PamStealer's two-stage delivery and Maccy lookalike lures
Researchers at Jamf Threat Labs identified PamStealer as a two-stage macOS information stealer delivered through lookalike download sites. The initial lure is a compiled AppleScript (.scpt) file named "Maccy.scpt" distributed inside a disk image obtained from imitation domains such as maccyapp[.]com — a mimic of the legitimate project site maccy[.]app. The AppleScript contains a self-contained JavaScript for Automation (JXA) downloader that uses native Objective-C APIs to fetch and stage a secondary payload.
Rust-based second stage masquerading and data targets
When the dropper succeeds, it downloads a Mach-O binary written in Rust that masquerades as the Finder app. Jamf reports the Rust-based infostealer is capable of credential theft, browser data collection, harvesting cryptocurrency wallet extensions, extracting iCloud Keychain items, and capturing clipboard content. Captured material is encrypted and exfiltrated over HTTP to attacker-controlled infrastructure at avenger-sync[.]live.
PAM-based password capture and the faux Gatekeeper message
The stealer implements a native password prompt that solicits the victim's system password and then validates the entered credential through the macOS Pluggable Authentication Modules (PAM) API. If validation fails, the prompt asks the user to re-enter the password and repeats until a correct password is supplied. According to Jamf, "Once a valid password is captured, the stealer shows a second, counterfeit alert: 'Maccy is damaged and can't be opened. You should move it to the Trash,' a close copy of the genuine Gatekeeper message." Jamf added that the decoy appears only after the payload has run, captured the password, and registered for persistence, serving to encourage the victim to discard the lure.
Environment checks: Apple Silicon fingerprinting and regional exclusions
The AppleScript dropper is environment-aware. It derives a decryption key from a host fingerprint — taking into account CPU architecture, locale, keyboard layout, and time zone — to unlock an encrypted configuration containing the payload URL and install path. On Intel-based Macs the derived key differs and fails to decode the configuration, causing the dropper to terminate. The script also avoids execution in sandboxed or analysis environments and on systems whose time zone, system locale, and keyboard input resolve to countries in Eastern Europe, listing Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia.
Persistence mechanism and mimicry of macOS components
Alongside the Rust infostealer, Jamf observed a small arm64 Mach-O embedded within the binary that impersonates macOS System Settings and is used to establish persistence. The overall chain — an AppleScript JXA downloader, a Rust Mach-O posing as Finder, a native password prompt validated via PAM, and a counterfeit Gatekeeper-style error message — results in what Jamf characterized as "a quieter execution chain" than is typical for commodity macOS stealers.
What this means for technologists, end users, and the Maccy developer
- Technologists and security teams: Watch for disk-image distribution of compiled AppleScript files named to mimic legitimate apps, JXA-based downloaders using Objective-C APIs, Rust Mach-O binaries masquerading as Finder or System Settings, and outbound HTTP exfiltration to domains such as avenger-sync[.]live. Jamf's analysis highlights the combined use of native macOS features and environment fingerprinting to evade detection.
- End users: The attack flow includes a native-looking, repeating password prompt validated via PAM and a later Gatekeeper-style decoy message designed to convince victims the download was corrupted. Users encountering unfamiliar Script Editor prompts or repeated password requests tied to newly downloaded apps should treat those interactions with caution.
- Maccy developer and open-source projects: Alex Rodionov, the developer of Maccy, posted a warning on the project's website and GitHub repository: "Beware of fake websites impersonating Maccy. Malicious sites (such as maccyapp[.]net and maccyapp[.]com) distribute malware disguised as Maccy. maccy.app is the only official website." The warning underlines the reputational and operational risk that impersonation-based campaigns pose to open-source maintainers.
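The detection pointers above for technologists and security teams can be turned into a small triage routine. The following is an added example written for this page, not code from Jamf or the Maccy project: it scans JSON-lines endpoint telemetry for three indicators the report names (a compiled .scpt lure opened from a mounted disk image, a process calling itself Finder or System Settings that is not running from Apple's system directories, and connections to the defanged lookalike and exfiltration domains quoted in the article). The event schema, the field names, and every sample event (including the file paths) are assumptions constructed for illustration.

```python
"""Triage constructed macOS endpoint telemetry for the PamStealer indicators
described in the Jamf write-up. The event format (JSON lines with a "type"
field) is an assumption for illustration, not any vendor's schema."""
import json

# Indicators taken from the report, kept in the defanged form it was published in.
DEFANGED_DOMAINS = ["avenger-sync[.]live", "maccyapp[.]com", "maccyapp[.]net"]

# Locations where the genuine Finder and System Settings binaries live.
TRUSTED_PREFIXES = ("/System/Library/CoreServices/", "/System/Applications/")
IMPERSONATED_NAMES = {"Finder", "System Settings"}


def refang(domain):
    """Turn a defanged indicator such as maccyapp[.]com into a matchable hostname."""
    return domain.replace("[.]", ".")


KNOWN_BAD_HOSTS = {refang(d) for d in DEFANGED_DOMAINS}


def check_event(ev):
    """Return a list of finding strings for one telemetry event (a dict)."""
    findings = []
    kind = ev.get("type")
    if kind == "file_open":
        # A compiled AppleScript run straight from a mounted .dmg matches the lure stage.
        path = ev.get("path", "")
        if path.lower().endswith(".scpt") and path.startswith("/Volumes/"):
            findings.append(f"compiled AppleScript opened from mounted disk image: {path}")
    elif kind == "process_exec":
        # A binary named like a system component but living elsewhere matches the masquerade.
        name, path = ev.get("name", ""), ev.get("path", "")
        if name in IMPERSONATED_NAMES and not path.startswith(TRUSTED_PREFIXES):
            findings.append(f"process named {name!r} running outside Apple system paths: {path}")
    elif kind == "network":
        # Exact host or any subdomain of a reported lookalike / exfiltration domain.
        host = ev.get("host", "").lower().rstrip(".")
        if host in KNOWN_BAD_HOSTS or any(host.endswith("." + h) for h in KNOWN_BAD_HOSTS):
            findings.append(f"connection to reported lookalike/exfil domain: {host}")
    return findings


def triage(lines):
    """Parse JSON-lines telemetry; return (line_index, finding) pairs, skipping bad lines."""
    results = []
    for i, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        for finding in check_event(ev):
            results.append((i, finding))
    return results


# Constructed sample telemetry (hypothetical paths and hosts, not captured data).
SAMPLE_TELEMETRY = [
    '{"type": "file_open", "path": "/Volumes/Maccy/Maccy.scpt", "process": "Script Editor"}',
    '{"type": "process_exec", "name": "Finder", '
    '"path": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"}',
    '{"type": "process_exec", "name": "Finder", "path": "/Users/victim/Library/Caches/Finder"}',
    '{"type": "network", "host": "avenger-sync.live", "proto": "http"}',
    '{"type": "network", "host": "maccy.app", "proto": "https"}',
    '{"type": "process_exec", "name": "System Settings", "path": "/tmp/System Settings"}',
    'not json at all',
]

if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_TELEMETRY):
        print(f"event {idx}: {finding}")
```

Of the seven constructed lines, four are flagged: the .scpt opened from /Volumes, the Finder and System Settings processes outside system paths, and the connection to avenger-sync.live. The genuine Finder path and the legitimate maccy.app host are left alone, and the malformed line is skipped rather than aborting the run. Indicators are held defanged and refanged only at match time, so a copied list from a report can be pasted in unchanged.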
Jamf summed up the technical trend plainly: "Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features." The PamStealer chain — lookalike sites, an AppleScript/JXA dropper, a Rust infostealer, PAM-based credential validation, and a Gatekeeper-style decoy — links familiar macOS behaviors into a novel, layered attack designed to both harvest credentials and disguise its tracks.
Original reporting: The Hacker News