Cyber Web Spider Blog – News

PamStealer Targets Mac Users with Fake Maccy Websites

Posted on July 3, 2026 By CWS

A recent cybersecurity threat has emerged, targeting Mac users through a new malware known as PamStealer. Identified by Jamf Threat Labs, this information-stealing software employs sophisticated tactics to infiltrate systems and extract sensitive data, posing significant risks to users’ privacy and security.

Deceptive Distribution Methods

PamStealer is distributed under the guise of a legitimate application, Maccy, a well-known open-source clipboard manager. The malware is introduced through a compiled AppleScript file masquerading as the authentic software, exploiting macOS Pluggable Authentication Modules (PAM) to verify and capture users’ login credentials before proceeding with its malicious activities.

The delivery mechanism involves a two-stage process. Initially, the malware is disseminated within a disk image containing a compiled AppleScript, which subsequently downloads and activates an additional payload. This secondary payload, a Rust-based infostealer, is adept at stealing credentials, gathering browser data, ensuring persistence, and exfiltrating valuable information.

Exploiting Lookalike Websites

The initial access vector utilizes a deceptive website, “maccyapp[.]com,” which closely resembles the legitimate Maccy site, “maccy.app.” Upon execution, the AppleScript, cleverly concealed within the disk image, leverages JavaScript for Automation (JXA) alongside native Objective-C APIs to download and stage the stealer payload.
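A defensive check for this kind of lookalike, as an added example that is not from the article or from Jamf: it classifies a hostname against the legitimate "maccy.app" and generalizes beyond the one domain in the text to embedded-brand and near-miss spellings. The function names, the one-edit threshold and all sample hostnames other than the two quoted above are assumptions made for illustration.

```python
import re

LEGIT = "maccy.app"  # the only legitimate source named in the article

def refang(host):
    """Undo defanging ([.], hxxp) and strip scheme, path and port."""
    h = host.strip().lower().replace("[.]", ".").replace("(.)", ".")
    h = re.sub(r"^[a-z]+://", "", h)
    return h.split("/")[0].split(":")[0].rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, legit=LEGIT):
    h = refang(host)
    # Exact match or a true subdomain; a bare suffix test would pass "notmaccy.app".
    if h == legit or h.endswith("." + legit):
        return "legitimate"
    brand = legit.split(".")[0]                   # "maccy"
    folded = re.sub(r"[^a-z0-9]", "", legit)      # "maccyapp"
    flat = [re.sub(r"[^a-z0-9]", "", label) for label in h.split(".")]
    if folded in flat:
        return "lookalike: TLD folded into label"
    if any(brand in label for label in flat):
        return "lookalike: brand embedded"
    if any(edit_distance(label, brand) == 1 for label in flat[:-1]):
        return "lookalike: near-miss spelling"
    return "unrelated"

# Constructed inputs, except the two domains quoted in the article.
SAMPLES = ["https://maccy.app/", "www.maccy.app", "maccyapp[.]com",
           "maccy.app.example.net", "notmaccy.app", "macccy.example", "example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:26} {classify(s)}")
```
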

A notable aspect of this attack is its ability to operate even when the file retains the com.apple.quarantine attribute, a security measure by Apple. This capability, coupled with the Rust-based second stage and password capture workflow through PAM, results in a stealthy execution chain that evades typical detection methods.

Targeted Execution and Data Exfiltration

PamStealer incorporates advanced techniques to ensure it executes only on compatible systems. It generates a unique key from host details such as CPU architecture and locale, which in effect confirms that the system runs on Apple Silicon. This key is required to unlock an encrypted configuration containing the payload URL and installation path.

On systems with Intel architecture or those in specific regions, primarily Eastern Europe, the decryption fails, preventing the malware from proceeding. Once active, the script contacts an external server, retrieving a Mach-O binary, disguised as the Finder app, which harvests data from browsers, cryptocurrency wallets, and more.
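A hunting check for the "disguised as the Finder app" behaviour, as an added example that is not from the article or from Jamf: it parses process-list output and flags any executable named Finder that does not live at the system Finder path. The `ps` sample, the user path and the `osascript` parent shown are constructed for illustration, and the function names are assumptions.

```python
import posixpath

# Real location of Finder on macOS; any other executable named "Finder" is suspect.
SYSTEM_FINDER = "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"
WATCHED_NAMES = {"finder"}

def parse_ps(output):
    """Parse `ps -axo pid=,ppid=,comm=` lines into (pid, ppid, path) tuples."""
    rows = []
    for line in output.splitlines():
        parts = line.split(None, 2)  # keep spaces inside the executable path
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            rows.append((int(parts[0]), int(parts[1]), parts[2].strip()))
    return rows

def find_masquerades(rows):
    """Return processes whose name matches Finder but whose path does not."""
    by_pid = {pid: path for pid, _, path in rows}
    hits = []
    for pid, ppid, path in rows:
        name = posixpath.basename(path).lower()
        if name in WATCHED_NAMES and posixpath.normpath(path) != SYSTEM_FINDER:
            # Parent path is included for triage (e.g. a script host as parent).
            hits.append({"pid": pid, "path": path, "parent": by_pid.get(ppid, "?")})
    return hits

# Constructed sample output; the non-system path is a made-up placeholder.
SAMPLE_PS = """
    1     0 /sbin/launchd
  412     1 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  977     1 /usr/bin/osascript
  981   977 /Users/alice/Library/Application Support/cache/Finder
"""

if __name__ == "__main__":
    for hit in find_masquerades(parse_ps(SAMPLE_PS)):
        print(hit)
```
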

The malware further manipulates users into providing their system password by presenting a native prompt. Through repeated attempts, it ensures the correct password is obtained, subsequently displaying a decoy message that suggests the application is damaged and should be discarded, misleading victims into believing the download was unsuccessful.

Response from the Maccy Developer

This deceptive campaign has led Alex Rodionov, the creator of Maccy, to issue warnings on official platforms, cautioning users about fake websites that distribute malware under the guise of Maccy. He emphasizes that “maccy.app” is the sole legitimate source for the software.

The emergence of PamStealer highlights the evolving tactics of macOS malware, which increasingly adopts discreet execution methods and native implementations to bypass traditional security measures while maintaining compatibility with standard macOS functionality.

The Hacker News

Tags: AppleScript, cyber threats, Cybersecurity, fake Maccy sites, Mac password theft, Mac security, Malware, PAM authentication, PamStealer, Rust-based infostealer

Copyright © 2026 Cyber Web Spider Blog – News.