Summary
- Jamf Threat Labs has discovered a new Rust-based infostealer masquerading as the Maccy clipboard manager.
- This malware verifies victims' passwords using macOS PAM before exfiltrating them.
- Researchers have also detected ClickFix-type malware being spread through sponsored ads on X.
Users of macOS looking for the open-source clipboard manager Maccy are being targeted by a counterfeit version that installs a Rust-based infostealer known as PamStealer, as reported by cybersecurity firm Jamf Threat Labs. If successful, this malware could compromise users’ passwords and cryptocurrency wallet keys.
In a report released on Thursday, Jamf Threat Labs revealed that the campaign uses a lookalike website to distribute a disk image containing a malicious AppleScript file named Maccy.scpt. When opened, the file displays instructions for running it in Apple's Script Editor, while the harmful code is hidden further down in the document.
“We refer to this malware as PamStealer due to its primary function: verifying the victim’s login password through the macOS Pluggable Authentication Modules (PAM) before stealing it,” stated Jamf Threat Labs.
Subsequently, the malware utilizes JavaScript for Automation and native macOS APIs to download a secondary payload without depending on typical shell utilities like curl or zsh, which minimizes the visibility of its processes to security software.
“We have observed attackers buying Google Ad space to attract users to the malicious application. Recently, we have also detected harmful ads hosted on X,” noted Jamf Threat Labs Director Jaron Bradley in an interview with Decrypt. “These social engineering tactics have proven to be very effective.”
The report indicates that the second stage involves a Rust-based binary intended for Apple Silicon Macs, camouflaging itself as Finder or Software Update.
“Instead of keeping its configuration in plaintext, the dropper generates a key from a fingerprint of the host, including attributes like CPU architecture, locale, keyboard layout, and time zone, which it uses to decrypt an encrypted configuration that contains the payload URL and installation path,” the firm explained.
Once it is installed, the malware can extract browser credentials and Keychain information, monitor clipboard activities, maintain persistence, and send the stolen data to a remote command-and-control server through encrypted channels. If it cannot confirm that it is operating on its intended target, it will silently deactivate itself.
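One way a defender can hunt for the Finder and Software Update masquerading described above is to compare each process's executable name against where Apple's genuine binaries live. This is an added example, not code from Jamf's report; it assumes macOS `ps -axo pid=,comm=` prints the full executable path per process and that the legitimate binaries sit under /System/Library/CoreServices, and it runs against a constructed sample listing unless invoked with --live.

```shell
#!/bin/sh
# Flag processes named Finder or "Software Update" whose binary is not under
# Apple's system path. Assumption: on macOS, `ps -axo pid=,comm=` emits
# "<pid> <full path>" per line and genuine copies live under EXPECTED_DIR.
EXPECTED_DIR="/System/Library/CoreServices"

# Read "pid path" lines on stdin; print "pid path" for each masquerading match.
# `read -r pid path` keeps spaces inside the path (e.g. "Software Update").
flag_masquerades() {
  while read -r pid path; do
    [ -n "$path" ] || continue
    name=${path##*/}                      # basename of the executable
    case "$name" in
      Finder|"Software Update") ;;        # names PamStealer borrows
      *) continue ;;
    esac
    case "$path" in
      "$EXPECTED_DIR"/*) ;;               # legitimate Apple location: ignore
      *) printf '%s %s\n' "$pid" "$path" ;;
    esac
  done
}

# Constructed sample listing (not real output) to exercise the check offline.
SAMPLE='  101 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  202 /System/Library/CoreServices/Software Update.app/Contents/MacOS/Software Update
  303 /Users/alice/Library/Application Support/.cache/Finder
  404 /usr/bin/ssh-agent
  505 /private/tmp/Software Update'

# With --live on a Mac, scan the real process table; otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
  ps -axo pid=,comm= | flag_masquerades
else
  printf '%s\n' "$SAMPLE" | flag_masquerades
fi
```

Running it on the sample prints the two entries outside the Apple path (pids 303 and 505); a hit on a real Mac is a starting point for inspecting the binary's signature and launch path, not proof of infection on its own.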
The malware also seeks to broaden its access by presenting a fake Finder alert that requests users to provide Full Disk Access. This prompt may appear up to 40 minutes post-infection, reducing the likelihood that users will connect it to the initial download. If granted, the malware gains access to sensitive data, including Mail, Messages, and Time Machine backups.
Bradley stated that while Jamf has not found any proof that PamStealer is currently in use, the company has informed Apple of its findings. Apple did not immediately respond to a request for comment from Decrypt.
Jamf has noted that similar social engineering strategies are emerging on other platforms.
In a recent post on X, the company mentioned investigating a sponsored ad promoting DynamicLake that redirected users to dynamicmacisland[.]com, where they were instructed to open Terminal and execute an installation command.
“The advertisement was disseminated through a verified X account, adding an additional layer of trust to the social engineering,” the firm stated. “Analysis of the payload indicated it was a recent variant of the Atomic (MacSync) Stealer.”
These findings highlight how attackers are increasingly camouflaging malware as legitimate software while exploiting trusted developer platforms and advertising channels. Recent incidents include a counterfeit OpenAI repository that became popular on Hugging Face before distributing a Rust-based infostealer, a malicious Visual Studio Code extension that GitHub reported compromised around 3,800 internal repositories, and the Shai-Hulud software supply-chain campaign targeting development tools utilized by AI firms like OpenAI and Mistral AI.
