Introduction
Long regarded as a secondary target, macOS endpoints in enterprise environments have become active hunting grounds for cybercriminal groups. The discovery of PamStealer by researchers at Jamf Threat Labs marks a qualitative shift: macOS-targeting infostealers are no longer simply imitating their Windows counterparts. They are now developing techniques native to the Apple ecosystem—stealthier, and significantly harder to counter.
A Two-Stage Infection Engineered to Evade Defenses
PamStealer spreads by impersonating Maccy, a legitimate and widely used open-source clipboard manager for macOS. The victim downloads a disk image from a typosquatting domain and finds a compiled AppleScript file inside. This unassuming dropper then fetches a second component: a Mach-O binary written in Rust, which handles the actual data theft.
The choice of Rust is no accident. The language produces compact binaries that are difficult to analyze statically, and whose signatures don't reliably trigger traditional security tooling.
Validating Credentials Before Exfiltrating Them
PamStealer's most notable technique concerns credential handling. After presenting a fake authentication dialog—visually indistinguishable from a native Apple system prompt—the malware does not immediately transmit the password entered by the user. Instead, it first validates it locally by calling macOS's PAM (Pluggable Authentication Modules) API, without spawning any third-party process or invoking detectable system utilities. Only confirmed, valid credentials are then exfiltrated to the attacker's infrastructure.
Beyond the session password, the malware harvests browser databases, Keychain secrets, cryptocurrency wallet data, and clipboard content captured periodically via the pbpaste utility.
Carefully Layered Evasion
PamStealer deploys several mechanisms to stay under the radar. The fraudulent UI text incorporates homoglyphs—Cyrillic or Greek characters visually identical to their Latin equivalents—to bypass string-based detection rules. The malware's configuration is encrypted and only decrypted using a fingerprint of the host machine (CPU architecture, system language, keyboard layout, time zone), making out-of-context analysis largely inconclusive.
The Rust component loads Security.framework dynamically at runtime rather than linking it statically, concealing its capabilities from conventional binary analysis. The application also detects sandbox and analysis environments, and checks System Integrity Protection status before executing. Russian time zones and CIS countries are automatically excluded—a standard practice among groups seeking to avoid scrutiny from local authorities.
What IT and Security Teams Need to Take Away
PamStealer doesn't appear in isolation. Infostealers now represent the leading category of new malware targeting macOS, with a rise of more than 100% recorded across the final quarters of 2024. Families such as AMOS (Atomic macOS Stealer) are sold as turnkey services on private channels, accessible for as little as a few thousand dollars per month.
For CIOs and CISOs managing macOS fleets, this malware makes one thing concrete: Apple's platform security reputation is no longer a substitute for rigorous endpoint management. Detecting these threats requires behavioral visibility—monitoring unusual authentication calls, processes launched without a visible UI, and outbound connections to unknown domains—that conventional antivirus tools alone rarely deliver.
The question is no longer whether enterprise Macs will be targeted. It's how precisely, and how quickly, security teams can respond.

