{"id":14079,"date":"2026-07-04T10:03:44","date_gmt":"2026-07-04T10:03:44","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/04\/pamstealer-mimics-maccy-clipboard-manager-silently-harvests-data-and-clipboard-contents\/"},"modified":"2026-07-04T10:03:44","modified_gmt":"2026-07-04T10:03:44","slug":"pamstealer-mimics-maccy-clipboard-manager-silently-harvests-data-and-clipboard-contents","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/04\/pamstealer-mimics-maccy-clipboard-manager-silently-harvests-data-and-clipboard-contents\/","title":{"rendered":"PamStealer Mimics Maccy Clipboard Manager Silently Harvests Data and Clipboard Contents"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">PamStealer is a newly identified <a href=\"https:\/\/cybersecuritynews.com\/malvertising-campaign-delivers-amos-malext-macos-infostealer\/\" target=\"_blank\" rel=\"noreferrer noopener\">macOS infostealer<\/a> that disguises itself as the popular open-source clipboard manager \u201cMaccy\u201d while silently harvesting sensitive user data.<\/p>\n<p class=\"wp-block-paragraph\">Discovered by Jamf Threat Labs, the malware uses a stealthy two-stage infection chain designed to evade detection and blend into normal macOS activity.<\/p>\n<p class=\"wp-block-paragraph\">The attack begins with a malicious disk image file named \u201cMaccy.dmg,\u201d which contains a compiled AppleScript file (.scpt).<\/p>\n<p class=\"wp-block-paragraph\">When opened, the file displays harmless-looking instructions prompting the user to press Run. This simple social engineering trick triggers the hidden malicious code embedded deep within the script.<\/p>\n<p class=\"wp-block-paragraph\">In the first stage, the AppleScript acts as a lightweight dropper. 
Instead of relying on common command-line tools like curl or zsh, it executes a JavaScript for Automation (JXA) payload using native macOS APIs such as NSURLSession.<\/p>\n<h2 id=\"h-pamstealer-steals-maccy-clipboard-data\" class=\"wp-block-heading\"><strong>PamStealer Steals Maccy Clipboard Data<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">This approach reduces visible system activity and avoids raising suspicion. The script downloads a second-stage payload and installs it on the system, often masquerading as a legitimate macOS component, such as Finder or Software Update.<\/p>\n<p class=\"wp-block-paragraph\">PamStealer includes environment-aware checks before executing. It generates a unique key based on system attributes such as CPU architecture, locale, and time zone.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjUCKX1BlVm4MVrkqAItO8t-5X-sSIchwff8DpJQxHwCksOmYTWNZMV8ApVGORCC4kJStAILSeC7eLQQ7_4YQiz5omHzNZycycupQCD9awxeSNt3-bBmbPAeK1mJwdv_t1f_lITftKyZpURUlbfGciHK8l6yQGIWriL7DH3Z_IlmCiOJKsepjTGy92-T1A\/s1600\/Screenshot%25202026-07-03%2520191431%2520%25281%2529.webp?ssl=1\" alt=\"A fake Maccy clipboard manager distributed via a disk image (source: Jamf Threat Labs)\"><figcaption class=\"wp-element-caption\">A fake Maccy clipboard manager distributed via a disk image (source: Jamf Threat Labs)<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">If the device does not match the expected profile, the malware silently exits. It also avoids systems in specific regions, including Russia and neighboring countries, by checking language settings and keyboard layouts.<\/p>\n<p class=\"wp-block-paragraph\">The second stage is a Rust-based Mach-O binary, which is relatively uncommon in <a href=\"https:\/\/cybersecuritynews.com\/macos-malware-leverages-google-ads\/\" target=\"_blank\" rel=\"noreferrer noopener\">macOS malware<\/a>. 
