Cybersecurity researchers at Jamf Threat Labs have identified a new Rust-based macOS information stealer that specifically targets Apple Silicon systems by disguising itself as the popular open-source clipboard manager, Maccy.
The malware, dubbed PamStealer, uses fraudulent websites mimicking the official Maccy project to distribute its payload. Once a user downloads and executes the malicious file, the stealer establishes a persistent presence on the compromised system before beginning data collection.
Widespread Data Theft
PamStealer casts a wide net when harvesting sensitive information. The malware is capable of stealing browser data, cryptocurrency wallet contents, Keychain credentials, and clipboard data—giving attackers access to a broad range of sensitive materials beyond simple login information.
The threat also earns its name through its abuse of macOS's Pluggable Authentication Modules (PAM), the system framework responsible for user login verification. By leveraging this mechanism, the malware can directly siphon login passwords from infected devices.
Persistence and Detection
Once installed, PamStealer maintains a persistent foothold on the target system, ensuring continued access to stolen data and ongoing surveillance of user activity. The combination of PAM abuse and data theft capabilities makes this a particularly concerning threat for Apple Silicon users.
Security teams managing Mac fleets are advised to ensure endpoint protection solutions are updated to detect indicators of compromise identified in the researchers' analysis. Users should only download Maccy from verified sources such as the official GitHub repository.
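The PAM abuse described above works through the system's PAM service files, which are plain text. A defender's first check is therefore whether those files reference any module that is not part of the stock macOS set. The script below is an added example, not code from Jamf Threat Labs or from the article; it parses PAM configuration lines in the `facility control module [args]` format and flags modules loaded from outside `/usr/lib/pam` or whose name is not in a baseline. The baseline module list, the directory paths and the sample `sudo` configurations are constructed assumptions for illustration; build the real baseline from a known-clean machine of the same macOS version before relying on it.

```python
"""Audit macOS PAM service files for modules outside a known-good baseline.

Added example for the PamStealer write-up; not the researchers' tooling.
Assumptions: stock layout with service files in /etc/pam.d and modules in
/usr/lib/pam, and a baseline of module stems taken from a clean reference system.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PAM_D_DIR = "/etc/pam.d"          # assumption: stock service-file directory
PAM_MODULE_DIR = "/usr/lib/pam"   # assumption: stock module directory

# Constructed baseline of stock module stems (file name without .so / .so.N).
# Regenerate from a clean machine of the same macOS build before use.
BASELINE_MODULES = {
    "pam_opendirectory", "pam_nologin", "pam_launchd", "pam_permit", "pam_deny",
    "pam_uwtmp", "pam_env", "pam_group", "pam_krb5", "pam_ntlm", "pam_smartcard",
    "pam_tid", "pam_self", "pam_rootok", "pam_sacl", "pam_mount",
}

# One PAM rule: facility, control flag, module, optional arguments.
LINE_RE = re.compile(r"^(auth|account|password|session)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Finding:
    service: str
    lineno: int
    module: str
    reason: str


def parse_pam_line(raw: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (facility, control, module, args) or None for blank/comment lines."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable PAM line: {raw!r}")
    facility, control, module, args = m.groups()
    return facility, control, module, args or ""


def module_stem(module: str) -> str:
    """Strip directory and .so / .so.N suffix so pam_x.so and pam_x.so.2 compare equal."""
    return re.sub(r"\.so(\.\d+)?$", "", os.path.basename(module))


def audit_service(service: str, text: str, baseline=BASELINE_MODULES) -> List[Finding]:
    """Flag rules that load a module from an unexpected path or outside the baseline."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_pam_line(raw)
        except ValueError:
            findings.append(Finding(service, lineno, raw.strip(), "unparseable line"))
            continue
        if parsed is None:
            continue
        _, _, module, _ = parsed
        if "/" in module and os.path.dirname(module) != PAM_MODULE_DIR:
            findings.append(Finding(service, lineno, module,
                                    f"module loaded from outside {PAM_MODULE_DIR}"))
        elif module_stem(module) not in baseline:
            findings.append(Finding(service, lineno, module,
                                    "module not in known-good baseline"))
    return findings


def audit_directory(pam_d: str = PAM_D_DIR) -> List[Finding]:
    """Audit every service file in the PAM directory of the running system."""
    findings: List[Finding] = []
    for name in sorted(os.listdir(pam_d)):
        path = os.path.join(pam_d, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(audit_service(name, fh.read()))
    return findings


# Constructed sample: a sudo service file using only stock modules.
CLEAN_SUDO = """\
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
"""

# Constructed sample: the same file with two foreign modules inserted (placeholder names).
TAMPERED_SUDO = """\
# sudo: auth account password session
auth       optional       /Users/Shared/.cache/pam_sync.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
auth       required       pam_extra.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
"""

if __name__ == "__main__":
    for f in audit_directory():
        print(f"{f.service}:{f.lineno} {f.module}: {f.reason}")
```

Run it as root on a fleet machine to list every suspect rule; an empty result means every module referenced in `/etc/pam.d` is a stock module loaded from the stock directory. The check is deliberately narrow: it does not inspect the module binaries themselves, so pair it with code-signature verification of anything in `/usr/lib/pam` and with the indicators published in the researchers' analysis.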
