New macOS Malware Aims to Empty Cryptocurrency Wallets
- Apple users who store or manage cryptocurrencies are facing a new cybersecurity threat. Researchers from Jamf Threat Labs, the cybersecurity research team, have discovered a campaign distributing a fake version of the open-source application Maccy, aimed at installing PamStealer, malware designed to steal passwords, credentials, and keys from cryptocurrency wallets.
According to the firm's report, attackers use a website that mimics the official Maccy site, a free clipboard manager for macOS, to convince victims to download a malicious disk image. When the file is opened, it displays instructions to run it from the Apple Script Editor while keeping the malicious code hidden that initiates the infection.
Once on the system, the malware verifies the user's login password using the Pluggable Authentication Modules (PAM) of macOS. It then downloads a second payload developed using native tools of the operating system, a technique that reduces the chances of being detected by security programs.
The malware also generates a key based on device information, such as processor architecture, regional settings, keyboard layout, and time zone. This key unlocks an encrypted configuration containing the necessary instructions to continue the attack.
If the infection is successful, the malware can steal passwords stored in browsers, data from the macOS keychain, information copied to the clipboard, and credentials related to cryptocurrency wallets. Additionally, it establishes persistence on the machine and sends the stolen data to a remote server via encrypted communications.
As part of the attack, the program also displays a fake window to a file explorer requesting full disk access. Notably, this prompt can appear up to 40 minutes after installation, making it difficult for the user to associate the request with the initial download. If permission is granted, the malware gains access to protected information, including emails, messages, and Time Machine backups.
The firm explained that this type of campaign primarily relies on social engineering. According to Jaron Bradley, director of Jamf Threat Labs, cybercriminals purchase ads on platforms like Google Ads and X to direct users to fake pages that appear to offer legitimate applications. The company added that it recently detected another sponsored ad on X distributing a variant of the Atomic Stealer malware through a verified account, increasing the credibility of the deception.
Although the company stated that it has not yet found evidence of PamStealer being actively used, it has already notified Apple of its findings. So far, the company has not issued any public comments on the case.
Researchers conclude that this campaign reflects a growing trend among cybercriminals: disguising malware as legitimate software and leveraging trusted platforms to distribute it. A report from the research firm TRM Labs indicated that in 2026 there was an increase in the number of attacks, with total losses of USD 972 million, as reported by CriptoNoticias.
For cryptocurrency users, these threats pose a significant risk, as the theft of credentials or wallet keys can lead to irreversible loss of digital funds.
Disclaimer: This content is provided for general branding and informational purposes only and doesn't constitute financial, investment, legal, or tax advice. Any events, rewards, online events, or related information mentioned herein should not be considered a recommendation, solicitation, or invitation to purchase, sell, trade, or otherwise deal in any crypto assets or to use any services. Crypto assets are highly volatile and may result in loss. WEEX services and online events may not be available in all regions and are subject to applicable laws, regulations, and eligibility requirements. You are responsible for ensuring that your use of WEEX services complies with local laws and for carefully assessing the risks before participating in any crypto-related activities.
You may also like

What is SCEX? The Cryptocurrency Exchange for Vietnam's Market by Sacombank

Major Update for ChatGPT: Cross-Platform Functionality, One-Click Website Creation, and Lower Costs

BTC Challenges 64,000 After Breaking 63,000, Market Trading 'Manageable Risks'

As the Bubble Bursts, Who Dominates Attention in the AI Era? A 2026 Guide to Influential AI KOLs in China and the UK

Old Money in Crypto Shifts: Paradigm Raises $1.2 Billion, Half Bet on AI and Robotics

Bitdeer unveils $36M Nevada factory to shake up Bitcoin mining

Perplexity Fine-Tuned a Chinese AI Model to Match Claude Opus 4.8 at One-Third the Cost

Bank of Korea defends bank-first stablecoin plan amid bill deadlock

JPMorgan says bitcoin's main risk isn't Strategy, but blockchain adoption that doesn't benefit public chains and tokens

Fear & Greed Index Today: What Extreme Fear Means for Crypto, Stocks and Gold

Labour MPs Push to Make UK Crypto Donation Ban Permanent

Supreme Court ruling expanding Trump's authority over federal agencies raises questions for SEC, CFTC as crypto rulemaking advances

'Bottom building in progress': Analysts say bitcoin holder capitulation signals late-stage bear market

A Comprehensive Analysis: Starting from 1996, Who is Laying the Foundation for the Next Generation of Capital Markets

Luke Dashjr, the Biggest Anti-Spammer of Bitcoin, Inscribed Phrases on the Network in 2011

Whales bought 270,000 BTC while ETFs bled $7 billion. One side is wrong

The crypto IPO class of 2025-26 is down as much as 89%. Autopsy of a listing boom

Robinhood Chain Mining Guide: A Comprehensive Tutorial from Cross-Chain to Memecoin

BitGo CEO says single-digit percentages of bitcoin's supply are 'probably right' for large holders amid Strategy's sale

Beyond Private Keys: How to Safeguard the Security Boundaries of Web3 from Wallets, L2 to Supply Chains?

Vanguard Enters the Market, Opening a New Crypto Gateway for 50 Million Traditional Investors

Why the OUSD Alliance of 150 Companies Still Cannot Shake USDT and USDC?

Citigroup Analysis: Is There Still 47% Upside for Nvidia? Can Rubin and CPO Deliver?
WEEX API Fast Connect: Turn Every Sign-In Into a Live Trader in Under 10 Seconds
WEEX API Fast Connect is a one-click OAuth authorization system that lets your users link their WEEX account without ever touching an API key. Frictionless onboarding, faster conversions, higher retention — built for WEEX Broker partners.

Bitcoin's dwindling exchange reserves don't pack the same bullish punch anymore

From Le Mans to the Rollercoaster: Carl Moon Takes On Portimão
Crypto world renowned KOL and racing driver Carl Moon, backed by WEEX, heads to the Ferrari Challenge Portugal round at the Algarve International Circuit, July 16–19, fresh off a podium finish at Le Mans. Here's why this race is one to watch.
Fast execution. Split-second accuracy. Security that never blinks. That's WEEX — and that's exactly how Carl races.

The Downfall of a Public Company: A $1.46 Billion Bet on WLFI, $540 Million Went to the Trump Family

Dragonfly Partner: BTC is Intergenerational Wealth, Optimistic About ETH and SOL

Goldman Sachs Calls to Go Long on Chinese AI: $4 Trillion Market Value Behind, Global Funds Only Allocated 1.2%













