macOS.Gaslight: North Korea-Linked Malware That Tries to Gaslight the Analyst

macOS.Gaslight: DPRK Rust implant for Mac with a prompt injection payload designed to fool AI-based malware analysts.

SentinelLabs researchers spotted a Rust-based macOS implant, dubbed macOS.Gaslight, that surfaced in early June after an Apple XProtect update pointed to a VirusTotal sample uploaded on May 22. The binary was undetected by static engines at the time of writing. They named it macOS.Gaslight, and the name is earned.

“The sample is a macOS implant and infostealer written in Rust. Its most notable feature is an embedded cascade of fabricated system-failure messages, designed to make an LLM-assisted triage agent doubt its own session.” reads the report published by SentinelLabs. “It attacks the agent’s perception, rather than the sandbox it runs in. Accordingly, we dub this family macOS.Gaslight.”

The embedded payload is 3.5 KB of Markdown-fenced hostile data containing 38 fabricated “system” messages, simulating fake token expiry notices, out-of-memory kills, disk exhaustion warnings, and bogus static analysis flags.

These messages were used to trick analysts.

“What makes the sample notable is its attempt to mislead the analyst reading the output. It carries a 3.5 KB Markdown-fenced blob of hostile data containing 38 fabricated “system” messages delimited with {{DATA}} tokens.” continues the report. “The {{DATA}} tokens and the surrounding Markdown fence mimic an LLM triage harness’s own prompt scaffold, blurring the boundary between untrusted sample data and trusted instructions.”

The structure mimics the prompt scaffold an LLM triage harness uses internally, blurring the line between untrusted sample data and trusted instructions. The goal is to get the AI analyst to abort, truncate, or refuse analysis before it reaches anything interesting.

Similar prompt-injection techniques have been seen before, including Windows PoCs documented by Check Point in 2025 and supply-chain payloads like Hades and Shai-Hulud, which used simpler single-block injections rather than this more complex multi-message setup.

Command and control runs over Telegram’s Bot API in a polling loop. All payloads are encrypted with AES-GCM using a fresh nonce per message, and the implant pins its TLS certificate to a custom trust anchor, which means standard proxy inspection doesn’t work. It also reads the host’s proxy settings and routes traffic accordingly, so it still reaches the operator on networks that force outbound connections through a corporate proxy.

“When the URL path segment is the 4-byte literal ‘file’, the constructor substitutes the token that follows with the hardcoded placeholder file/token:redacted, preventing the live bot credential from appearing in any diagnostic output or error string the implant produces at runtime.” states the report.

This self-redaction routine is apparently novel. Most documented Telegram bot malware embeds recoverable tokens; here, even if you capture process logs or crash artifacts, the bot token isn’t in them. It’s only in the runtime config, which isn’t in this sample.

The operator gets an interactive shell with six commands: identify the implant, run shell commands, kill processes by PID, upload files, and halt the implant. The implant also creates a power management assertion to prevent system sleep, keeping the polling loop alive during idle periods.

The malware uses a LaunchAgent with the label com.apple.system.services.activity, impersonating Apple’s own namespace, to achieve persistence. The researchers pointed out that this is a well-documented North Korean macOS tactic.

The data collection side is a gated Python stealer that runs only when the operator enables it via config.

“A separate 2 KB base64-encoded bash installer fetches and stages a self-contained cpython-3.10.18 interpreter from the astral-sh/python-build-standalone project. The installer, a prerequisite for deploying the Python stealer, carries the literal constants PY_VERSION=3.10.18 and BUILD_DATE=20250708 and targets both arm64 and x86_64 macOS.” continues the report. “The widespread use of emojis and strict adherence to comment headers are consistent with LLM-generated output.”

Once the Python environment is staged, the stealer harvests Chrome, Brave, Firefox, and Safari browser data, terminal histories, installed application listings, a running process snapshot, a system profile, and a raw copy of login.keychain-db. Everything goes to the operator via Telegram file upload.

SentinelLABS links the sample to DPRK-aligned activity based on Apple’s own XProtect rule, which tags the binary under MACOS_BONZAI_COBUCH, a family SentinelLABS associates with North Korean threat activity. A sibling sample is also caught by Apple’s AIRPIPE rule, tied to the same cluster. The operator config schema includes Linux and GitHub fields that aren’t exercised in this sample, suggesting this binary is one component of a broader toolset built for multiple platforms.

Analysts building LLM-assisted triage pipelines should treat everything inside a sample as adversarial input, never as instructions.

“macOS.Gaslight is noteworthy for its analyst-targeting prompt injection, an attempt to weaponize the LLM-assisted triage pipelines that increasingly sit in the reverse-engineering loop.” concludes the report. “Anyone building such tooling should treat the contents of the samples they triage as adversarial input, never as instructions, and be prepared to keep hostile content out of the model entirely. As LLM-assisted analysis becomes routine, defenders should expect more samples built to exploit it.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, macOS)