IOC Radar
TLP:WHITE · 3 IOCs

PamStealer macOS Infostealer Uses Rust Payload to Validate and Steal Passwords

Cyber Press
Published July 3, 2026

Diamond Model

Axes: Social, Technology
Adversary: unknown
Infrastructure (3): maccyapp.com, https://avenger-sync.…, ethereum-rpc.publicno…
Capability: unknown
Victim: unknown

Attack Flow (10 steps · MITRE ATT&CK mapped)

Step 1/10: Initial Access (TA0001) · T1566 Phishing
Action: Deliver malicious disk image
The malware is distributed via a disk image containing a malicious AppleScript file named Maccy.scpt, hosted on a typosquatting domain.

Indicators of Compromise (3)

| Type | Indicator | Tags | Confidence | Score | First Seen |
|---|---|---|---|---|---|
| Domain | maccyapp.com | exploit, intel-blog, malware | High | 69 | Jun 3, 26 |
| URL | https://avenger-sync.live/api/sync | c2, exfiltration, intel-blog | High | 58 | Jul 3, 26 |
| Domain | ethereum-rpc.publicnode.com | indicator, intel-blog, network | High | 58 | Jul 3, 26 |

IOC Relationship Graph: 3 total IOCs (2 domains, 1 URL) linked to this report