Updated
Updated · appleworld.today · Jul 2
PamStealer Targets macOS With 2-Stage Rust Infostealer as It Delays Prompts by 40 Minutes
Updated
Updated · appleworld.today · Jul 2

PamStealer Targets macOS With 2-Stage Rust Infostealer as It Delays Prompts by 40 Minutes

2 articles · Updated · appleworld.today · Jul 2

Summary

  • Jamf Threat Labs said PamStealer masquerades as the Maccy clipboard manager and silently steals data, clipboard contents and passwords from macOS systems.
  • The malware uses a two-stage chain: a clickable .scpt lure and self-contained JXA dropper, followed by a Rust-based payload that validates credentials locally through PAM before exfiltrating them.
  • That second stage tries to stay hidden by posing as Finder, encrypting command-and-control traffic and delaying a Full Disk Access prompt for up to 40 minutes so activity does not align with launch.
  • Jamf said the campaign reflects a broader shift in macOS stealers toward quieter execution chains and native implementations that reduce traditional detection opportunities.
  • The attack still depends on users downloading software from unknown sources and approving multiple prompts, making trusted developers and verified website addresses the main defenses.

Insights

How is advanced malware turning Apple's own trusted applications into security backdoors?
Why are state-sponsored hackers in 2026 suddenly so interested in your Mac's login password?