
PamStealer macOS Malware: Detecting Fake Maccy Apps and PAM Attacks

Security Arsenal Team
July 3, 2026
5 min read

Security operations teams must be on high alert for PamStealer, a newly identified macOS information stealer actively targeting Apple endpoints. Discovered by Jamf Threat Labs, this malware poses a significant threat to credential security by masquerading as Maccy, a legitimate open-source clipboard manager.

Unlike traditional macOS malware, which ships as a compiled native binary, PamStealer is distributed as a compiled AppleScript (.scpt) file. Its primary objective is to exfiltrate Mac login passwords, likely by manipulating or interrogating Pluggable Authentication Modules (PAM) and the system keychain. Trojanizing a well-known open-source tool lends the download a false sense of legitimacy and raises the success rate of the initial infection vector. Defenders need to understand the TTPs of this script-based threat to prevent widespread credential compromise.

Technical Analysis

Affected Platform: macOS (All recent versions supporting AppleScript).

Distribution Vector: The threat actors are distributing the malware via fake websites impersonating the legitimate Maccy project. Users are tricked into downloading a compiled AppleScript file (.scpt) instead of the actual application bundle.

Attack Chain and Mechanics:

  1. Initial Execution: The user opens the malicious .scpt file. On macOS this launches the osascript interpreter, or runs the script through Script Editor if the file type is associated with it.
  2. Obfuscation & Logic: Because the AppleScript is compiled, its internal logic is obscured from casual inspection. The script likely relies on "do shell script" commands to perform the heavy lifting.
  3. Credential Theft (PAM Checks): The moniker "PamStealer" suggests interaction with PAM or the underlying authentication databases. On macOS this typically means abusing the security command-line utility to dump the System Keychain, or using dscl to interact with directory services, in order to extract or bypass login credentials.
  4. Exfiltration: Once credentials are harvested, the script stages them for exfiltration to a C2 server.

Exploitation Status: Confirmed active in-the-wild distribution via fake repositories.

Detection & Response

Given the script-based nature of this threat, detection relies heavily on monitoring for abnormal osascript activity and interactions with system security binaries.

SIGMA Rules

---
title: PamStealer - Suspicious AppleScript Execution
id: 8a4b2c1d-9e6f-4a3b-8c5d-1e2f3a4b5c6d
status: experimental
description: Detects the execution of compiled AppleScript files (.scpt) or osascript with arguments indicative of PamStealer activity, specifically mimicking Maccy or performing security dumps.
references:
  - https://attack.mitre.org/techniques/T1059/002
author: Security Arsenal
date: 2026/07/22
tags:
  - attack.execution
  - attack.t1059.002
logsource:
  category: process_creation
  product: macos
detection:
  selection_img:
    Image|endswith:
      - '/osascript'
      - '/Script Editor'
  selection_ext:
    CommandLine|contains:
      - '.scpt'
  selection_mimic:
    CommandLine|contains:
      - 'Maccy'
      - 'clipboard'
  condition: selection_img and (selection_ext or selection_mimic)
falsepositives:
  - Legitimate administrative use of AppleScript
level: medium
---
title: PamStealer - Credential Dumping via Security Binary
id: 9c5d3e2f-0a7b-5c4d-9e6f-2a3b4c5d6e7f
status: experimental
description: Detects attempts to dump keychain data or interact with PAM/security frameworks using the security command, often spawned by script-based stealers.
references:
  - https://attack.mitre.org/techniques/T1003
author: Security Arsenal
date: 2026/07/22
tags:
  - attack.credential_access
  - attack.t1003
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    Image|endswith: '/usr/bin/security'
    CommandLine|contains:
      - 'find-generic-password'
      - 'dump-keychain'
      - 'export'
  selection_parent:
    ParentImage|endswith:
      - '/osascript'
      - '/bin/sh'
  condition: selection and selection_parent
falsepositives:
  - Legitimate backup or migration operations
level: high
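The two Sigma rules above, applied in Python to constructed process-creation events as an added example (this is not code from the Security Arsenal post). Rule 2 is widened here to walk the full process ancestry, so a keychain dump launched a shell or two below osascript is still correlated back to the script host. Field names and the sample paths are assumptions.

```python
from typing import NamedTuple

class ProcEvent(NamedTuple):          # assumed shape of one process_creation event
    pid: int
    ppid: int
    image: str
    cmdline: str

SCRIPT_HOSTS = ("/osascript", "/Script Editor")
LURE_TERMS = ("Maccy", "clipboard", ".scpt")
KEYCHAIN_TERMS = ("find-generic-password", "dump-keychain", "export")
SCRIPT_ANCESTORS = ("/osascript", "/bin/sh", "/bin/bash", "/bin/zsh")

def suspicious_script_exec(ev):
    """Rule 1: script host plus a .scpt argument or the Maccy/clipboard lure."""
    return ev.image.endswith(SCRIPT_HOSTS) and any(t in ev.cmdline for t in LURE_TERMS)

def keychain_dump_from_script(ev, by_pid, max_depth=4):
    """Rule 2 widened: security keychain subcommand with osascript/shell in its ancestry."""
    if not (ev.image.endswith("/usr/bin/security")
            and any(t in ev.cmdline for t in KEYCHAIN_TERMS)):
        return False
    parent = by_pid.get(ev.ppid)
    for _ in range(max_depth):           # bounded walk up the tree
        if parent is None:
            return False
        if parent.image.endswith(SCRIPT_ANCESTORS):
            return True
        parent = by_pid.get(parent.ppid)
    return False

def hunt(events):
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if suspicious_script_exec(e):
            alerts.append(("medium", "suspicious-applescript", e.pid))
        if keychain_dump_from_script(e, by_pid):
            alerts.append(("high", "keychain-dump-from-script", e.pid))
    return alerts

# Constructed sample telemetry (not real IoCs): lure launch -> sh -> security dump,
# plus a benign backup tool exporting a keychain with no script host in its ancestry.
SAMPLE = [
    ProcEvent(100, 1, "/usr/bin/osascript", "osascript /Users/jane/Downloads/Maccy.scpt"),
    ProcEvent(101, 100, "/bin/sh", "sh -c 'security dump-keychain -d login.keychain'"),
    ProcEvent(102, 101, "/usr/bin/security", "security dump-keychain -d login.keychain"),
    ProcEvent(200, 1, "/Applications/Backup.app/Contents/MacOS/Backup", "Backup --full"),
    ProcEvent(201, 200, "/usr/bin/security", "security export -k login.keychain"),
]
```

Running hunt(SAMPLE) flags the lure launch (pid 100) at medium and the dump two levels below it (pid 102) at high, while the backup tool's export (pid 201) stays quiet.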

KQL (Microsoft Sentinel / Defender)

// Hunt for PamStealer indicators: osascript execution and security binary abuse
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName has "osascript" or ProcessCommandLine has ".scpt")
    or (FileName == "security" and ProcessCommandLine has_any ("find-generic-password", "dump-keychain"))
| extend ParsingDetails = extract_all(@'(\.scpt|Maccy|security)', ProcessCommandLine)
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, ParsingDetails
| order by Timestamp desc

Velociraptor VQL

-- Hunt for compiled AppleScripts in user downloads and suspicious process execution
-- Check for .scpt files in standard download directories
SELECT FullPath, Size, Mtime
FROM glob(globs='/Users/*/Downloads/*.scpt')

-- Check for osascript/security processes and any executable mimicking Maccy.
-- pslist() exposes the parent only as Ppid (there is no Parent object) and the
-- command line as CommandLine; join on Ppid if the parent name is needed.
SELECT Pid, Ppid, Name, Exe, CommandLine
FROM pslist()
WHERE Name = 'osascript'
   OR Name = 'security'
   OR Exe =~ 'Maccy'

Remediation Script (Bash)

#!/bin/bash
# PamStealer Remediation Script
# Action: Kill malicious osascript processes and quarantine potential droppers

QUARANTINE=/tmp/quarantine

echo "[+] Starting PamStealer Remediation..."

# 1. Kill any osascript processes running from user contexts (use with caution in prod)
# In a real scenario, verify PID legitimacy first. This is a containment scorch.
echo "[+] Terminating active osascript sessions..."
PIDS=$(pgrep -x "osascript")
if [ -n "$PIDS" ]; then
    # pgrep prints one PID per line; left unquoted so kill receives them as separate arguments
    kill -9 $PIDS
    echo "Terminated PIDs:" $PIDS
else
    echo "No osascript processes found."
fi

# 2. Locate and quarantine .scpt files in Downloads
# The quarantine directory must exist before anything is moved into it, and find exits 0
# even when nothing matches, so count the moved files instead of testing $?
mkdir -p "$QUARANTINE"
echo "[+] Scanning for suspicious .scpt files in Downloads..."
FOUND=0
while IFS= read -r -d '' f; do
    mv "$f" "$QUARANTINE"/ && FOUND=$((FOUND + 1))
done < <(find /Users/*/Downloads -name "*.scpt" -print0 2>/dev/null)

if [ "$FOUND" -gt 0 ]; then
    echo "[!] $FOUND suspicious .scpt file(s) moved to $QUARANTINE/"
else
    echo "No .scpt files found."
fi

echo "[+] Remediation complete. Please rotate macOS user passwords and check Keychain access logs."

Remediation

  1. Identify and Isolate: Identify endpoints with processes named osascript spawning the security binary. Isolate affected machines from the network immediately to prevent C2 communication.
  2. Remove Malicious Artifacts: Delete the downloaded .scpt file. If a fake "Maccy" app was installed, remove the application bundle from /Applications and check LaunchAgents or LaunchDaemons for persistence mechanisms (though PamStealer is currently script-based, vigilance for persistence is required).
  3. Credential Rotation: Assume all Mac login passwords and Keychain contents stored on the infected machine are compromised. Force a password reset for the local user account and review/rotate sensitive credentials stored in the System Keychain.
  4. Software Restriction: Implement policies (e.g., via Jamf or MDM) to block the execution of unsigned .scpt files or restrict osascript execution to specific administrative users only.
  5. Vendor Advisory: Review the official analysis from Jamf Threat Labs for specific IOCs (hashes, domain names) associated with the fake Maccy distribution sites and block these domains at the perimeter.
