Close Menu
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) Instagram Threads
Ransomnews
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) LinkedIn
Ransomnews
AI

macOS.Gaslight: malware that prompt-injects your SOC

Martynas VareikisBy Martynas VareikisJuly 16, 2026No Comments8 Mins Read15 Views
Share Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
macOS.Gaslight: malware that prompt-injects your SOC, ransomnews.com
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

SentinelLABS has analysed macOS.Gaslight, a Rust macOS backdoor that hides a 3.5 KB prompt-injection payload of 38 fabricated “system” messages designed to steer an LLM-assisted malware-triage pipeline into aborting or refusing its analysis. Under the injection sits a conventional credential stealer, an interactive shell, and a hardened Telegram command-and-control channel. Researcher Phil Stokes disclosed the sample on June 23, 2026, and attributes it with high confidence to a North Korea-aligned cluster. It is the first widely reported implant built to attack the analyst’s AI, not the sandbox it runs in.

The technique matters because AI-assisted triage is now sitting in the reverse-engineering loop at most SOCs and vendors. macOS.Gaslight does not try to defeat a sandbox or a debugger in the usual way. It targets the perception of the LLM agent reading the sample, feeding it counterfeit failure messages so the model doubts its own session and stops. This piece breaks down how the injection works, what the malware does underneath it, why attribution points to Pyongyang, and what teams running AI-assisted analysis should change.

// KEY FACTS

Threat actor
”DPRK-aligned
Victim
”AI-assisted · ”Cybersecurity,
Data claimed
”3.5 · ”Keychain,
Ransom status
”Not
Verification
”Analysed

What is macOS.Gaslight?

macOS.Gaslight is a Rust-based macOS implant and infostealer whose defining feature is an embedded cascade of fake system-failure messages aimed at an AI triage agent rather than a human analyst or a sandbox. SentinelLABS named the family for that behaviour: it tries to gaslight the model into believing its own analysis run has failed. An early June Apple XProtect update surfaced the Mach-O sample, which had been uploaded to VirusTotal on May 22, 2026. The binary is ad-hoc signed, carries the identifier endpoint-macos-aarch64-5555494492fc075f441637fb9d894913dde3a2ea, and at the time of SentinelLABS’ write-up remained undetected by static engines on VirusTotal.

Underneath the novelty it is a capable espionage tool. It bundles a gated Python stealer that copies the login keychain, browser data from Chrome, Brave, Firefox, and Safari, terminal command histories, an installed-application listing, a running-process snapshot, and a full system profile. It persists as a LaunchAgent masquerading in Apple’s own com.apple.* namespace, and it exfiltrates over an encrypted Telegram channel. This is the tradecraft behind most modern infostealer campaigns. What is new is the wrapper.

How does the prompt injection work?

The implant carries a 3.5 KB Markdown-fenced blob of hostile data containing 38 fabricated “system” messages, delimited with {{DATA}} tokens. Those tokens and the surrounding Markdown fence mimic the prompt scaffold of an LLM triage harness, deliberately blurring the line between untrusted sample data and trusted instructions. When an AI agent ingests the binary’s strings and passes them into a model, the injected block reads like the harness talking to itself.

The content is chosen to make the model give up. The scaffold plants fake messages about token expiry, out-of-memory kills, disk exhaustion, and repeated operation failures, plus bogus warnings about injection vulnerabilities and static-analysis flags. The aim, in SentinelLABS’ words, is to push an LLM agent into aborting, truncating, or refusing analysis. If the model believes its session is broken or that the sample is too dangerous to continue on, it stops before it reaches the stealer and the C2 logic. This is indirect prompt injection turned against the defender, the same class of attack we mapped for application developers in our prompt injection defender’s playbook, but pointed at the security team’s own tooling.

Is this the first analyst-targeting prompt injection?

No, but it is the most developed one documented so far. Check Point publicly described this class of attack in 2025 with a Windows proof of concept that used a single direct-instruction injection to evade AI-based detection. Since then, Socket documented a Hades supply-chain payload whose stealer opens with a fake prompt-injection header, and the leaked Shai-Hulud code carried an “Anthropic Magic String” meant to stop Claude Code from analysing it. Each of those relied on a single injected block or header. macOS.Gaslight escalates to a 38-message cascade that spoofs the entire harness, which is a meaningful step up in effort and sophistication.

There is a second AI tell in the sample, and it points the other way. The bash installer that stages the Python interpreter carries heavy emoji use and rigid comment headers consistent with LLM-generated output. In other words, the operators appear to be using AI to write parts of their malware while also building payloads specifically to defeat AI defenders. Both sides of the loop are being automated at once.

What does the malware do underneath?

Command-and-control runs over a Telegram Bot API polling loop, with all payloads encrypted using AES-GCM and a fresh per-message nonce. The implant configures a custom certificate trust anchor and calls SecTrustSetAnchorCertificatesOnly, pinning TLS trust so a standard proxy CA cannot intercept the traffic, while still honouring the host’s system proxy so it works inside managed enterprise networks. After the bot token validates, the operator gets an interactive shell with six verbs: help, id, shell, kill, upload, and stop, with hints of a seventh (focus) that SentinelLABS could not fully recover.

Two operational-security touches stand out. The implant creates an IOPMAssertionCreateWithName power assertion to stop the machine sleeping, sustaining long-running collection across idle periods. And it self-redacts its own Telegram bot token in any runtime output: when the URL path segment is the literal “file”, the constructor substitutes the token with the placeholder file/token:redacted, denying the live credential to anyone who captures logs or crash artifacts. SentinelLABS notes that runtime self-redaction like this appears novel relative to prior Telegram-abuse reporting, where tokens are usually recoverable.

