home.social

#chacha20 — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #chacha20, aggregated by home.social.

  1. PamStealer: a Rust-based macOS infostealer that validates credentials through PAM

    PamStealer is a two-stage macOS infostealer distributed as a compiled AppleScript impersonating Maccy, a legitimate clipboard manager, hosted on a fake domain. The first stage uses JavaScript for Automation with Objective-C APIs to download payloads while avoiding shell commands. The second stage is a Rust-based Mach-O binary that validates stolen credentials through PAM before harvesting, reads browser databases directly using bundled SQLite, captures clipboard contents repeatedly via pbpaste, and exfiltrates encrypted data using ChaCha20-Poly1305. It establishes persistence through both modern and legacy login item APIs, masquerades as Finder or System Settings, and tricks victims into granting Full Disk Access through counterfeit alerts. The stealer contacts Ethereum RPC endpoints and employs region-based exclusions targeting Apple silicon systems while avoiding Commonwealth of Independent States countries.

    Pulse ID: 6a471de6cf9848f2ef9503c0
    Pulse Link: otx.alienvault.com/pulse/6a471
    Pulse Author: AlienVault
    Created: 2026-07-03 02:26:46

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #ChaCha20 #Clipboard #CyberSecurity #Endpoint #InfoSec #InfoStealer #Java #JavaScript #Mac #MacOS #OTX #OpenThreatExchange #RAT #RPC #Rust #SQL #bot #AlienVault

  2. PamStealer: a Rust-based macOS infostealer that validates credentials through PAM

    PamStealer is a two-stage macOS infostealer distributed as a compiled AppleScript impersonating Maccy, a legitimate clipboard manager, hosted on a fake domain. The first stage uses JavaScript for Automation with Objective-C APIs to download payloads while avoiding shell commands. The second stage is a Rust-based Mach-O binary that validates stolen credentials through PAM before harvesting, reads browser databases directly using bundled SQLite, captures clipboard contents repeatedly via pbpaste, and exfiltrates encrypted data using ChaCha20-Poly1305. It establishes persistence through both modern and legacy login item APIs, masquerades as Finder or System Settings, and tricks victims into granting Full Disk Access through counterfeit alerts. The stealer contacts Ethereum RPC endpoints and employs region-based exclusions targeting Apple silicon systems while avoiding Commonwealth of Independent States countries.

    Pulse ID: 6a471de6cf9848f2ef9503c0
    Pulse Link: otx.alienvault.com/pulse/6a471
    Pulse Author: AlienVault
    Created: 2026-07-03 02:26:46

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #ChaCha20 #Clipboard #CyberSecurity #Endpoint #InfoSec #InfoStealer #Java #JavaScript #Mac #MacOS #OTX #OpenThreatExchange #RAT #RPC #Rust #SQL #bot #AlienVault

  3. PamStealer: a Rust-based macOS infostealer that validates credentials through PAM

    PamStealer is a two-stage macOS infostealer distributed as a compiled AppleScript impersonating Maccy, a legitimate clipboard manager, hosted on a fake domain. The first stage uses JavaScript for Automation with Objective-C APIs to download payloads while avoiding shell commands. The second stage is a Rust-based Mach-O binary that validates stolen credentials through PAM before harvesting, reads browser databases directly using bundled SQLite, captures clipboard contents repeatedly via pbpaste, and exfiltrates encrypted data using ChaCha20-Poly1305. It establishes persistence through both modern and legacy login item APIs, masquerades as Finder or System Settings, and tricks victims into granting Full Disk Access through counterfeit alerts. The stealer contacts Ethereum RPC endpoints and employs region-based exclusions targeting Apple silicon systems while avoiding Commonwealth of Independent States countries.

    Pulse ID: 6a471de6cf9848f2ef9503c0
    Pulse Link: otx.alienvault.com/pulse/6a471
    Pulse Author: AlienVault
    Created: 2026-07-03 02:26:46

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #ChaCha20 #Clipboard #CyberSecurity #Endpoint #InfoSec #InfoStealer #Java #JavaScript #Mac #MacOS #OTX #OpenThreatExchange #RAT #RPC #Rust #SQL #bot #AlienVault

  4. PamStealer: a Rust-based macOS infostealer that validates credentials through PAM

    PamStealer is a two-stage macOS infostealer distributed as a compiled AppleScript impersonating Maccy, a legitimate clipboard manager, hosted on a fake domain. The first stage uses JavaScript for Automation with Objective-C APIs to download payloads while avoiding shell commands. The second stage is a Rust-based Mach-O binary that validates stolen credentials through PAM before harvesting, reads browser databases directly using bundled SQLite, captures clipboard contents repeatedly via pbpaste, and exfiltrates encrypted data using ChaCha20-Poly1305. It establishes persistence through both modern and legacy login item APIs, masquerades as Finder or System Settings, and tricks victims into granting Full Disk Access through counterfeit alerts. The stealer contacts Ethereum RPC endpoints and employs region-based exclusions targeting Apple silicon systems while avoiding Commonwealth of Independent States countries.

    Pulse ID: 6a471de6cf9848f2ef9503c0
    Pulse Link: otx.alienvault.com/pulse/6a471
    Pulse Author: AlienVault
    Created: 2026-07-03 02:26:46

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #ChaCha20 #Clipboard #CyberSecurity #Endpoint #InfoSec #InfoStealer #Java #JavaScript #Mac #MacOS #OTX #OpenThreatExchange #RAT #RPC #Rust #SQL #bot #AlienVault

  5. PamStealer: a Rust-based macOS infostealer that validates credentials through PAM

    PamStealer is a two-stage macOS infostealer distributed as a compiled AppleScript impersonating Maccy, a legitimate clipboard manager, hosted on a fake domain. The first stage uses JavaScript for Automation with Objective-C APIs to download payloads while avoiding shell commands. The second stage is a Rust-based Mach-O binary that validates stolen credentials through PAM before harvesting, reads browser databases directly using bundled SQLite, captures clipboard contents repeatedly via pbpaste, and exfiltrates encrypted data using ChaCha20-Poly1305. It establishes persistence through both modern and legacy login item APIs, masquerades as Finder or System Settings, and tricks victims into granting Full Disk Access through counterfeit alerts. The stealer contacts Ethereum RPC endpoints and employs region-based exclusions targeting Apple silicon systems while avoiding Commonwealth of Independent States countries.

    Pulse ID: 6a471de6cf9848f2ef9503c0
    Pulse Link: otx.alienvault.com/pulse/6a471
    Pulse Author: AlienVault
    Created: 2026-07-03 02:26:46

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #ChaCha20 #Clipboard #CyberSecurity #Endpoint #InfoSec #InfoStealer #Java #JavaScript #Mac #MacOS #OTX #OpenThreatExchange #RAT #RPC #Rust #SQL #bot #AlienVault