
PamStealer Validates macOS Login Passwords via PAM Before Exfiltrating to avenger-sync.live
PamStealer uses a region-aware AppleScript dropper and PAM password validation to steal macOS credentials from users lured to fake Maccy sites. The Rust payload evades quarantine and runs only on Apple Silicon systems outside the regions the dropper excludes. Immediate risk exists for any Mac user downloading clipboard utilities from lookalike domains.
The two-stage chain begins with a quarantined .scpt file hosted on a Maccy lookalike domain. Execution via Script Editor triggers a JXA downloader that derives an AES key from CPU architecture, keyboard layout, and timezone. Only Apple Silicon systems outside Eastern Europe receive the Mach-O binary masquerading as Finder, which then harvests iCloud Keychain, browser data, and clipboard contents before the PAM validation loop begins.
Jamf Threat Labs analysis shows the dropper aborts in sandboxes and on Intel hardware while the Rust stage registers persistence and sends encrypted POSTs to avenger-sync.live. This matches patterns in prior macOS stealers that abuse native Objective-C APIs and Gatekeeper messages, yet adds an explicit credential correctness check absent in most commodity samples.
The operational shift toward local PAM validation reduces noisy failed logins and produces cleaner credential sets for resale. Defenders should monitor for new .scpt droppers mimicking other open-source utilities and expect the same fingerprint-plus-PAM template to appear in campaigns against additional clipboard and productivity tools within the next quarter.
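The detection guidance above, and the chain described earlier (a script host fetching a second stage, a Mach-O posing as Finder, and encrypted POSTs to avenger-sync.live), can be turned into host-level rules. The following is an added example written for this page, not code from Jamf Threat Labs or from either source. It assumes a generic EDR-style process-event feed in JSON Lines with the fields `name`, `path`, `parent_name` and `dest_host`; the schema and the sample events are constructed for illustration, and the genuine Finder path is the standard macOS location.

```python
"""Flag process telemetry consistent with the PamStealer chain described on the page.

Three rules, each tied to a behaviour the page reports:
  1. finder_masquerade   - a process named "Finder" running from anywhere other than
                            the genuine system binary.
  2. script_host_network - a child of Script Editor / osascript that opens a network
                            connection (the JXA downloader stage).
  3. known_c2_domain     - traffic to the exfiltration domain named on the page.
"""
import json
from typing import Iterator

# The only legitimate location of Finder on macOS.
GENUINE_FINDER_PATH = "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"

# Exfiltration domain reported on the page.
KNOWN_C2_DOMAINS = {"avenger-sync.live"}

# Interpreters a quarantined .scpt dropper is executed under.
SCRIPT_HOSTS = {"Script Editor", "osascript"}

# Constructed sample telemetry (not real logs): one JSON process event per line.
# Assumed schema: ts, pid, ppid, name, path, parent_name, dest_host (null if none).
SAMPLE_EVENTS = """\
{"ts": "2026-07-02T10:14:03Z", "pid": 501, "ppid": 1, "name": "Finder", "path": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder", "parent_name": "launchd", "dest_host": null}
{"ts": "2026-07-02T10:15:21Z", "pid": 742, "ppid": 700, "name": "osascript", "path": "/usr/bin/osascript", "parent_name": "Script Editor", "dest_host": "cdn.example.invalid"}
{"ts": "2026-07-02T10:15:29Z", "pid": 751, "ppid": 742, "name": "Finder", "path": "/Users/alice/Library/Caches/Finder", "parent_name": "osascript", "dest_host": null}
{"ts": "2026-07-02T10:16:02Z", "pid": 751, "ppid": 742, "name": "Finder", "path": "/Users/alice/Library/Caches/Finder", "parent_name": "osascript", "dest_host": "avenger-sync.live"}
{"ts": "2026-07-02T10:20:00Z", "pid": 802, "ppid": 1, "name": "curl", "path": "/usr/bin/curl", "parent_name": "Terminal", "dest_host": "example.com"}
"""


def parse_events(lines: str) -> Iterator[dict]:
    """Yield one event dict per non-empty JSON line; malformed lines are skipped."""
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule this single event trips, in rule order."""
    findings: list[str] = []
    if ev.get("name") == "Finder" and ev.get("path") != GENUINE_FINDER_PATH:
        findings.append("finder_masquerade")
    host = ev.get("dest_host")
    if ev.get("parent_name") in SCRIPT_HOSTS and host:
        findings.append("script_host_network")
    if host and host.lower() in KNOWN_C2_DOMAINS:
        findings.append("known_c2_domain")
    return findings


def scan(lines: str) -> list[tuple[str, int, list[str]]]:
    """Scan a JSON Lines feed and return (timestamp, pid, findings) for each hit."""
    hits = []
    for ev in parse_events(lines):
        findings = check_event(ev)
        if findings:
            hits.append((ev["ts"], ev["pid"], findings))
    return hits


if __name__ == "__main__":
    for ts, pid, findings in scan(SAMPLE_EVENTS):
        print(f"{ts} pid={pid} {', '.join(findings)}")
```

Rule 1 is the most durable of the three: the domain will change between campaigns, and script hosts legitimately make network calls in some environments, but a user-writable binary named Finder has no benign explanation. Tune rule 2 by exempting known automation paths rather than dropping it.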
SENTINEL: At least two additional open-source Mac utilities will host PamStealer variants within 60 days.
Sources (2)
- [1] [Primary Source](https://thehackernews.com/2026/07/pamstealer-uses-fake-maccy-sites-and.html)
- [2] [Supporting Source](https://www.jamf.com/blog/threat-labs-pamstealer-analysis)