
In short
- Jamf Threat Labs has identified a new Rust-based macOS infostealer that poses as the Maccy clipboard manager.
- The malware verifies the victim's password via macOS PAM before harvesting credentials and wallet data.
- Researchers also observed a ClickFix-style campaign that was delivered through paid ads on X.
Mac users looking for Maccy, an open-source clipboard manager, are being targeted by a fake installer that drops a new Rust-based infostealer called PamStealer, according to cybersecurity firm Jamf Threat Labs. If successful, the malware can steal users' passwords and crypto wallet keys.
In a report published Thursday, Jamf Threat Labs said the campaign uses a lookalike site to distribute a disk image containing a malicious AppleScript file called Maccy.scpt. When opened, the file displays instructions telling users to run it in Apple's Script Editor, while the malicious code is hidden further down in the document, out of view.
“We are tracking this malware under the name PamStealer after one of its main tasks: verifying the victim’s password via macOS Pluggable Authentication Modules (PAM) before harvesting,” Jamf Threat Labs wrote.
From there, the malware uses JavaScript for Automation (JXA) and native macOS APIs to download secondary payloads without relying on shell tools such as curl or zsh, leaving less for security tooling that watches those utilities to see.
“With so many hackers, we’ve seen people buying Google Ad space to lure users into malicious software. We’ve also seen malicious ads run on X,” Jamf Threat Labs Director Jaron Bradley told Decrypt. “These social media strategies have proven to be very successful.”
According to the report, the second stage is a native binary built for Apple Silicon Macs that disguises itself as Finder or Software Update.
“Instead of storing the configuration in plain text, the downloader derives the key from the victim’s fingerprint, including the CPU architecture, locale, keyboard layout, and time zone, and uses it to unlock the encrypted configuration containing the payload URL and installation method,” the company said.
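The environment-keyed configuration described above is worth seeing end to end, because it explains both why the downloader does nothing on a sandbox and how an analyst gets the config back anyway. The following is an added example written for this article, not code from Jamf or from the malware: it uses only the Python standard library, the fingerprint fields (CPU, locale, keyboard, time zone) are taken from the quote, and the salt, the config contents and the toy HMAC-SHA256 counter-mode cipher are constructed stand-ins for whatever the real sample uses.

```python
"""Environment-keyed config: the decryption key is derived from a host
fingerprint, so the config only unlocks on the intended victim.
Added example, stdlib only. The cipher (HMAC-SHA256 counter-mode keystream
plus an HMAC tag) is a constructed toy, not PamStealer's real scheme."""
import hashlib
import hmac
import itertools
import json
import secrets
from typing import Optional


def host_fingerprint(cpu: str, locale: str, keyboard: str, tz: str) -> bytes:
    # Fixed field order so the same host always produces the same bytes.
    return "|".join([cpu, locale, keyboard, tz]).encode()


def derive_key(fingerprint: bytes, salt: bytes) -> bytes:
    # PBKDF2 makes every candidate fingerprint cost the analyst some work.
    return hashlib.pbkdf2_hmac("sha256", fingerprint, salt, 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in itertools.count():
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        if len(out) >= length:
            return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong key, i.e. wrong host: nothing recoverable
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed target host, salt and config (stand-ins for the real values).
SALT = b"constructed-salt"
TARGET = host_fingerprint("arm64", "en_US", "US", "America/New_York")
CONFIG = {"payload_url": "https://example.invalid/stage2", "install": "launchagent"}
BLOB = seal(derive_key(TARGET, SALT), json.dumps(CONFIG).encode())


def unlock_config(blob: bytes, salt: bytes, fingerprint: bytes) -> Optional[dict]:
    """Downloader side: config on the right host, None everywhere else."""
    pt = unseal(derive_key(fingerprint, salt), blob)
    return None if pt is None else json.loads(pt)


def recover_config(blob, salt, cpus, locales, keyboards, tzs):
    """Analyst side: the fingerprint space is small, so enumerate it offline."""
    for combo in itertools.product(cpus, locales, keyboards, tzs):
        cfg = unlock_config(blob, salt, host_fingerprint(*combo))
        if cfg is not None:
            return combo, cfg
    return None


if __name__ == "__main__":
    sandbox = host_fingerprint("x86_64", "en_GB", "British", "Europe/London")
    print("sandbox:", unlock_config(BLOB, SALT, sandbox))  # None: malware would exit silently
    print("target: ", unlock_config(BLOB, SALT, TARGET))
    print("recovered:", recover_config(
        BLOB, SALT,
        ["x86_64", "arm64"], ["en_GB", "en_US"],
        ["British", "US"], ["Europe/London", "America/New_York"]))
```

The point for defenders is the asymmetry: on any host whose locale, keyboard or time zone differs from the target, the tag check fails and the downloader has no payload URL to fetch, so dynamic analysis in a default sandbox produces nothing. Because the fingerprint inputs are low-entropy, however, an analyst who has the blob and the salt can brute-force the combination offline, as `recover_config` does.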
Once installed, the malware can steal browser credentials and Keychain data, monitor clipboard contents, establish persistence, and send stolen information to a remote command-and-control server using encrypted messages. If it cannot confirm that it is running on its intended target, it shuts itself down silently.
The malware also tries to widen its reach by displaying a fake Finder alert asking users to grant Full Disk Access. The prompt appears roughly 40 minutes after infection, so that users are less likely to associate it with the original download. If accepted, the malware can access protected data, including Mail, Messages, and Time Machine backups.
According to Bradley, Jamf has not yet seen evidence of PamStealer operating in the wild; the company has informed Apple of its findings. Apple did not immediately respond to a request for comment from Decrypt.
Jamf said it is seeing similar techniques spread across other platforms.
In an X post last week, the company said it was investigating a paid ad on X promoting DynamicLake that sent users to dynamicmacisland(.)com, where they were instructed to open Terminal and run an installation command.
“The ad was delivered through a verified X account, adding some credibility to the social engineering,” the company wrote. “An analysis of the payload revealed the latest version of Atomic (MacSync) Stealer.”
The findings come as attackers increasingly disguise malware as legitimate software and exploit trusted platforms and advertising channels. Recent campaigns have included fake OpenAI repositories hosted on Hugging Face that distributed a Rust-based infostealer, a malicious Visual Studio Code extension that GitHub said exposed approximately 3,800 internal repositories, and the Shai-Hulud supply-chain campaign, which hit development tools used by AI companies including OpenAI and Mistral AI.