PamStealer Discovered: A New Information-Stealing Malware Targeting macOS
Jamf researchers uncover PamStealer, a sophisticated macOS malware featuring PAM-based password verification, AppleScript execution, and Rust-based payloads.
A new information-stealing malware targeting macOS, named “PamStealer,” has been discovered and reported by the research team at the cybersecurity firm Jamf. The malware uses the Pluggable Authentication Modules (PAM) interface to check that the login password it has harvested from the victim is actually correct before transmitting it to an attacker-controlled server. That step has drawn attention across the industry as a telling example of how threats against macOS are evolving.
Two-Stage Delivery Mechanism
PamStealer employs a two-stage delivery chain. The first stage is a disk image disguised as the macOS clipboard manager “Maccy.” Instead of an app bundle, the disk image contains a compiled AppleScript (.scpt). Double-clicking it, as a user would to install Maccy, opens the script in macOS’s Script Editor, the default handler for .scpt files; the malicious code runs once the user runs the script from there.
Normally, files downloaded by a browser are tagged with the com.apple.quarantine extended attribute, and Gatekeeper checks a quarantined app or executable when it is launched. PamStealer sidesteps this by instructing the user to press Command+R (Script Editor’s “Run” shortcut) immediately after the file opens. The script then executes inside Apple’s own signed Script Editor process rather than as a launched application, so the checks that a quarantined app would trigger never apply to it. Jamf researchers noted, “This method of using a clickable .scpt file and the Script Editor is gradually being adopted in the macOS threat landscape.”
Self-Contained JXA Downloader
PamStealer’s first stage is unusual in that its downloader is written in JavaScript for Automation (JXA) and does its work through the Objective-C bridge, rather than shelling out to curl or zsh as most AppleScript droppers do. The JXA code is embedded within the AppleScript and calls native Objective-C (Foundation) APIs directly to fetch the second stage.
According to Jamf’s analysis, “When opened in the standard Script Editor, the AppleScript conceals its malicious functions deep within its file structure.” This design makes it harder for static signature-based detection mechanisms to identify the malware. Researchers have stated, “The use of a JXA downloader that does not rely on shell commands creates a stealthier execution chain compared to traditional macOS information-stealing malware.”
Rust-Implemented Second Stage
The second-stage payload is an information stealer written in Rust. It masquerades as the system process “Finder” and encrypts its traffic with the command-and-control (C2) server. It also holds back its Full Disk Access permission prompt for up to 40 minutes after launch, so the user is less likely to connect the dialog with the “installation” they just performed.
Rust is a deliberate choice, though not for the reasons usually given. Rust-compiled binaries are not smaller than their C equivalents; they are statically linked, aggressively inlined and full of monomorphized generic code, which leaves fewer recognizable library signatures for analysts and tooling and slows reverse engineering. Memory safety benefits the author’s own reliability rather than evasion. Jamf’s report noted, “PamStealer’s second stage demonstrates significant effort to minimize detection.”
Password Verification via PAM
The misuse of PAM (Pluggable Authentication Modules), from which the malware takes its name, is its most notable technique. PAM is the standard application-facing authentication framework on Unix-like systems; macOS ships an implementation (OpenPAM) that system components such as login, sudo and the screen-unlock dialog use to check a user’s password. PamStealer calls into the same framework to validate a stolen password locally before transmitting it to the attacker’s server.
This gives the attacker two things. First, invalid passwords are never sent, which keeps C2 traffic to a minimum. Second, every password that does reach the server is known to work, which raises the success rate of follow-on attacks such as account takeover. Jamf researchers remarked, “The workflow of locally verifying passwords through PAM before exfiltrating them is unprecedented among observed macOS information-stealing malware.”
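The PAM verification step described above, as an added example written for this article rather than PamStealer’s own code: a client supplies a conversation callback, PAM asks it for the password through that callback, and pam_authenticate reports whether the service stack accepted the pair. The example assumes a host with libpam (Linux-PAM or macOS’s OpenPAM) and uses the "login" service stack by default; that service name is an assumption, since the article does not say which PAM service the malware authenticates against.

```python
"""Verify a username/password pair locally through the PAM conversation API.

Added example written for this article; it is not PamStealer's code. It
assumes a host with libpam (Linux-PAM or macOS's OpenPAM) and uses the
"login" service stack by default, which is an assumption: the article does
not say which PAM service the malware asks to authenticate against.
"""
import ctypes
from ctypes import CFUNCTYPE, POINTER, Structure, c_char_p, c_int, c_size_t, c_void_p
from ctypes.util import find_library

# Message styles are identical in Linux-PAM and OpenPAM. Other status codes
# (PAM_AUTH_ERR, PAM_CONV_ERR, ...) differ between the two, so only
# PAM_SUCCESS is compared below.
PAM_SUCCESS = 0
PAM_PROMPT_ECHO_OFF = 1  # password prompt: reply with the secret
PAM_PROMPT_ECHO_ON = 2   # visible prompt, normally the login name
PAM_ERROR_MSG = 3        # informational: reply with an empty string
PAM_TEXT_INFO = 4


def answer_prompts(styles, password, username):
    """Pure-Python half of the conversation: one reply per prompt, in order.

    PAM hands the client a batch of messages and expects exactly one
    pam_response for each; only echo-off prompts receive the password.
    """
    replies = []
    for style in styles:
        if style == PAM_PROMPT_ECHO_OFF:
            replies.append(password)
        elif style == PAM_PROMPT_ECHO_ON:
            replies.append(username)
        else:
            replies.append("")
    return replies


class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]


class PamResponse(Structure):
    _fields_ = [("resp", c_void_p), ("resp_retcode", c_int)]


CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)


class PamConv(Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]


def pam_verify(username, password, service="login"):
    """True iff pam_authenticate() returns PAM_SUCCESS for the pair.

    On Linux, pam_unix lets an unprivileged process verify only its own
    password (through the unix_chkpwd helper); other users need root.
    """
    pam_name = find_library("pam")
    if pam_name is None:
        raise OSError("libpam not found on this host")
    libpam = ctypes.CDLL(pam_name)
    libc = ctypes.CDLL(find_library("c"))
    libc.calloc.restype, libc.calloc.argtypes = c_void_p, [c_size_t, c_size_t]
    libc.strdup.restype, libc.strdup.argtypes = c_void_p, [c_char_p]
    libpam.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(c_void_p)]
    libpam.pam_authenticate.argtypes = [c_void_p, c_int]
    libpam.pam_end.argtypes = [c_void_p, c_int]

    def conv(num_msg, msg, resp, _appdata):
        styles = [msg[i].contents.msg_style for i in range(num_msg)]
        # PAM frees the response array and each string with free(), so both
        # must come from the C allocator, not from Python.
        array = libc.calloc(num_msg, ctypes.sizeof(PamResponse))
        responses = ctypes.cast(array, POINTER(PamResponse))
        for i, reply in enumerate(answer_prompts(styles, password, username)):
            responses[i].resp = libc.strdup(reply.encode())
            responses[i].resp_retcode = 0
        resp[0] = responses
        return PAM_SUCCESS

    callback = CONV_FUNC(conv)  # keep a reference alive for the whole call
    pam_conv = PamConv(callback, None)
    handle = c_void_p()
    rc = libpam.pam_start(service.encode(), username.encode(),
                          ctypes.byref(pam_conv), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        return False
    rc = libpam.pam_authenticate(handle, 0)
    libpam.pam_end(handle, rc)
    return rc == PAM_SUCCESS
```

Run as the user being checked, `pam_verify("alice", candidate)` returns True only for the real password; the service names a client may request are the files under /etc/pam.d. The defensive reading is the inverse: an ordinary application has no reason to load libpam and call pam_start with a login-type service, so that pattern from an unexpected process is itself worth alerting on.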
Overall Design for Evasion
PamStealer’s design is consistently centered on stealthy execution. The combination of a disk image and an AppleScript has been seen in earlier macOS malware, but pairing it with a JXA downloader, a Rust payload and PAM-based password verification is new. Together these choices make it more likely to evade traditional antivirus and Endpoint Detection and Response (EDR) systems.
Notably, the encryption of C2 communications and the masquerading as Finder enhance its ability to bypass both network and process monitoring. Additionally, delaying the Full Disk Access request prevents users from linking the malware’s installation with the permission dialog. Jamf concluded, “These behaviors illustrate how commodity-level macOS information-stealing malware is evolving.”
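Two of the evasion points above, the downloader that never spawns a shell and the payload that runs under the name Finder, are easiest to see against telemetry. The following is an added example written for this article, not Jamf’s detection content or PamStealer’s code: it runs three behavioural rules over a constructed, simplified event stream (one dict per exec, connect or write event; real Endpoint Security or EDR schemas differ in shape). The Script Editor and Finder binary paths are those of a stock macOS install.

```python
"""Behavioural rules over constructed endpoint telemetry.

Added example for this article, not Jamf's detection logic or the malware's
code. Events are a constructed, simplified schema; real EDR feeds differ in
shape but carry the same fields (process path, parent, destination, file).
"""

SCRIPT_EDITOR = "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"
SCRIPT_HOSTS = {SCRIPT_EDITOR, "/usr/bin/osascript"}
REAL_FINDER = "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"
SHELL_TOOLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/curl"}

# Constructed telemetry modelled on the chain described in the article:
# Script Editor runs the .scpt, the embedded JXA fetches the payload through
# Objective-C APIs (no shell child), writes it to disk, and the dropped file
# then runs under the name "Finder" from a user-writable path. The real
# Finder (pid 600) is included so the masquerade rule has something to miss.
SAMPLE_EVENTS = [
    {"ts": 0, "type": "exec", "pid": 500, "ppid": 1, "path": SCRIPT_EDITOR},
    {"ts": 5, "type": "connect", "pid": 500, "dest": "203.0.113.10:443"},
    {"ts": 6, "type": "write", "pid": 500, "path": "/Users/alice/Library/Caches/Finder"},
    {"ts": 7, "type": "exec", "pid": 501, "ppid": 500, "path": "/Users/alice/Library/Caches/Finder"},
    {"ts": 8, "type": "exec", "pid": 600, "ppid": 1, "path": REAL_FINDER},
]


def _exec_paths(events):
    """Map pid -> executable path from exec events (pid reuse ignored)."""
    return {e["pid"]: e["path"] for e in events if e["type"] == "exec"}


def shell_child_rule(events):
    """Legacy rule: a script host spawning a shell or curl.

    This is what most AppleScript droppers trip; a JXA downloader that uses
    the Objective-C bridge never forks a shell, so the rule stays silent.
    """
    paths = _exec_paths(events)
    return [e["pid"] for e in events
            if e["type"] == "exec" and e["path"] in SHELL_TOOLS
            and paths.get(e["ppid"]) in SCRIPT_HOSTS]


def script_host_dropper_rule(events):
    """Script host that connects out, writes a file, and that file then runs.

    Keyed on what the downloader must do rather than how it does it, so it
    fires whether the fetch went through curl or through NSURLSession.
    """
    paths = _exec_paths(events)
    connected = {e["pid"] for e in events
                 if e["type"] == "connect" and paths.get(e["pid"]) in SCRIPT_HOSTS}
    written_at = {e["path"]: e["ts"] for e in events
                  if e["type"] == "write" and e["pid"] in connected}
    return [e["pid"] for e in events
            if e["type"] == "exec" and e["path"] in written_at
            and e["ts"] >= written_at[e["path"]]]


def finder_masquerade_rule(events):
    """A process whose binary is named Finder but is not the system Finder."""
    return [e["pid"] for e in events
            if e["type"] == "exec"
            and e["path"].rsplit("/", 1)[-1] == "Finder"
            and e["path"] != REAL_FINDER]


def triage(events):
    """Run every rule and return the offending pids per rule name."""
    return {
        "shell_child": shell_child_rule(events),
        "script_host_dropper": script_host_dropper_rule(events),
        "finder_masquerade": finder_masquerade_rule(events),
    }


if __name__ == "__main__":
    for rule, pids in triage(SAMPLE_EVENTS).items():
        print(f"{rule:22s} -> {pids}")
```

On the sample stream the legacy shell-child rule returns nothing, while the dropper and masquerade rules both point at pid 501. The 40-minute Full Disk Access delay is not visible in this telemetry; correlating a TCC prompt with the process that earlier dropped the binary is the complementary check.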
Implications and Future Outlook
The discovery of PamStealer highlights the increasing sophistication of threats targeting the macOS platform. Historically, macOS has been less frequently targeted by malware compared to Windows. However, recent years have seen a surge in the development of information-stealing malware for macOS. While Apple has strengthened its security mechanisms, such as Gatekeeper and Notarization, techniques like those employed by PamStealer—which exploit legitimate functions like Script Editor and PAM—may render traditional defenses insufficient.
Enterprise security teams should extend endpoint behavior monitoring to legitimate script hosts such as Script Editor and osascript themselves, not only to the shell commands they spawn. As attacks leveraging AppleScript and JXA are expected to increase, insights from macOS-focused security vendors like Jamf are becoming increasingly vital.
Editorial Opinion
PamStealer is a clear example of macOS malware rapidly reaching “Windows-level stealth.” In the short term, variants and imitators can be expected, especially ones adopting PAM-based password verification, which is a cheap and highly practical step for an attacker. Security vendors should prioritize detections for unexpected PAM use (a process with no business authenticating users loading libpam and calling into it) and for anomalous Script Editor and JXA activity.
From a long-term perspective, the discovery raises questions about the macOS security model itself. While Apple has historically relied on tight hardware-software integration for security, the evolution of attacks exploiting legitimate APIs and frameworks could erode this advantage. In the future, measures such as adding permission prompts for PAM calls and restricting privilege escalation during script execution may need to be considered.
References
- Newly discovered PamStealer isn't your typical macOS malware, Ars Technica, published 2026-07-02: https://arstechnica.com/security/2026/07/new-pamstealer-macos-malware-uses-clever-tradecraft-to-remain-stealthy/
Frequently Asked Questions
- How does PamStealer bypass macOS's quarantine attribute?
- After opening the disk image, users double-click the compiled AppleScript, which opens in Script Editor, and are told to press Command+R, Script Editor’s Run shortcut. The script then runs inside Apple’s own signed Script Editor process rather than as a launched application, so the Gatekeeper checks that the com.apple.quarantine attribute would normally trigger for a downloaded executable never apply and no security warning is shown.
- What are the advantages for attackers in exploiting PAM?
- By locally verifying stolen passwords using PAM, attackers can avoid transmitting invalid passwords to the C2 server, which reduces unnecessary traffic. Additionally, it ensures that attackers only acquire valid passwords, increasing the success rate of secondary attacks such as account takeovers.
- How does PamStealer evade detection?
- PamStealer combines several techniques: a Rust-compiled payload that is hard to reverse-engineer, Finder impersonation, encrypted C2 communications, and a delay of up to 40 minutes before the Full Disk Access request. It also embeds a JXA downloader within the AppleScript, so unlike traditional macOS information stealers it never spawns a shell or curl for the download.