Cybersecurity researchers have uncovered a new piece of macOS malware that takes credential theft to another level. The malicious software, called PamStealer, does not simply collect passwords. Instead, it checks whether a stolen password is valid before launching a wider data theft operation.
The malware was identified by researchers at Jamf Threat Labs, who say the campaign targets Mac users through fake software downloads. Attackers disguise the malware as the popular Maccy clipboard manager and trick victims into installing it.

Fake App Opens the Door
The attack begins with a fraudulent website that closely resembles Maccy’s official download page. Once users install the fake application, it retrieves a second-stage payload written in the Rust programming language. The malware then establishes persistence on the device and begins gathering information.
Unlike many infostealers, PamStealer uses the Pluggable Authentication Modules (PAM) framework on macOS to verify login credentials. As a result, the attackers know immediately whether a captured password works and can focus only on valuable accounts.
Researchers also found that the malware checks keyboard layouts, regional settings, and other system details before running. These checks suggest the attackers carefully select their intended victims.

Wide Range of Data at Risk
After confirming the password, PamStealer targets a broad collection of personal information. It can steal browser cookies, saved passwords, browsing history, clipboard contents, database files, and even cryptocurrency wallet data. Furthermore, it encrypts the stolen information before sending it to remote servers, making the activity harder to detect.
The malware also attempts to gain Full Disk Access by impersonating Finder. If successful, it can access significantly more information stored on the Mac.

Experts Urge Caution
Security experts warn that PamStealer shows how cybercriminals increasingly abuse legitimate macOS features instead of relying on unknown software flaws. The attack depends heavily on user actions, including downloading software from untrusted sources and approving suspicious prompts.
Researchers advise Mac users to download apps only from trusted developers and carefully review any request for administrator passwords or Full Disk Access permissions. Keeping macOS and security tools updated can also help block threats before they cause serious damage.