PamStealer macOS malware validates credentials via PAM before Rust-based exfiltration
PamStealer introduces PAM-based local password validation and JXA dropper execution to macOS credential theft. The technique reduces traditional detection opportunities while remaining compatible with native system features. Detection requires behavioral updates focused on delayed privilege prompts and encrypted C2 from Finder-masquerading processes.
The malware arrives in two stages. After the victim double-clicks a disk image, it prompts them to press Command-R, which executes an embedded AppleScript that launches a self-contained JavaScript for Automation (JXA) downloader. The downloader retrieves a Rust payload that impersonates Finder.app or Software Update.app under com.apple bundle identifiers. The second stage delays Full Disk Access prompts by up to 40 minutes, encrypts C2 traffic, and avoids shell commands to reduce its detection surface.
Jamf analysis documents the PAM workflow that authenticates credentials against local macOS modules before exfiltration, a technique not present in prior commodity stealers such as those tracked under MITRE ATT&CK T1555.003. The approach bypasses com.apple.quarantine via Script Editor execution and aligns with observed shifts in 2024-2025 macOS campaigns that favor native Objective-C APIs over curl or zsh.
Operational impact centers on reduced telemetry. Standard endpoint rules targeting process creation or network calls miss the JXA-to-Rust chain and PAM validation step. Enterprises running Jamf Protect or equivalent will require updated behavioral signatures; consumer users face elevated risk once samples proliferate beyond the initial observed variants.
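As an added illustration (not code from the Jamf or Ars Technica reports), the following Python sketch applies the behavioral idea above to constructed endpoint events: a process claiming a com.apple bundle identifier while running from outside Apple-owned paths is flagged, and a later outbound connection or Full Disk Access request from the same process is attached to the finding. Event field names, the path allow-list and the sample telemetry are assumptions made for this example.

```python
from collections import defaultdict

# Simplified allow-list of where Apple-signed bundles normally live (an assumption
# for this example; a production rule would check code signature, not path).
APPLE_ROOTS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# TCC service name for Full Disk Access.
FULL_DISK_ACCESS = "kTCCServiceSystemPolicyAllFiles"


def is_masquerading(exec_event):
    """True when a process claims the com.apple namespace but runs from outside Apple paths."""
    bundle_id = exec_event.get("bundle_id", "")
    path = exec_event.get("exec_path", "")
    return bundle_id.startswith("com.apple.") and not path.startswith(APPLE_ROOTS)


def analyze(events):
    """Return {pid: [reasons]} for suspect processes.

    A masquerading exec alone is flagged; later network or TCC events from the
    same pid are appended so a triager sees the whole chain, not isolated alerts.
    """
    findings = defaultdict(list)
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "exec" and is_masquerading(ev):
            findings[pid].append(f"{ev['bundle_id']} running from {ev['exec_path']}")
        elif pid in findings and kind == "network":
            findings[pid].append(f"outbound connection to {ev['dst']} (possible C2)")
        elif pid in findings and kind == "tcc" and ev.get("service") == FULL_DISK_ACCESS:
            findings[pid].append("requested Full Disk Access")
    return dict(findings)


# Constructed sample telemetry: pid 501 is the real Finder, pid 742 imitates it.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 501, "bundle_id": "com.apple.finder",
     "exec_path": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"},
    {"type": "exec", "pid": 742, "bundle_id": "com.apple.finder",
     "exec_path": "/Users/alice/Library/Caches/Finder.app/Contents/MacOS/Finder"},
    {"type": "network", "pid": 501, "dst": "17.253.144.10:443"},
    {"type": "network", "pid": 742, "dst": "203.0.113.10:443"},
    {"type": "tcc", "pid": 742, "service": FULL_DISK_ACCESS},
]

if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```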
Deployment patterns indicate continued refinement of delivery lures around clipboard utilities and script-based droppers. Future samples are expected to rotate bundle identifiers more rapidly while retaining the PAM credential gate.
Jamf Threat Labs: at least two additional PamStealer variants with rotated bundle IDs will appear in public samples within 90 days
Sources (3)
- [1] Jamf Threat Research Report on PamStealer (https://www.jamf.com/blog/pamstealer-macos-malware-analysis/)
- [2] Ars Technica coverage of PamStealer (https://arstechnica.com/security/2026/07/new-pamstealer-macos-malware-uses-clever-tradecraft-to-remain-stealthy/)
- [3] MITRE ATT&CK T1555 Credential Access (https://attack.mitre.org/techniques/T1555/)