New Mac Malware Validates Passwords Before Stealing Data

Laptop displaying a malware warning symbol on its screen.

Cybersecurity researchers have uncovered a new piece of macOS malware that takes credential theft to another level. The malicious software, called PamStealer, does not simply collect passwords. Instead, it checks whether a stolen password is valid before launching a wider data theft operation.

The malware was identified by researchers at Jamf Threat Labs, who say the campaign targets Mac users through fake software downloads. Attackers disguise the malware as the popular Maccy clipboard manager and trick victims into installing it.

Fake App Opens the Door

The attack begins with a fraudulent website that closely resembles Maccy’s official download page. Once users install the fake application, it retrieves a second-stage payload written in the Rust programming language. The malware then establishes persistence on the device and begins gathering information.

Unlike many infostealers, PamStealer does not simply keep whatever the victim types into a password prompt. It passes the captured password to the macOS Pluggable Authentication Modules (PAM) framework, the same authentication layer that tools such as sudo rely on, so the password is checked on the device itself. Attackers therefore know immediately whether a stolen password works and can focus only on valuable accounts.

Researchers also found that the malware checks keyboard layouts, regional settings, and other system details before running. These checks suggest the attackers carefully select their intended victims.

Wide Range of Data at Risk

After confirming the password, PamStealer targets a broad collection of personal information. It can steal browser cookies, saved passwords, browsing history, clipboard contents, database files, and even cryptocurrency wallet data. Furthermore, it encrypts the stolen information before sending it to remote servers, making the activity harder to detect.

The malware also attempts to gain Full Disk Access by impersonating Finder. Full Disk Access is a privacy permission that only the user can grant in System Settings, which is why the prompt is dressed up as a request from a trusted system app. If the user approves, the malware can read data the permission otherwise protects, significantly more than a typical app can reach on the Mac.
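A practical check for this behaviour is to audit which clients currently hold Full Disk Access. The following script is an added example, not code from the article or from Jamf: it queries the TCC database's `access` table for `kTCCServiceSystemPolicyAllFiles` grants and flags anything that is not on an allow list, is registered by path rather than bundle identifier, or was granted recently. The column names (`service`, `client`, `client_type`, `auth_value`, `last_modified`), the meaning of `auth_value == 2` as "allowed" and `client_type == 1` as a path-based client, and the allow-list entries are assumptions to confirm on your macOS version; the sample rows are constructed for the demonstration.

```python
"""Audit Full Disk Access grants in the macOS TCC database (added example).

The real database lives at
/Library/Application Support/com.apple.TCC/TCC.db (system-wide) and
~/Library/Application Support/com.apple.TCC/TCC.db (per user); reading
the system copy itself requires Full Disk Access, so run this from a
tool that already has it (e.g. Terminal with FDA) or from an MDM agent.
Column names and the auth_value / client_type encodings below are an
assumption based on recent macOS releases; verify on your target version.
"""
import sqlite3
import time

FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"
AUTH_ALLOWED = 2          # assumption: auth_value 2 means "allowed"
CLIENT_TYPE_PATH = 1      # assumption: 1 = client identified by path, 0 = bundle id

# Placeholder allow list: bundle ids you deliberately granted FDA.
EXPECTED_FDA_CLIENTS = {
    "com.apple.Terminal",
    "com.example.corp-edr-agent",   # placeholder for a managed security agent
}


def fda_grants(conn):
    """Return (client, client_type, auth_value, last_modified) rows for FDA."""
    cur = conn.execute(
        "SELECT client, client_type, auth_value, last_modified FROM access "
        "WHERE service = ?",
        (FDA_SERVICE,),
    )
    return cur.fetchall()


def unexpected_fda(conn, expected=EXPECTED_FDA_CLIENTS,
                   recent_seconds=7 * 86400, now=None):
    """Flag allowed FDA grants that are off the allow list, path-based, or
    recent (a fresh grant is exactly what a social-engineered prompt
    produces). Returns a list of {"client": ..., "reasons": [...]}."""
    now = time.time() if now is None else now
    findings = []
    for client, client_type, auth_value, last_modified in fda_grants(conn):
        if auth_value != AUTH_ALLOWED:
            continue
        reasons = []
        if client not in expected:
            reasons.append("not on allow list")
        if client_type == CLIENT_TYPE_PATH:
            reasons.append("path-based client")
        if now - last_modified < recent_seconds:
            reasons.append("granted in the last %d days" % (recent_seconds // 86400))
        if reasons:
            findings.append({"client": client, "reasons": reasons})
    return findings


def constructed_db():
    """In-memory database with a subset of the TCC schema and constructed
    sample rows (not data from a real host). Returns (conn, now)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, last_modified INTEGER)"
    )
    now = 1_700_000_000
    rows = [
        (FDA_SERVICE, "com.apple.Terminal", 0, 2, now - 90 * 86400),
        (FDA_SERVICE, "com.example.corp-edr-agent", 0, 2, now - 200 * 86400),
        # Finder holding FDA is not a default state; a fresh grant stands out
        (FDA_SERVICE, "com.apple.finder", 0, 2, now - 3600),
        # a path-based grant to a helper dropped by a fake installer (constructed)
        (FDA_SERVICE, "/Users/alice/Library/Application Support/maccy-helper", 1, 2, now - 600),
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, now - 50 * 86400),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", rows)
    return conn, now


if __name__ == "__main__":
    conn, now = constructed_db()
    for finding in unexpected_fda(conn, now=now):
        print(finding["client"], "->", "; ".join(finding["reasons"]))
```

On a real system, replace `constructed_db()` with `sqlite3.connect("file:/Library/Application Support/com.apple.TCC/TCC.db?mode=ro", uri=True)` and run the same query; any grant to Finder, to a path rather than a bundle identifier, or made in the last few days is worth asking the user about.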

Experts Urge Caution

Security experts warn that PamStealer shows how cybercriminals increasingly abuse legitimate macOS features instead of relying on unknown software flaws. The attack depends heavily on user actions, including downloading software from untrusted sources and approving suspicious prompts.

Researchers advise Mac users to download apps only from trusted developers and carefully review any request for administrator passwords or Full Disk Access permissions. Keeping macOS and security tools updated can also help block threats before they cause serious damage.
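"Download only from trusted developers" is checkable rather than a matter of trust: a Developer ID signature carries the developer's Team ID, and Gatekeeper reports whether Apple notarized the build. The script below is an added example, not code from the article or from Jamf. It shells out to `codesign` and `spctl` on macOS, and the parsing and decision logic are pure Python so they can be exercised against the constructed sample output included here (the sample shows a look-alike app signed under a different Team ID). `EXPECTED_BUNDLE_ID` and `EXPECTED_TEAM_ID` are placeholders; take the real values from a known-good installation or the developer's own site, never from the download page you are trying to verify.

```python
"""Verify a downloaded .app is signed by the expected developer and is
notarized before running it (added example, not the project's own code).
"""
import subprocess
import sys

EXPECTED_BUNDLE_ID = "org.p0deje.Maccy"   # assumed; confirm against a trusted copy
EXPECTED_TEAM_ID = "XXXXXXXXXX"           # placeholder 10-character Apple Team ID


def parse_codesign(output):
    """Turn 'codesign -dv --verbose=4' output (Key=Value lines, with several
    Authority= lines) into a dict; Authority values are kept as a list."""
    info = {"Authority": []}
    for line in output.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def assess(info, spctl_output, bundle_id=EXPECTED_BUNDLE_ID,
           team_id=EXPECTED_TEAM_ID):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if info.get("Identifier") != bundle_id:
        problems.append("bundle identifier %r is not %r"
                        % (info.get("Identifier"), bundle_id))
    if info.get("TeamIdentifier") != team_id:
        problems.append("Team ID %r is not %r" % (info.get("TeamIdentifier"), team_id))
    if not any(a.startswith("Developer ID Application:") for a in info["Authority"]):
        problems.append("not signed with a Developer ID certificate")
    if "accepted" not in spctl_output or "Notarized" not in spctl_output:
        problems.append("Gatekeeper did not accept the app as notarized")
    return problems


def check_app(path):
    """Run the real tools against an app bundle (macOS only)."""
    problems = []
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                            capture_output=True, text=True)
    if verify.returncode != 0:
        problems.append("signature does not verify: " + verify.stderr.strip())
    # codesign prints the signature details to stderr
    details = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                             capture_output=True, text=True)
    gatekeeper = subprocess.run(["spctl", "--assess", "--type", "execute",
                                 "--verbose", path],
                                capture_output=True, text=True)
    problems += assess(parse_codesign(details.stderr),
                       gatekeeper.stdout + gatekeeper.stderr)
    return problems


# Constructed sample output for a look-alike build signed under another
# Team ID; not captured from a real sample.
SAMPLE_CODESIGN = """\
Executable=/Applications/Maccy.app/Contents/MacOS/Maccy
Identifier=org.p0deje.Maccy
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Attacker (ZZZZZZZZZZ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZZZZZZ
"""
SAMPLE_SPCTL = "/Applications/Maccy.app: accepted\nsource=Notarized Developer ID\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        problems = check_app(sys.argv[1])
    else:
        problems = assess(parse_codesign(SAMPLE_CODESIGN), SAMPLE_SPCTL)
    print("OK" if not problems else "\n".join("REJECT: " + p for p in problems))
```

Usage: `python3 verify_app.py /Applications/Maccy.app`; with no argument it evaluates the constructed sample and reports the Team ID mismatch. The same Team ID pin can be expressed directly to codesign as a requirement, `codesign --verify -R='anchor apple generic and certificate leaf[subject.OU] = "XXXXXXXXXX"' /Applications/Maccy.app`, which is the form to use in an MDM or CI policy.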

Sources: Jamf