Mac users searching for a clipboard manager are being redirected to a fake version of Maccy, an open-source app, in a campaign that installs a Rust-based infostealer called PamStealer.
Jamf Threat Labs reported that the malware is served from maccyapp(.)com, a lookalike domain made to impersonate the legitimate Maccy project.
Researchers named the malware PamStealer because it checks a victim’s login password via macOS Pluggable Authentication Modules (PAM) before retaining it.
AppleScript Starts the Infection Chain
The attack starts with a disk image containing a compiled AppleScript file named Maccy.scpt. When opened, the file shows branded instructions that tell the user to run the script in Script Editor, while the malicious logic sits far below the visible text after a long blank section.
Jamf also found Greek and Cyrillic lookalike characters in the word “Maccy,” a small trick meant to defeat simple text matching.
Once the user runs the script, the first stage acts as a downloader for the real payload. Jamf said the dropper uses JavaScript for Automation with native Objective-C APIs, including NSURLSession, to retrieve and stage the second stage, avoiding the more visible use of curl, zsh or osascript that many macOS downloaders use.
Before that download proceeds, the script checks the machine it is running on. The dropper builds a key from host details such as CPU architecture, locale, keyboard layout, and time zone, then uses that key to unlock its encrypted configuration. Jamf said the files it reviewed were keyed to Apple silicon, and the configuration would not unlock on Intel Macs.
According to Jamf Threat Labs’ report shared with Hackread.com, malware authors have also added regional checks into the first stage. The malware checks time zones, locale data, and keyboard input sources linked to Russia, Belarus, Kazakhstan, and several nearby countries, with any match stopping the configuration from opening. Jamf said the same checks appear again in the second stage, linking the dropper and infostealer to the same operator.
Rust Payload Hides as a macOS Component
After installation, the payload hides inside an application bundle that looks like a built-in macOS component. Jamf observed variants using names such as Finder.app and Software Update.app, with Apple-style bundle identifiers and the genuine Finder icon copied in. The dropper ad hoc signs the bundle, launches it without a visible window or Dock item, and leaves a .Maccy file nearby as an infection flag.
After the fake Finder launches, the Rust-based Mach-O stealer begins collecting data. Jamf said it can read browser-related SQLite databases, load Security.framework at runtime for keychain access, read the clipboard by repeatedly launching the built-in pbpaste utility, and send data to a command and control endpoint. The traffic is wrapped in JSON and encrypted with ChaCha20 Poly1305.

Password Prompt and Decoy Error Message
It is also worth noting that the malware’s password prompt is designed to look familiar to a Mac user. It shows a native-looking dialog claiming that “Maccy wants to make changes” and asks for the account password. If the user types the wrong password, PamStealer checks it through PAM and asks again, moving forward only after a valid password is entered.
A second fake alert helps the operator close the loop. After the password has been accepted and the payload has already run, the malware shows a message saying the Maccy app is damaged and should be moved to Trash. That message is a decoy, giving the user a simple explanation for why the app did not open normally.
Full Disk Access Push and Login Item Persistence
The malware also tries to talk users into granting Full Disk Access. In Jamf’s testing, a fake alert appeared after a delay that could reach about 40 minutes, claiming that Finder had lost access to protected data and offering to open System Settings. If the user approves the fake Finder entry in the Full Disk Access pane, the stealer can read protected app data, including Mail, Messages, and Time Machine backups.
To survive restarts, PamStealer registers its fake Finder bundle as a login item in two ways. The Rust stealer uses Apple’s modern ServiceManagement API, and it also drops a small helper program in /private/tmp/System Settings to add the same bundle through the legacy login items interface.
Network activity also leaves a useful clue for incident response. Jamf found the second stage using avenger-sync(.)live/api/sync for command and control, with cache records stored under ~/Library/Caches/com.apple.finder.core/. The cache kept request and response metadata, while the message bodies remained encrypted.
What Mac Users and Admins Should Check
Anyone installing Maccy should get it from the real project page or trusted package sources, not a search result or lookalike domain. A clipboard manager delivered as a .scpt file that asks to be run in Script Editor should be treated as suspicious, and password prompts from newly downloaded apps deserve extra scrutiny.
If your company uses Macs, the attack leaves several signs that can help spot an infected machine. These include Script Editor triggering code signing for an app stored inside Application Support, a process named Finder running from a folder where normal users can save files, repeated use of the macOS pbpaste tool by that fake Finder process, and new login items using a copied Apple system icon.
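As an added triage helper (not code from Jamf Threat Labs, Hackread or the Maccy project), the POSIX shell functions below apply the host indicators above to a process listing and to a filesystem root, so they can be dry-run against constructed input; the stock Finder path and the placement of the .Maccy flag under Application Support are assumptions.

```shell
#!/bin/sh
# Added triage helper, not from the Jamf report or the Hackread article.
# Assumption: the genuine Finder binary lives at the stock CoreServices path.
REAL_FINDER="/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"

# flag_fake_finder: reads "pid ppid path" lines on stdin (e.g. from
# `ps -axo pid,ppid,comm | tail -n +2`) and prints every process whose
# executable is named Finder but is not the system Finder, such as one
# launched from a user-writable Application Support folder.
flag_fake_finder() {
  while read -r pid ppid path; do
    [ "$path" = "$REAL_FINDER" ] && continue
    case "$path" in
      */Finder) printf 'fake-finder pid=%s path=%s\n' "$pid" "$path" ;;
    esac
  done
}

# count_pbpaste_children: same input; prints how many pbpaste processes have
# parent pid $1. The stealer reads the clipboard by relaunching pbpaste, so a
# non-system Finder parent spawning it repeatedly is the signal described above.
count_pbpaste_children() {
  parent="$1"; n=0
  while read -r pid ppid path; do
    [ "$ppid" = "$parent" ] && [ "${path##*/}" = "pbpaste" ] && n=$((n + 1))
  done
  echo "$n"
}

# check_artifacts ROOT HOME: prints one line per on-disk artifact named in the
# article found under ROOT (use / on a live host, a temp dir when testing):
# the legacy login-item helper, the C2 cache folder, and the .Maccy flag
# (assumed to sit beside the fake bundle under Application Support).
check_artifacts() {
  root="$1"; home="$2"
  for p in "$root/private/tmp/System Settings" \
           "$root$home/Library/Caches/com.apple.finder.core"; do
    [ -e "$p" ] && printf 'artifact: %s\n' "$p"
  done
  find "$root$home/Library/Application Support" -maxdepth 2 -name .Maccy \
    2>/dev/null | sed 's/^/artifact: /'
  return 0
}
```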
