks structurally different from the C and Objective-C binaries most macOS detection content was written against. Behavioural detection is indifferent to the source language, which is why imported symbols and runtime actions (a process that authenticates through PAM and then opens a network connection) remain the more durable signal. For attackers building tools meant to stay under the radar, Rust has quietly become a preferred option.
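The two file-level checks that follow from the description above, as an added triage script (mine, not the researchers' tooling and not anything recovered from PamStealer): a compiled AppleScript is recognised by its "FasdUAS" magic rather than its extension, and a Mach-O executable is flagged when its raw bytes reference libpam's pam_start or pam_authenticate, a footprint a PAM-validating stealer leaves regardless of the language it was compiled from. The sample image in build_sample_image() is constructed here so the script runs offline; its file names are invented.

```python
"""Static triage of a mounted or extracted macOS disk image (added example).

Walks a directory, tags compiled AppleScript files and Mach-O binaries, and
flags Mach-O files whose string table references PAM authentication symbols.
The sample image below is constructed, not a real capture.
"""
import os
import tempfile

APPLESCRIPT_MAGIC = b"FasdUAS"          # header of a compiled .scpt
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit Mach-O, either byte order
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit Mach-O, either byte order
    b"\xca\xfe\xba\xbe",                         # universal (fat) binary; also Java .class, so treat as a hint
}
PAM_MARKERS = (b"pam_start", b"pam_authenticate")


def classify_file(path):
    """Return a set of tags for one file: 'applescript', 'macho', 'pam-import'."""
    tags = set()
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(APPLESCRIPT_MAGIC):
        tags.add("applescript")
    elif data[:4] in MACHO_MAGICS:
        tags.add("macho")
        # Imported symbol names sit in the Mach-O string table as plain text
        # (with a leading underscore), so a byte search is enough for triage.
        if any(marker in data for marker in PAM_MARKERS):
            tags.add("pam-import")
    return tags


def triage_image(root):
    """Walk an extracted image; return {relative path: sorted tags} for files of interest."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            tags = classify_file(full)
            if tags:
                findings[os.path.relpath(full, root)] = sorted(tags)
    return findings


def verdicts(findings):
    """Turn tags into reviewer-facing reasons; either finding alone is worth a look."""
    reasons = []
    for path, tags in sorted(findings.items()):
        if "applescript" in tags:
            reasons.append(f"{path}: compiled AppleScript inside an app disk image")
        if "pam-import" in tags:
            reasons.append(f"{path}: Mach-O referencing PAM authentication symbols")
    return reasons


def build_sample_image(root):
    """Constructed sample (not a real capture): a decoy script, a hidden second
    stage that references libpam, a benign Mach-O and a text file."""
    files = {
        "Maccy Installer.scpt": b"FasdUAS 1.101.10" + b"\x00" * 64,
        ".stage/updater": b"\xcf\xfa\xed\xfe" + b"\x00" * 32
            + b"/usr/lib/libpam.2.dylib\x00_pam_start\x00_pam_authenticate\x00",
        "Maccy.app/Contents/MacOS/Maccy": b"\xcf\xfa\xed\xfe" + b"\x00" * 32 + b"_NSPasteboard\x00",
        "README.txt": b"drag Maccy to Applications\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


def demo():
    """Build the constructed sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = triage_image(build_sample_image(tmp))
    return findings, verdicts(findings)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Point it at a mounted image (hdiutil attach, then the /Volumes path) or at an extracted copy. The byte search is a deliberate shortcut: it will also catch a legitimate tool that links libpam, so treat a hit as a reason to open the binary, not as a verdict.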
What This Means for How You Think About Mac Security
The conventional wisdom that Macs are inherently safer than other platforms has eroded steadily over the past several years, and PamStealer fits that pattern precisely. The malware doesn’t exploit a zero-day vulnerability or require the user to disable any security settings. It relies on a user downloading what looks like a useful productivity app, and on macOS’s own built-in tools – Script Editor, PAM – doing exactly what they’re supposed to do. There’s no system error. Everything works as designed, just not in the user’s interest.
The impersonation of Maccy as the delivery vehicle is also worth sitting with. Maccy is an open-source clipboard manager with a genuine user base, distributed through its GitHub releases and Homebrew as well as the Mac App Store. It is the sort of app someone finds through a forum recommendation or a productivity blog, and users who then go looking for a download outside the App Store are exactly the population most likely to land on a fake disk image. Attackers choosing that specific app as their mask were not guessing; they were targeting a distribution gap.

PamStealer is still being analyzed, and its full distribution scope isn’t yet known. But the architecture – two stages, AppleScript loader, Rust infostealer, PAM-based credential validation – represents a level of deliberate construction that puts it in a different category from opportunistic Mac threats. The question researchers haven’t answered publicly yet is who built it, and whether the attacker-controlled server receiving those stolen passwords has already been receiving them for longer than anyone currently knows.