SentinelLabs has published an analysis of macOS.Gaslight, a Rust-based implant assessed with high confidence to be part of a cluster of North Korea-aligned macOS malware activity. The implant, discovered in early June 2026, combines credential theft, persistent shell access, and a novel technique that uses prompt-injection to mislead LLM-based malware analysis tools into returning clean verdicts.
What Happened
macOS.Gaslight achieves persistence via a LaunchAgent configured with the label com.apple.system.services.activity, masquerading as a legitimate Apple system process. The implant communicates with operators through the Telegram Bot API using AES-GCM-encrypted payloads, and uses certificate pinning to prevent traffic inspection. A bundled Python stealer harvests credentials from Chrome, Firefox, Safari, and Brave browsers, collects terminal history files, and dumps the macOS login keychain. CPython 3.10 is fetched at runtime from a public package repository to run the stealer component without embedding the interpreter in the malicious binary.
The technique that distinguishes macOS.Gaslight from prior DPRK macOS tooling is a 3.5-kilobyte blob of fabricated system messages embedded in the binary. The blob contains 38 fake log entries including simulated memory errors, token expiration warnings, and build failure messages, constructed to resemble benign developer output. When an LLM-assisted analysis tool processes the binary and encounters these strings, SentinelOne observed it concluding the file was a legitimate development artifact and aborting further analysis. SentinelOne advises security teams to treat any content embedded in analyzed samples as potentially adversarial input rather than factual context.
Why It Matters
macOS.Gaslight represents an early instance of threat actors building prompt-injection as a defensive capability directly into malware rather than using it as an offensive attack vector against victims. As security operations centers expand use of LLM-assisted triage for initial malware review, the viability of AI-targeted evasion becomes a direct operational risk. A tool that returns a clean verdict on a malicious binary removes it from analyst queues and extends dwell time.
What Defenders Should Do
Monitor macOS endpoints for LaunchAgent entries that use Apple-namespace label patterns but were not installed by Apple software update. Network controls should alert on or block Telegram Bot API connections originating from enterprise endpoints, which are not consistent with legitimate business use on managed systems. When applying AI-assisted malware analysis, cross-validate verdicts with static analysis and sandboxing tools that do not process embedded string content as contextual instructions. SentinelOne has published full indicators of compromise for macOS.Gaslight including file hashes and the malicious LaunchAgent identifier.
For additional coverage of sophisticated enterprise-targeted backdoor campaigns, see CyberTech’s report on KongTuke Access Broker deploying the Mistic backdoor across insurance and IT sectors.
Source: SentinelOne Labs