Cyber Web Spider Blog – News

PamStealer Targets Mac Users with Fake Maccy Websites

Posted on July 3, 2026 By CWS

A recent cybersecurity threat has emerged, targeting Mac users through a new malware known as PamStealer. Identified by Jamf Threat Labs, this information-stealing software employs sophisticated tactics to infiltrate systems and extract sensitive data, posing significant risks to users’ privacy and security.

Deceptive Distribution Methods

PamStealer is distributed under the guise of a legitimate application, Maccy, a well-known open-source clipboard manager. The malware is introduced through a compiled AppleScript file masquerading as the authentic software, exploiting macOS Pluggable Authentication Modules (PAM) to verify and capture users’ login credentials before proceeding with its malicious activities.

The delivery mechanism involves a two-stage process. Initially, the malware is disseminated within a disk image containing a compiled AppleScript, which subsequently downloads and activates an additional payload. This secondary payload, a Rust-based infostealer, is adept at stealing credentials, gathering browser data, ensuring persistence, and exfiltrating valuable information.

Exploiting Lookalike Websites

The initial access vector utilizes a deceptive website, “maccyapp[.]com,” which closely resembles the legitimate Maccy site, “maccy.app.” Upon execution, the AppleScript, cleverly concealed within the disk image, leverages JavaScript for Automation (JXA) alongside native Objective-C APIs to download and stage the stealer payload.
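An added example (not from the article or from Jamf Threat Labs): a triage helper that classifies hostnames seen in proxy or DNS logs against the one legitimate domain named above, catching the pattern used here, where the real TLD is folded into the label of a different TLD. The function names, verdict labels and every sample host other than `maccy.app` and `maccyapp[.]com` are constructed for illustration, and trusted entries are assumed to be registrable domains.

```python
TRUSTED = {"maccy.app"}  # the only legitimate source named in the article

def refang(host):
    """Undo common defanging and normalise case: 'maccyapp[.]com' -> 'maccyapp.com'."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, trusted=TRUSTED):
    """Return (verdict, trusted domain being imitated or None)."""
    host = refang(host)
    for good in trusted:
        # Exact match or a true subdomain of the trusted domain.
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    for good in trusted:
        squashed = good.replace(".", "")     # "maccy.app" -> "maccyapp"
        brand = good.split(".")[0]           # "maccy"
        for label in host.split(".")[:-1]:   # every label except the candidate's TLD
            flat = label.replace("-", "")
            if flat == squashed:
                return ("lookalike:tld-folded", good)  # the pattern in this campaign
            if flat == brand:
                return ("lookalike:tld-swap", good)
            if edit_distance(flat, brand) == 1:
                return ("lookalike:typo", good)
            if brand in flat:
                return ("lookalike:brand-in-label", good)
    return ("unrelated", None)

# Constructed sample hosts, as they might appear in proxy or DNS logs.
SAMPLES = ["maccy.app", "www.maccy.app", "maccyapp[.]com", "macccy.app",
           "notmaccy.app", "example.org"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h:20} {classify(h)}")
```

A lookalike verdict is a triage signal for review, not proof of malice: an unrelated site can legitimately share the brand string.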

A notable aspect of this attack is its ability to operate even when the file retains the com.apple.quarantine attribute, a security measure by Apple. This capability, coupled with the Rust-based second stage and password capture workflow through PAM, results in a stealthy execution chain that evades typical detection methods.

Targeted Execution and Data Exfiltration

PamStealer incorporates advanced techniques to ensure its execution only on compatible systems. It checks the host’s environment, confirming it runs on Apple Silicon by generating a unique key based on system details such as CPU architecture and locale. This key is pivotal in unlocking an encrypted configuration containing the payload URL and installation path.

On systems with Intel architecture or those in specific regions, primarily Eastern Europe, the decryption fails, preventing the malware from proceeding. Once active, the script contacts an external server, retrieving a Mach-O binary, disguised as the Finder app, which harvests data from browsers, cryptocurrency wallets, and more.

The malware further manipulates users into providing their system password by presenting a native prompt. Through repeated attempts, it ensures the correct password is obtained, subsequently displaying a decoy message that suggests the application is damaged and should be discarded, misleading victims into believing the download was unsuccessful.

Response from the Maccy Developer

This deceptive campaign has led Alex Rodionov, the creator of Maccy, to issue warnings on official platforms, cautioning users about fake websites that distribute malware under the guise of Maccy. He emphasizes that “maccy.app” is the sole legitimate source for the software.

The emergence of PamStealer highlights the evolving tactics of macOS malware, which increasingly adopts discreet execution methods and native implementations to bypass traditional security measures while maintaining compatibility with standard macOS functionality.

The Hacker News

Tags: AppleScript, cyber threats, Cybersecurity, fake Maccy sites, Mac password theft, Mac security, Malware, PAM authentication, PamStealer, Rust-based infostealer
