
Fake Maccy app spreads password-stealing malware
- Jamf Threat Labs identified a fake version of the Maccy clipboard manager that installs a new Rust-based macOS malware called PamStealer.
- The malware validates user passwords before stealing credentials, crypto wallet data and other sensitive information from infected Macs.
- Researchers also warned that attackers are increasingly using sponsored advertisements and fake software websites to distribute malware.
Jamf Threat Labs has identified a fake version of the Maccy clipboard manager that distributes a new Rust-based macOS infostealer called PamStealer, which is designed to steal passwords, crypto wallet credentials and other sensitive user data.
The campaign uses a lookalike website hosting a malicious AppleScript file that instructs users to run it in Apple's Script Editor before downloading a second-stage malware payload designed for Apple Silicon Macs.
"We are tracking this malware under the name PamStealer after one of its core behaviors: validating the victim's login password through the macOS Pluggable Authentication Modules (PAM) before harvesting it," Jamf Threat Labs said.
Once installed, the malware can steal browser credentials and macOS Keychain data, monitor clipboard activity, establish persistence and communicate with remote command-and-control servers, while also displaying a fake Finder prompt requesting Full Disk Access to expand its permissions.
Jamf said it has not observed evidence that PamStealer is actively infecting users but has reported its findings to Apple, while researchers also identified a separate campaign using a sponsored advertisement on X to distribute another macOS infostealer known as Atomic Stealer.
Jamf Threat Labs Director Jaron Bradley said attackers are increasingly using trusted advertising platforms and social engineering techniques to convince users to install malicious software, including sponsored advertisements on X alongside traditional search advertising.
The findings add to a broader trend of cybercriminals disguising malware as legitimate software, with recent campaigns also targeting developer platforms, open-source repositories and software development tools used by artificial intelligence companies.