Developing story
Decrypt · 6 hours ago · Technology · 3 min read

Maccy Users Targeted by New Rust-Based Infostealer, PamStealer

At a glance

  • Mac users seeking the Maccy clipboard manager are being targeted by a fake version distributing PamStealer, a new Rust-based infostealer.
  • The malware, distributed via lookalike websites and malicious ads, can steal passwords, crypto keys, and sensitive data by exploiting macOS features and requesting Full Disk Access.

AI-generated summary

Why it matters

A new Rust-based infostealer named PamStealer is targeting Mac users by impersonating the open-source clipboard manager Maccy. The malware is distributed through fake websites and malicious ads, aiming to steal sensitive information.

Mac users searching for the open-source clipboard manager Maccy are being targeted by a fake version of the app that installs a new Rust-based infostealer dubbed PamStealer, according to cybersecurity firm Jamf Threat Labs.

If successful, the malware could steal users’ passwords and crypto wallet keys.

In a report published on Thursday, Jamf Threat Labs said the campaign uses a lookalike website to distribute a disk image containing a malicious AppleScript file named Maccy.scpt. When opened, the file displays instructions telling users to run it in Apple's Script Editor while hiding the malicious code further down the document.

“We are tracking this malware under the name PamStealer after one of its core behaviors: validating the victim’s login password through the macOS Pluggable Authentication Modules (PAM) before harvesting it,” Jamf Threat Labs wrote.

From there, the malware uses JavaScript for Automation and native macOS APIs to download a second-stage payload without relying on common shell utilities such as curl or zsh, reducing the number of processes security tools can observe.

“With many stealers, we have seen attackers purchasing Google Ad space to lure users to the malicious app. We have recently observed malicious ads being hosted on X as well,” Jamf Threat Labs Director Jaron Bradley told Decrypt. “These social engineering techniques have proven to be highly successful.”

According to the report, the second stage is a Rust-based binary designed for Apple Silicon Macs that disguises itself as Finder or Software Update.

“Rather than storing its configuration in cleartext, the dropper derives a key from a fingerprint of the host—including its CPU architecture, locale, keyboard layout, and time zone—and uses it to unlock an encrypted, integrity-checked configuration containing the payload URL and installation path,” the company said.

Once installed, the malware can steal browser credentials and Keychain data, monitor clipboard contents, establish persistence, and send stolen information to a remote command-and-control server using encrypted communications. If it can't verify that it's running on its intended target, then it quietly shuts itself down.
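The report says the second-stage binary borrows the names Finder and Software Update. Because the genuine binaries with those names live only under /System/Library/CoreServices, a defender can flag any process carrying one of those names from a different path. The following is an added example, not code from Jamf or from the report; the process events it scans are constructed JSON lines, not real telemetry.

```python
"""Flag processes that masquerade as Finder or Software Update.

Added example (not from Jamf's report): PamStealer's second stage is
described as disguising itself as Finder or Software Update. The real
binaries with those names live under /System/Library/CoreServices, so a
process carrying one of those names from any other path is worth a look.
The process records below are constructed JSON lines, not real telemetry.
"""
import json
from pathlib import PurePosixPath

# Names the stealer is reported to borrow, mapped to the app bundle where the
# genuine binary lives on macOS (sealed system volume, Apple-signed).
MASQUERADE_NAMES = {
    "Finder": "/System/Library/CoreServices/Finder.app",
    "Software Update": "/System/Library/CoreServices/Software Update.app",
}

# Constructed sample telemetry: one process start per line.
SAMPLE_EVENTS = """\
{"pid": 412, "name": "Finder", "path": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"}
{"pid": 9031, "name": "Finder", "path": "/Users/alice/Library/Application Support/.cache/Finder"}
{"pid": 9040, "name": "Software Update", "path": "/private/tmp/Software Update"}
{"pid": 9055, "name": "Maccy", "path": "/Applications/Maccy.app/Contents/MacOS/Maccy"}
"""

def is_masquerading(event: dict) -> bool:
    """True when the name is a borrowed Apple name but the path is not
    inside the bundle where that binary genuinely lives."""
    expected_bundle = MASQUERADE_NAMES.get(event.get("name", ""))
    if expected_bundle is None:
        return False
    path = PurePosixPath(event.get("path", ""))
    # Comparing against the parent list (not a string prefix) rejects
    # look-alike bundles such as .../Finder.app.evil/Contents/MacOS/Finder.
    return PurePosixPath(expected_bundle) not in path.parents

def scan_events(jsonl: str) -> list:
    """Return (pid, name, path) for every masquerading process in the feed."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_masquerading(event):
            hits.append((event["pid"], event["name"], event["path"]))
    return hits

if __name__ == "__main__":
    for pid, name, path in scan_events(SAMPLE_EVENTS):
        print(f"suspicious: pid={pid} name={name!r} path={path}")
```

The same check extends to any other Apple process name a stealer might borrow by adding its bundle path to MASQUERADE_NAMES.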

The malware also attempts to expand its access by displaying a fake Finder alert asking users to grant Full Disk Access. The prompt can appear up to 40 minutes after infection, making it less likely that users will associate it with the original download. If approved, the malware can access protected data, including Mail, Messages, and Time Machine backups.

According to Bradley, Jamf has not observed any evidence that PamStealer is active in the wild; however, the company notified Apple of its findings. Apple did not immediately respond to a request for comment by Decrypt.

Jamf said it is seeing similar social engineering techniques spread to other platforms.

In an X post last week, the company said it was investigating a sponsored advertisement on X promoting DynamicLake that redirected users to dynamicmacisland[.]com, where they were instructed to open Terminal and execute an installation command.

“The advertisement was delivered through a verified X account, adding another layer of trust to the social engineering,” the firm wrote. “Analysis of the payload revealed a recent Atomic (MacSync) Stealer variant.”

What to watch

AI outlook: possibilities, not facts

  • PamStealer variants may evolve to evade detection.

    Likely · Within months

  • Apple will likely release security updates to counter PamStealer.

    Likely · Within weeks

Open questions

  • How widespread is the PamStealer infection?
  • What is the full extent of data compromised?
  • Will Apple implement further protections?

This article was originally published by Decrypt.