PamStealer represents a significant evolution in macOS credential theft. Unlike typical infostealers that blindly exfiltrate whatever password they capture, PamStealer validates the target's login password locally using macOS's Pluggable Authentication Modules (PAM) before sending it to an attacker-controlled server. This ensures attackers only receive verified credentials, reducing noise and increasing the success rate of subsequent attacks.
Discovered by Jamf researchers, the malware is delivered in two stages. The first stage masquerades as the Maccy clipboard manager inside a disk image. When the user double-clicks the AppleScript file, they are prompted to press Command-R immediately, which bypasses the com.apple.quarantine attribute and executes malicious code directly in the Script Editor. The AppleScript then runs a self-contained JavaScript for Automation (JXA) downloader that retrieves the second stage—a Rust-written Mach-O binary for Apple Silicon.
How PamStealer Validates Passwords
The second stage displays a native-looking password prompt: "Maccy wants to make changes. Enter your password to allow this." Once the user enters their password, PamStealer validates it through the PAM API—without spawning any external processes like dscl or security. This makes detection significantly harder. If the password is incorrect, the prompt reappears until the correct one is entered. Only then does the malware display a decoy message stating the file is damaged, while the verified password is sent to the attacker.
Jamf researchers noted: "This check is done entirely through PAM: there is no call out to dscl, security, osascript or any spawned process to verify the password, as many commodity macOS stealers do."
Strategic Implications for Enterprise Security
PamStealer's use of PAM for local validation signals a shift toward more sophisticated, quieter execution chains. By validating credentials locally, attackers reduce the risk of detection during exfiltration and ensure they only collect actionable passwords. This increases the efficiency of follow-on attacks such as lateral movement, privilege escalation, or data theft.
For enterprise security teams, this means traditional endpoint detection and response (EDR) solutions that rely on process monitoring may miss PamStealer's password capture routine entirely. The malware also delays requests for Full Disk Access by up to 40 minutes, further evading behavioral analysis that correlates suspicious activity with application launch times.
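As an added illustration (not code from the Jamf report or the malware itself), the snippet below replays a few constructed endpoint events through three toy detection rules. It shows the two gaps described above: a rule keyed on helper-process spawning never sees an in-process PAM check, and a rule keyed on a short launch-to-permission window never sees a Full Disk Access request delayed by 40 minutes. The event schema, process names and timestamps are assumptions made up for this example.

```python
# Constructed endpoint events replayed through three toy detection rules.
# Event schema, pids, names and timestamps are assumptions for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: int       # seconds since boot (constructed)
    kind: str    # "exec", "auth_prompt" or "tcc_request"
    pid: int
    ppid: int
    name: str

# pid 501: commodity stealer that prompts, then shells out to dscl to verify.
# pid 502: PamStealer-like process that prompts, verifies in-process via PAM,
#          and asks for Full Disk Access 40 minutes after launch.
EVENTS = [
    Event(0,            "exec",        501, 1,   "FakeApp"),
    Event(5,            "auth_prompt", 501, 1,   "FakeApp"),
    Event(6,            "exec",        777, 501, "dscl"),
    Event(100,          "exec",        502, 1,   "Maccy"),
    Event(105,          "auth_prompt", 502, 1,   "Maccy"),
    Event(100 + 40*60,  "tcc_request", 502, 1,   "Maccy"),
]

HELPERS = {"dscl", "security", "osascript"}

def spawn_based_rule(events):
    """Flag a process that shows a password prompt and then spawns one of the
    usual credential-checking helpers. Blind to an in-process PAM check."""
    prompted = {e.pid for e in events if e.kind == "auth_prompt"}
    return {e.ppid for e in events
            if e.kind == "exec" and e.name in HELPERS and e.ppid in prompted}

def launch_window_rule(events, window):
    """Flag a TCC request made within `window` seconds of process launch."""
    launched = {e.pid: e.t for e in events if e.kind == "exec"}
    return {e.pid for e in events if e.kind == "tcc_request"
            and e.pid in launched and e.t - launched[e.pid] <= window}

def prompt_then_tcc_rule(events):
    """Flag any process that showed a password prompt and later requested TCC
    access, however long it waited: correlate on identity, not on time."""
    prompted = {e.pid for e in events if e.kind == "auth_prompt"}
    return {e.pid for e in events if e.kind == "tcc_request" and e.pid in prompted}
```

With a 5-minute window the delayed request is missed entirely; widening the window or correlating on the prompting process's identity is what surfaces it.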
Who Gains and Who Loses
Winners: Cybersecurity vendors offering advanced macOS threat detection, especially those using behavioral analysis and PAM monitoring. Cryptocurrency wallet providers may see increased demand for hardware wallets and multi-factor authentication as PamStealer targets Ethereum accounts.
Losers: macOS users, particularly in enterprise environments and those holding cryptocurrency, face elevated risk of credential theft and financial loss. Apple's reputation may suffer as malware bypasses built-in protections like Gatekeeper and permission prompts. The open-source Maccy clipboard manager could see reduced trust due to impersonation.
Market Impact and Future Trends
PamStealer's use of Rust for the second stage is relatively uncommon among macOS infostealers, which typically use Swift, Go, or Objective-C. This may signal a broader adoption of Rust for cross-platform malware development. Additionally, the PAM-based validation technique could be adapted to other Unix-like systems, expanding the attack surface.
Security vendors will likely update detection rules for JXA downloaders, Rust Mach-O binaries, and delayed permission requests. Apple may also strengthen PAM security or add alerts for unexpected password prompts. However, as Jamf researchers concluded: "Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features."
Intelligence FAQ
PamStealer uses macOS's Pluggable Authentication Modules (PAM) API to verify the password locally, without spawning external processes, ensuring only correct passwords are exfiltrated.
Its use of PAM for local validation, a Rust-based second stage, and delayed permission requests (up to 40 minutes) make it stealthier and harder to detect than typical infostealers.