This infostealer performs a range of malicious activities, including credential theft, clipboard monitoring, and data exfiltration.<\/p>\n<p class=\"wp-block-paragraph\">It accesses browser databases using SQLite to extract stored passwords, cookies, and wallet data. It also dynamically loads macOS Security frameworks to access Keychain data without exposing its capabilities during static analysis.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhg-nRbHD3s8QyJnRJy-2fwiovyirFrBHdfb2p0wtz9MQ0QOXGh6sNe2A9xsBCBR_96hInn90YMEO8QPQEOj_FJUQ4TJbkdVf7ryi3qYGHxP5pmSejUEogFQ8K508TyNw3gyw6INuFl3iYIDZ7uKNsuXBnQLjE_8UKd8mOC-VGyK7fh1vZwVx5mIHU1AFw\/s1600\/Screenshot%25202026-07-03%2520191451%2520%25281%2529.webp?ssl=1\" alt='After capturing the password, the stealer displays a fake \"Maccy is damaged\" alert to deceive the user (source: Jamf Threat Labs)'><figcaption class=\"wp-element-caption\">After capturing the password, the stealer displays a fake \u201cMaccy is damaged\u201d alert to deceive the user (source: Jamf Threat Labs)<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">One of the most notable features of PamStealer is its password harvesting technique. The malware displays a fake system prompt asking the user to enter their password.<\/p>\n<p class=\"wp-block-paragraph\">It then validates the password locally using macOS <a href=\"https:\/\/cybersecuritynews.com\/china-nexus-hackers-use-backdoored-pam-modules\/\" target=\"_blank\" rel=\"noreferrer noopener\">Pluggable Authentication Modules (PAM)<\/a>, ensuring only correct credentials are captured. This method avoids suspicious system calls and reduces the number of detection opportunities.<\/p>\n<p class=\"wp-block-paragraph\">Clipboard data is continuously monitored using the built-in pbpaste utility. 
The malware repeatedly collects clipboard contents at irregular intervals, potentially capturing sensitive information such as passwords, tokens, or cryptocurrency addresses.<\/p>\n<p class=\"wp-block-paragraph\">For persistence, PamStealer registers itself as a login item using both modern and legacy macOS APIs. It also drops a helper binary disguised as \u201cSystem Settings\u201d to reinforce persistence mechanisms.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhaaAB86JwNUB6J9mQpCZK4bssqnNh9tqwY04adTe-9kkmoQLNJMiY3h53arvW8aLecnzgYrHsEMr1HLG7cFaXtPHSoiz26wj1nb10r0pg1-XQq85E9VFzHh79sUHWPd74cEqDnp-OLdCdSd6xLZEpihNpD6iq7eI74BmkkQq6MFYVIckh__jIsg8Jn18M\/s1600\/Screenshot%25202026-07-03%2520191440%2520%25281%2529.webp?ssl=1\" alt=\"The stealer gains Full Disk Access to read protected data (source: Jamf Threat Labs)\"><figcaption class=\"wp-element-caption\">The stealer gains Full Disk Access to read protected data (source: Jamf Threat Labs)<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Additionally, it attempts to trick users into granting <a href=\"https:\/\/cybersecuritynews.com\/cybercriminals-shift-from-fake-login-pages\/\" target=\"_blank\" rel=\"noreferrer noopener\">Full Disk Access via fake system alerts<\/a>, thereby increasing its ability to access sensitive files.<\/p>\n<p class=\"wp-block-paragraph\">The malware communicates with its command-and-control server at avenger-sync[.]live, sending encrypted data using ChaCha20-Poly1305 within JSON requests.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.jamf.com\/blog\/pamstealer-macos-infostealer-applescript-rust\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Jamf Threat Labs observed<\/a> connections to public Ethereum RPC endpoints, suggesting the malware may use blockchain infrastructure for resilient command-and-control or payload 
retrieval.<\/p>\n<p class=\"wp-block-paragraph\">Several indicators of compromise (IOCs) have been identified, including suspicious domains such as api.sync-master[.]online and avngr.netlify[.]app, along with file paths mimicking macOS system directories like ~\/Library\/Application Support\/com.apple.finder.core\/.<\/p>\n<p class=\"wp-block-paragraph\">PamStealer highlights the evolving sophistication of macOS threats. By combining native APIs, Rust-based payloads, and advanced social engineering, attackers are creating quieter, more effective malware that is harder to detect with traditional methods.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/pamstealer-mimic-as-maccy-harvest\/\">PamStealer Mimics Maccy Clipboard Manager Silently Harvests Data and Clipboard Contents<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Abinaya<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/pamstealer-mimic-as-maccy-harvest\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>PamStealer Mimics Maccy Clipboard 
Manager Silently Harvests Data and Clipboard Contents PamStealer is a newly identified macOS infostealer that disguises itself as the popular open-source clipboard manager \u201cMaccy\u201d while silently harvesting sensitive user data. Discovered by Jamf Threat Labs, the malware uses a stealthy two-stage infection chain designed to evade detection and blend into normal [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,510],"tags":[130],"class_list":["post-14079","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-macos","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14079"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14079"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14079\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14079"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14079"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14079"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}