How to remove PamStealer malware (Mac)

Mac Virus

Also Known As: PamStealer virus


To use the full-featured product, you have to purchase a license for Combo Cleaner. A seven-day free trial is available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

What kind of malware is PamStealer?

PamStealer is a two-stage information stealer that targets macOS users. According to research published by Jamf Threat Labs, the malware disguises itself as Maccy, a real open-source clipboard manager, to trick victims into running it themselves.

The first stage is a compiled AppleScript that downloads a second, Rust-based payload. If PamStealer is found on a Mac, it should be removed right away.

Fake website used to distribute PamStealer malware

PamStealer overview

Jamf researchers found that PamStealer arrives inside a disk image containing a file named Maccy.scpt. Victims are told to open this file in Script Editor and press ⌘+R to "get started," which actually runs the malicious script.

Once running, the first stage profiles the Mac by checking its CPU architecture, language, keyboard layout, and time zone. If the device appears to be located in Russia, Belarus, Kazakhstan, or nearby countries, the malware simply stops running.

The script also checks for debugging tools and System Integrity Protection before downloading the second stage, a Mach-O executable written in Rust. This stage carries an ad hoc code signature and is hidden inside a fake system folder made to resemble Finder or a Software Update component.

What data does PamStealer steal?

PamStealer is built to steal a wide range of sensitive information. It reads login credentials directly through macOS's Pluggable Authentication Modules (PAM) system, without needing to open a visible Terminal window.

The malware also opens browser credential databases with SQLite to grab saved passwords, cookies, and data belonging to cryptocurrency wallet extensions. It repeatedly runs the pbpaste command to monitor and copy whatever is placed on the clipboard.

In addition, PamStealer loads Apple's Security framework at runtime to pull data from the Keychain, macOS's built-in password manager. If the victim later grants Full Disk Access, the malware can reach protected files elsewhere on the system as well.
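As an added example, not taken from the Jamf report or from PCRisk, this Python triage snippet shows two host-side checks suggested by the behaviour described above: parsing `codesign -dvv` output for an ad hoc signature on a binary sitting in a fake Finder or Software Update folder, and spotting a process that shells out to pbpaste in bursts. The codesign output and process events are constructed samples; the folder names, trusted path prefixes and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed folder names the second stage borrows to pass as part of macOS, and the
# locations where genuinely Apple-signed components of that name actually live.
SYSTEM_LOOKALIKE_NAMES = ("Finder", "Software Update", "SoftwareUpdate")
TRUSTED_PREFIXES = ("/System/", "/Applications/", "/usr/", "/Library/Apple/")

def is_adhoc_in_fake_system_path(codesign_output):
    """Parse `codesign -dvv <binary>` output (one `Key=value` line per field).
    True when the binary is ad hoc signed (no Team ID, no developer identity)
    and sits in a user-writable path named after a system component."""
    fields = dict(re.findall(r"^(\w[\w ]*)=(.*)$", codesign_output, flags=re.M))
    path = fields.get("Executable", "")
    adhoc = fields.get("Signature", "").strip() == "adhoc"
    lookalike = any(name in path for name in SYSTEM_LOOKALIKE_NAMES)
    return adhoc and lookalike and not path.startswith(TRUSTED_PREFIXES)

def pbpaste_bursts(events, window=timedelta(seconds=60), threshold=5):
    """events: (iso_timestamp, parent_pid, command) records from an EDR or process
    audit feed. Returns {parent_pid: max_count} for parents that spawned pbpaste
    at least `threshold` times inside any `window`; an interactive user rarely does."""
    by_parent = defaultdict(list)
    for ts, ppid, cmd in events:
        if cmd.split()[0].rsplit("/", 1)[-1] == "pbpaste":
            by_parent[ppid].append(datetime.fromisoformat(ts))
    flagged = {}
    for ppid, times in by_parent.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted spawn times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ppid] = max(flagged.get(ppid, 0), end - start + 1)
    return flagged

# Constructed samples: codesign output for a stage-2 style binary, and a polling loop
# (ppid 4242) running pbpaste every 5 s next to two normal pastes from a shell (900).
SAMPLE_CODESIGN = """Executable=/Users/alice/Library/Application Support/Finder/Finder
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1188 flags=0x2(adhoc) hashes=30+2 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""
SAMPLE_EVENTS = [("2024-05-01T10:00:%02d" % (5 * i), 4242, "/usr/bin/pbpaste") for i in range(8)]
SAMPLE_EVENTS += [("2024-05-01T09:15:00", 900, "pbpaste"), ("2024-05-01T11:40:00", 900, "pbpaste"),
                  ("2024-05-01T10:00:03", 4242, "/bin/sleep 5")]
```

On a real Mac the first check would be fed with the stderr of `codesign -dvv` run against binaries under the user's home directory; the second needs a process-event source, since pbpaste invocations are too short-lived to catch with a one-off process listing.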

How does PamStealer avoid detection?

The malware relies on a delayed permission request. Rather than asking for Full Disk Access right away, it can wait up to 40 minutes before showing the prompt, which makes it harder to connect the request back to the original download.

PamStealer also displays a fake Gatekeeper-style error message as a decoy, and it disguises its authorization prompts using a native macOS alert window so they look like a normal system request rather than one coming from unknown software.

According to Jamf, the fake website even used Greek and Cyrillic look-alike characters, a technique known as a homoglyph attack, in parts of its content to slip past automated text-based scanners.
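As an added example, not code from the Jamf research or from PCRisk, the following Python check flags words that mix Latin letters with Greek or Cyrillic look-alikes, which is the homoglyph pattern described above and the kind of test a text scanner needs in order not to be fooled by it. The confusables table is a small constructed subset; a production scanner would load the full Unicode confusables data.

```python
import re
import unicodedata

# Scripts whose letters are commonly substituted for Latin ones in homoglyph attacks.
CONFUSABLE_SCRIPTS = ("GREEK", "CYRILLIC")

# Constructed subset of Unicode confusables (Cyrillic/Greek -> Latin look-alike).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",
}

def letter_script(ch):
    """Return the script prefix of a letter's Unicode name ('LATIN', 'CYRILLIC', ...),
    or '' for digits, punctuation and anything without a name."""
    if not ch.isalpha():
        return ""
    return unicodedata.name(ch, "").split(" ", 1)[0]

def fold_confusables(word):
    """Map known look-alike letters back to their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in word)

def mixed_script_words(text):
    """Return words that combine Latin letters with Greek or Cyrillic ones.

    Text written entirely in Cyrillic or Greek is left alone; the homoglyph pattern is
    a mostly-Latin word with one or two foreign letters swapped in, which defeats exact
    keyword matching while looking identical on screen. Each finding lists the suspect
    code points and the Latin word they were standing in for.
    """
    findings = []
    for word in re.findall(r"\w+", text):
        scripts = {letter_script(ch) for ch in word} - {""}
        if "LATIN" in scripts and scripts & set(CONFUSABLE_SCRIPTS):
            suspects = [(ch, "U+%04X" % ord(ch), unicodedata.name(ch))
                        for ch in word if letter_script(ch) in CONFUSABLE_SCRIPTS]
            findings.append({"word": word, "suspects": suspects,
                             "folded": fold_confusables(word)})
    return findings
```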

Persistence and communication with attackers

To stay installed after a reboot, PamStealer registers itself as a login item twice, once through Apple's modern ServiceManagement API and once through an older, legacy interface bundled inside a helper executable.

Stolen data is sent to a remote server at avenger-sync[.]live, routed through Cloudflare and encrypted with ChaCha20-Poly1305. The malware's configuration also lists Ethereum network endpoints, pointing to an interest in cryptocurrency theft.

Threat Summary:

Name: PamStealer virus
Threat Type: Mac malware, Mac virus, stealer, password-stealing virus.
Symptoms: Stealers are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine.
Detection Names: Combo Cleaner (Trojan.GenericKD.80674484), ESET-NOD32 (OSX/PSW.Agent.IY Trojan), Emsisoft (Trojan.GenericKD.80674484 (B)), Symantec (OSX.Trojan.Gen), Full List Of Detections (VirusTotal)
Possible Distribution Methods: Fake websites impersonating legitimate software, disguised disk image (DMG) files, social engineering.
Damage: Stolen passwords and banking information, identity theft, stolen cryptocurrency, financial loss, possible additional infections.

Malware Removal (Windows)

To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.


Conclusion

PamStealer is malware that can quietly harvest passwords, Keychain data, browser and cryptocurrency wallet information, and clipboard content from an infected Mac. Because it hides behind a fake copy of a real app and delays its most suspicious requests, victims may not notice anything wrong until their accounts or funds are already compromised.

Some examples of information stealers are ShadeStager, Infiniti, and Miolab.

How did PamStealer infiltrate my device?

PamStealer spreads through a fake website, maccyapp[.]com, made to look like the download page for Maccy, a legitimate and popular clipboard manager for Mac. The real Maccy project is only distributed from maccy.app, and its official site even warns visitors about copycat pages.

Victims who download the fake disk image are told to open a file named Maccy.scpt in Script Editor and press ⌘+R to "get started." That step is what actually runs the malicious script and starts the infection instead of installing the real app.

Beyond this specific campaign, Mac malware is often spread the same way: bogus download pages, malicious ads, cracked software, fake browser or system updates, and disguised attachments in phishing emails and messages.

How to avoid malware?

Only download software from the developer's official website or the Mac App Store, and double check the domain before trusting a download page, especially for smaller, lesser-known utilities.

Be wary of any installer that asks you to open and manually run a script through Script Editor or Terminal. Legitimate Mac apps do not need this kind of manual step to "get started."

If your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate all threats.

The fake website (maccyapp[.]com) distributing PamStealer, imitating the real Maccy download page:

Fake maccyapp.com website distributing PamStealer malware

Deceptive instructions shown to trick victims into manually running the malicious script:

Fake step-by-step instructions used to launch PamStealer

The genuine Maccy website (maccy.app) warning visitors about copycat pages:

Official Maccy website warning about fake websites

Instant automatic malware removal:

Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware.


Unwanted applications removal:

Remove potentially unwanted applications from your "Applications" folder:

Manual removal of malicious Mac applications

Click the Finder icon. In the Finder window, select "Applications". In the Applications folder, look for "MPlayerX", "NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.


Frequently Asked Questions (FAQ)

My device is infected with PamStealer malware, should I format my storage device to get rid of it?

This will fully remove PamStealer, but it will also erase everything stored on the device. Before taking such a drastic step, it is generally recommended to try a reliable anti-malware tool like Combo Cleaner first.

What are the biggest issues that malware can cause?

PamStealer extracts and exfiltrates data from infected devices, including passwords, Keychain entries, browser data, and clipboard content. Infections of this kind can lead to account hijacking, stolen cryptocurrency, identity theft, and other financial losses.

What is the purpose of PamStealer malware?

The purpose of PamStealer is to steal sensitive data from infected macOS devices, including login credentials, Keychain passwords, browser and cryptocurrency wallet data, and anything copied to the clipboard.

How did PamStealer malware infiltrate my computer?

PamStealer is distributed through a fake website that imitates the real Maccy clipboard manager. Victims are guided to open a disguised script in Script Editor and run it manually, which silently installs the malware in the background.

Will Combo Cleaner protect me from malware?

Yes, Combo Cleaner can detect and remove most known malware infections. Keep in mind that running a complete system scan is essential, since sophisticated malware like PamStealer typically hides deep within the system.


Tomas Meskauskas

Expert security researcher, professional malware analyst

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats.


The PCrisk security portal is brought to you by RCS LT.

Our security researchers work together to educate computer users about the latest online security threats. More information about RCS LT is available on the company page.

Our malware removal guides are free. However, if you want to support us you can send us a donation.
