{"id":9908,"date":"2026-07-05T20:36:11","date_gmt":"2026-07-05T18:36:11","guid":{"rendered":"https:\/\/www.mixtv1.com\/index.php\/2026\/07\/05\/fake-mac-clipboard-app-delivers-new-password-stealing-malware\/"},"modified":"2026-07-05T20:36:57","modified_gmt":"2026-07-05T18:36:57","slug":"beware-fake-mac-clipboard-app-caught-stealing-passwords","status":"publish","type":"post","link":"https:\/\/www.mixtv1.com\/index.php\/2026\/07\/05\/beware-fake-mac-clipboard-app-caught-stealing-passwords\/","title":{"rendered":"Beware: Fake Mac Clipboard App Caught Stealing Passwords"},"content":{"rendered":"<h3>New Threats 
Targeting macOS: The Rise of PamStealer and Sophisticated Social Engineering<\/h3>\n<p>Cybersecurity researchers at Jamf Threat Labs have uncovered a sophisticated new threat targeting Apple users: a Rust-based infostealer dubbed &#8220;PamStealer.&#8221; This malicious software masquerades as the popular open-source clipboard manager, Maccy, and is designed to harvest sensitive data, including login credentials and cryptocurrency wallet keys.<\/p>\n<h4>How PamStealer Operates<\/h4>\n<p>The infection vector relies on a deceptive website that mimics the legitimate Maccy download page. Once a user downloads the disk image, they are prompted to execute a malicious AppleScript file. To evade detection, the script hides its true intent by instructing users to run the code within Apple\u2019s native Script Editor.<\/p>\n<p>The malware earns its name from its unique authentication mechanism. Before exfiltrating data, it uses the macOS Pluggable Authentication Modules (PAM) to verify the victim\u2019s password. By confirming the password is correct, the attackers ensure they are harvesting valid credentials.<\/p>\n<p>Key technical features of this campaign include:<\/p>\n<ul>\n<li><strong>Stealthy Execution:<\/strong> The malware uses JavaScript for Automation and native macOS APIs, avoiding common shell utilities like <code>curl<\/code> or <code>zsh<\/code> to remain invisible to standard security monitoring tools.<\/li>\n<li><strong>Environment-Specific Encryption:<\/strong> The payload is not stored in plain text. 
Instead, the dropper generates a unique decryption key based on the host\u2019s specific hardware fingerprint (including CPU architecture, time zone, and keyboard layout), ensuring the malware only executes on the intended target.<\/li>\n<li><strong>Persistence and Exfiltration:<\/strong> Once active, the binary disguises itself as a system process like &#8220;Finder&#8221; or &#8220;Software Update,&#8221; allowing it to monitor the clipboard, scrape Keychain data, and transmit stolen information to a remote command-and-control (C2) server.<\/li>\n<\/ul>\n<h4>The &#8220;Delayed Prompt&#8221; Strategy<\/h4>\n<p>A particularly concerning aspect of this malware is its use of social engineering to gain elevated privileges. Roughly 40 minutes after the initial infection, the malware triggers a fake system alert requesting &#8220;Full Disk Access.&#8221; By delaying this request, the attackers hope the user will have forgotten the initial download, making them more likely to grant the permissions. If successful, this grants the attacker access to highly sensitive areas, including Mail, Messages, and Time Machine backups.<\/p>\n<h4>The Evolution of Malicious Advertising<\/h4>\n<p>The threat landscape is shifting toward the abuse of trusted advertising platforms. Jamf Threat Labs recently identified a campaign on X (formerly Twitter) involving a sponsored ad for &#8220;DynamicLake.&#8221; This ad directed users to a malicious site that instructed them to run commands in the Terminal.<\/p>\n<p>&#8220;We are seeing attackers move beyond traditional phishing,&#8221; noted Jaron Bradley, Director of Jamf Threat Labs. 
&#8220;By purchasing<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In brief Jamf Threat Labs identified a new Rust-based macOS infostealer posing as the Maccy clipboard manager. The malware validates victims&#8217; passwords through macOS PAM before stealing them. Researchers also spotted ClickFix-style malware delivered through a sponsored advertisement on X. 
Mac users searching for the open-source clipboard manager Maccy are being targeted by a fake<\/p>\n","protected":false},"author":55,"featured_media":9909,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ai_generated_summary":"","wpai_meta_description":"","footnotes":""},"categories":[5],"tags":[36,501],"class_list":["post-9908","post","type-post","status-publish","format-standard","has-post-thumbnail","category-crypto","tag-mixtv","tag-technology"],"a3_pvc":{"activated":true,"total_views":3,"today_views":3},"_links":{"self":[{"href":"https:\/\/www.mixtv1.com\/index.php\/wp-json\/wp\/v2\/posts\/9908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mixtv1.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mixtv1.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mixtv1.com\/index.php\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mixtv1.com\/index.php\/wp-json\/wp\/v2\/comments?post=9908"}],"version-history":[{"count":1,"href":"https:\/\/www.mixtv1.com\/index.php\/wp-json\/wp\/v2\/posts\/9908\/revisions"}],"predecessor-version":[{"id":9914,"href":"https:\/\/www.mixtv1.com\/index.php\/wp-json\/wp\/v2\/posts\/9908\/revisions\/9914"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mixtv1.com\/index.php\/wp-json\/wp\/v2\/media\/9909"}],"wp:attachment":[{"href":"https:\/\/www.mixtv1.com\/index.php\/wp-json\/wp\/v2\/media?parent=9908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mixtv1.com\/index.php\/wp-json\/wp\/v2\/categories?post=9908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mixtv1.com\/index.php\/wp-json\/wp\/v2\/tags?post=9908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}