Jamf Threat Labs found a new macOS infostealer, PamStealer, that impersonates Maccy, a popular open-source clipboard manager, through a fake website. Victims download what looks like a Maccy installer but is a malicious AppleScript that quietly fetches a Rust-based stealer. Its standout trick is how it grabs the login password: it shows a native-looking prompt saying "Maccy wants to make changes" and validates whatever the user types against macOS's own Pluggable Authentication Modules, so it only keeps a confirmed-correct password and avoids the noisy process calls other stealers make. The second stage hides as Finder, encrypts its traffic, and delays its Full Disk Access request to avoid suspicion.
Sygnia has detailed Operation Highland, a campaign in which the China-linked group Velvet Ant hid inside the Linux authentication stack itself for close to a decade, with traces back to 2016. Instead of dropping detectable malware, the attackers replaced the trusted PAM login module (pam_unix.so) and OpenSSH binaries with backdoored versions, found in nine distinct variants. Some accepted a hardcoded secret password; others silently logged real usernames, passwords, and every command typed, with a hidden switch to turn logging off. Because login programs are trusted and rarely inspected, the activity looked like normal administration and evaded scanners on a network with no direct internet access.
Group-IB and Flare disclosed PamDOORa, a new Linux backdoor for sale on the Russian-speaking Rehub cybercrime forum at $900 (down from $1,600). PamDOORa hijacks the Linux Pluggable Authentication Module (PAM) framework that handles SSH logins - so it intercepts every legitimate user's password as they authenticate, before any application-level logging fires. The backdoor injects a malicious pam_linux.so module into the authentication stack rather than replacing files. It also tampers with lastlog, btmp, utmp, and wtmp to erase attacker login traces - meaning incident response teams who SSH in to investigate will have their own credentials silently stolen. Group-IB notes the abuse method is not yet in MITRE ATT&CK.