macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox
A sophisticated Rust-based macOS implant named macOS.Gaslight has been discovered, featuring a novel 3.5 KB prompt-injection payload containing 38 fabricated system messages designed to disrupt LLM-assisted malware analysis. The backdoor communicates via Telegram Bot API with AES-GCM encrypted payloads over certificate-pinned TLS and includes self-redaction capabilities to hide its bot token from logs. It provides operators with an interactive shell, system information collection, and credential stealing capabilities through a bundled Python script that targets browser data, keychains, and command histories. The implant uses runtime-fetched CPython interpreters and establishes persistence through a LaunchAgent masquerading as an Apple system service. This threat is assessed with high confidence to be aligned with DPRK activity and represents a significant evolution in adversarial techniques targeting security analysts rather than sandbox environments.
AI Analysis (machine-generated threat intelligence)
Technical Summary
macOS.Gaslight is a Rust-based implant for macOS that employs a novel prompt-injection payload containing fabricated system messages to interfere with LLM-assisted malware analysis. It uses encrypted communications over Telegram Bot API with certificate pinning and self-redaction to conceal its bot token. The implant offers operators an interactive shell, system reconnaissance, and credential theft capabilities via a Python script that targets sensitive user data such as browser credentials, keychains, and command histories. It dynamically fetches CPython interpreters at runtime and maintains persistence through a LaunchAgent disguised as an Apple system service. The threat is assessed with high confidence as DPRK-aligned and marks a significant advancement in adversarial tactics aimed at analysts rather than traditional sandbox environments.
Potential Impact
The implant enables attackers to gain interactive shell access, collect detailed system information, and steal sensitive credentials including browser data and keychain items. Its encrypted and certificate-pinned communications reduce detection likelihood. The prompt-injection payload is designed to mislead and disrupt analysis by security researchers using large language models. Persistence mechanisms allow long-term presence on infected macOS systems. The attribution to DPRK-aligned actors indicates a high level of sophistication and targeted threat activity. There are no known exploits in the wild reported at this time.
Mitigation Recommendations
No official patch or remediation is currently available for this threat. Since this is a malware implant rather than a software vulnerability, mitigation focuses on detection and removal. Security teams should monitor for indicators of compromise such as the provided file hashes and suspicious LaunchAgent entries masquerading as Apple system services. Network monitoring for unusual Telegram Bot API traffic may assist in detection. Given the advanced evasion techniques, use of endpoint detection and response (EDR) solutions with behavioral analysis is recommended. Patch status is not yet confirmed — check vendor advisories and threat intelligence sources for updates.
Indicators of Compromise
- hash: 5555494492fc075f441637fb9d894913dde3a2ea
- hash: 6328567511d88fdc2ae0939c5ef17b7a63d2a833881900de018a4f12f4982525
- hash: 77b4fd46994992f0e57302cfe76ed23c0d90101381d2b89fc2ddf5c4536e77ca
- hash: b3c56d689414343589f38394d19ba2fe9a518133281200faa0556ba4e4136394
- hash: baabf249c77bc54c54ab0e66e15af798bd28aa5b4683554456a8b73ab8741239
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/
- Adversary: DPRK-aligned
- Pulse Id: 6a3b512d529a1b06d095af2b
- Threat Score: null
Threat ID: 6a3c168aeed863c81e352e53
Added to database: 06/24/2026, 17:40:26 UTC
Last enriched: 06/24/2026, 17:54:15 UTC
Last updated: 06/24/2026, 18:25:51 UTC