Why is this attributed to North Korea?

SentinelLABS assesses with high confidence that macOS.Gaslight sits within a cluster of DPRK-aligned macOS activity. Apple’s XProtect detects the sample under the rule MACOS_BONZAI_COBUCH, and SentinelLABS ties the BONZAI signature family to North Korean threat activity. A sibling BONZAI sample is additionally caught by Apple’s AIRPIPE rule, another family the team links to the same actor set. The keychain-and-browser collection pattern also matches earlier DPRK-associated macOS stealers, including the Atomic macOS Stealer lineage and a 2023 Rust stealer that targeted the same login.keychain-db file.

What should defenders do?

Treat every sample as adversarial input to your AI, never as instructions. Any team running LLM-assisted triage should isolate sample strings from the model’s instruction context, strip or neutralise Markdown fences and harness-like delimiters before they reach the prompt, and never let raw sample content occupy the same trust level as the system prompt. If your pipeline can be talked out of finishing by text inside the file it is analysing, it is not ready for hostile samples. SentinelLABS’ guidance is blunt: be prepared to keep hostile content out of the model entirely.

On the endpoint, the conventional controls still apply. Hunt for the LaunchAgent label com.apple.system.services.activity, watch for unexpected outbound Telegram Bot API traffic, and alert on processes reading login.keychain-db alongside browser credential stores. The indicators of compromise are published in SentinelLABS’ write-up. The larger point is strategic: as AI-assisted analysis becomes routine, expect more samples engineered to exploit it, and design the pipeline on the assumption that attackers know it is there.

Frequently asked questions

What is macOS.Gaslight?

macOS.Gaslight is a Rust macOS backdoor and infostealer disclosed by SentinelLABS in June 2026. Its signature feature is a prompt-injection payload of 38 fake system messages meant to make an AI-assisted malware-triage agent abort its analysis.

How does macOS.Gaslight defeat AI analysis?

It embeds a 3.5 KB block of fabricated “system” messages using {{DATA}} tokens and Markdown fences that mimic an LLM triage harness. The fake failures about token expiry, memory, and disk push the model to truncate or refuse the analysis before reaching the malicious code.

Who is behind macOS.Gaslight?

SentinelLABS attributes it with high confidence to a North Korea-aligned cluster, based on Apple XProtect BONZAI-family signatures and collection patterns that match earlier DPRK-associated macOS stealers.

What data does macOS.Gaslight steal?

A gated Python module copies the macOS login keychain, browser data from Chrome, Brave, Firefox, and Safari, terminal command histories, installed applications, a process snapshot, and a full system profile, then exfiltrates them over an encrypted Telegram channel.

Is analyst-targeting prompt injection new?

The idea was demonstrated by Check Point in 2025 and appeared in the Hades and Shai-Hulud payloads, but those used a single injected block. macOS.Gaslight is the first documented case of a full 38-message cascade spoofing an entire triage harness.

How do I protect an AI-assisted triage pipeline?

Treat sample content as untrusted data, never instructions. Separate sample strings from the model’s system prompt, neutralise harness-like delimiters, and be ready to exclude hostile content from the model entirely.

Sources and further reading

  • SentinelLABS: macOS.Gaslight, Rust backdoor turns prompt injection on the analyst, not the sandbox
  • The Hacker News: New Gaslight macOS malware uses prompt injection to disrupt AI-assisted analysis
  • BleepingComputer: New macOS malware embeds fake errors to confuse AI analysis tools
  • Ransomnews: Prompt injection: the 2026 LLM defender’s playbook
  • Ransomnews: Agentic AI threats: how MCP becomes an attack chain
Share. Facebook Twitter Pinterest LinkedIn Tumblr Telegram Email Copy Link
Previous ArticleThe Gentlemen weaponised a Kontron driver to kill EDR
Next Article Shadow AI is the new stealer-log jackpot in 2026
Martynas Vareikis

Martynas Vareikis is the AI Editor at Ransomnews. He covers the intersection of artificial intelligence and information security — from machine-learning models in defensive tooling to the adversarial use of LLMs by ransomware operators, deepfake-driven social engineering, and the rise of agentic threats. His reporting focuses on translating fast-moving AI research into practical guidance for defenders, journalists, and the broader security community. Reach Martynas via [email protected].

Related Posts

Vibe coding is shipping vulnerabilities at scale in 2026

July 16, 2026

Prompt injection left the lab in 2026. It is in the wild now

July 16, 2026

Shadow AI is the new stealer-log jackpot in 2026

July 16, 2026

Comments are closed.

Facebook X (Twitter) LinkedIn
© 2026 Ransomnews.com

Type above and press Enter to search. Press Esc to cancel.

Cookies on Ransomnews

We use strictly-necessary cookies to run the site and may use first-party analytics to understand which articles are read. Some pages contain affiliate links — when you click one, the affiliate network sets cookies on the merchant's domain to attribute the referral. See the Cookie Policy and Affiliate Disclosure for detail.

RANSOMNEWS.COM

Tracking the criminal infrastructure of the internet.

Independent coverage of ransomware, breach economics, threat actors, privacy, AI security, and the open-source investigation toolkit.

// Topics

  • News
  • Security
  • Privacy
  • Cybercrime
  • AI
  • OSINT
  • Threat Groups
  • Stealer Logs
  • Ransomtracker
  • Stealercheck
  • FortiBleed Checker

// Site

  • About Us
  • Editorial Team
  • Contact
  • Tip Line
  • Editorial

// Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Funding & Independence
  • RSS Feed
© 2026 Ransomnews.com · Tracking the criminal infrastructure of the internet.