hacker-news · Crawled Jul 5, 2026

PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords


AI Summary

PamStealer is a new macOS information stealer distributed via fake websites that impersonate Maccy, a legitimate clipboard manager. It uses a two-stage infection chain that starts with a malicious AppleScript dropper, which downloads a Rust-based payload. The malware validates the victim's login password using macOS PAM, establishes persistence, and steals credentials, browser data, cryptocurrency wallets, and iCloud Keychain contents before exfiltrating them to attacker-controlled servers.

AI-extracted · verify before operational use

Indicators of Compromise (3 extracted)

Type    Value
Domain  maccyapp[.]com
Domain  avenger-sync[.]live
Domain  maccyapp[.]net