The Fake Clipboard Trap: A macOS Stealer That Checks Passwords on the Machine It Just Infected
A disguised Mac utility, a two-stage payload, and local password validation through PAM reveal a stealthier playbook for credential theft.
On macOS, a familiar productivity app can be enough to open the door. In this case, the lure was a counterfeit version of Maccy, a clipboard manager that many users would see as harmless software. Once launched, the package unfolded into a credential-stealing chain designed not just to grab data, but to make the theft feel like a normal login step.
Fast Facts
- PamStealer is a macOS infostealer described as masquerading as Maccy, an open-source clipboard manager.
- The malware uses a two-stage chain, with a compiled AppleScript dropper leading to a Rust payload.
- Observed collection targets include credentials, browser data, and clipboard contents.
- The sample uses macOS Pluggable Authentication Modules, or PAM, to validate stolen passwords locally.
- Maccy’s own repository warns users about fake sites impersonating the project name.
What Makes This Sample Interesting
Clipboard managers are attractive bait because they sit close to the material users copy and paste every day. That can include passwords, session tokens, recovery codes, and other fragments that should never land in the wrong hands. A fake version of a utility like Maccy does not need exotic exploits if it can simply convince a user to run it.
The technical shape matters here. The first stage was described as a compiled AppleScript dropper packaged in a disk image. The second stage was a stripped arm64 Mach-O binary written in Rust. That combination points to a native macOS execution path rather than a simple script-only grab, which can make a sample harder to spot during casual inspection.
The most distinctive behavior is the password check. Instead of sending stolen credentials straight to a remote verifier, the malware uses PAM on the local machine to validate passwords. PAM is the authentication layer many Unix-like systems use to hand login decisions to local modules and policy chains. From a defender’s perspective, that means a password prompt can look normal while the malware quietly confirms whether the captured secret is worth keeping.
This is not just a theft story. It is a trust story. The fake utility, the native scripting, and the local authentication check together show how commodity-looking malware can borrow the shape of legitimate software. That makes download hygiene, code-signing checks, and software provenance reviews more important than ever for macOS users and administrators.
The available information supports a risk analysis, not a definitive judgment about every possible infection path or downstream effect. What it does establish is that the sample was built to reduce noise while collecting high-value data from the host itself.
Conclusion
PamStealer is a reminder that modern credential theft does not always start with a loud exploit. Sometimes it begins with a trusted-looking app, a familiar prompt, and a local validation step that makes stolen passwords easier to sort from useless ones. The broader lesson is simple: on macOS, the safest download is still the one you can verify before you run it.
TECHCROOK
Hardware security key: A small USB/NFC device for two-factor authentication on important accounts. It adds a physical login step that is harder to phish than passwords alone and is widely used with email, password managers, and admin accounts.
WIKICROOK
- Infostealer: Malware built to harvest credentials, browser artifacts, and other sensitive data from an infected device.
- PAM: Pluggable Authentication Modules, a framework that lets local software ask the operating system to verify credentials.
- Mach-O: The executable file format used by macOS for native binaries and apps.
- AppleScript: A macOS automation language that can control apps and system actions.
- Disk image (DMG): A packaged macOS file container often used to distribute apps and installers.




