Gaslight macOS Malware Uses Prompt Injection to Disrupt AI Security Analysis
A newly documented macOS malware family called Gaslight is using prompt injection to interfere with AI-assisted malware analysis. The Rust-based implant hides fake system messages inside its binary in an attempt to make automated LLM triage tools stop, truncate, or refuse analysis.
The finding comes from SentinelOne, which tracks the threat as macOS.Gaslight and assesses with high confidence that it belongs to a cluster of North Korea-aligned macOS activity. The malware combines a backdoor, information-stealing capabilities, Telegram-based command and control, and an unusual analyst-targeting prompt-injection payload.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Gaslight matters because security teams increasingly use AI tools to speed up malware triage and reverse engineering. The malware does not hack those tools directly. Instead, it places hostile text where an AI analysis assistant may read it and mistake it for system-level context.
What makes Gaslight different?
Most macOS malware tries to hide from users, sandboxes, antivirus engines, or endpoint detection tools. Gaslight adds a newer twist: it tries to confuse AI systems that help analysts interpret suspicious files.
According to Moonlock, the malwareโs AI-facing trick is simple but important because automated Mac security agents are becoming more common in enterprise environments. The embedded text looks like system failures, debugging output, or analysis errors rather than obvious malware logic.
The malware contains 38 fabricated system messages in a Markdown-style block. These messages include fake warnings about token expiry, memory problems, disk issues, connection failures, and static-analysis alerts. Their goal is to make an LLM-assisted triage pipeline doubt the analysis session or stop processing the sample.
| Feature | Gaslight behavior |
|---|---|
| Platform | macOS |
| Language | Rust |
| Threat type | Backdoor and information stealer |
| Attribution | Assessed as DPRK-aligned activity |
| Command and control | Telegram Bot API polling loop |
| Notable evasion method | Prompt injection aimed at LLM-assisted analysis |
| Apple detection reference | Detected by XProtect under a BONZAI-related rule, according to SentinelOne |
How the prompt injection works
Gaslight carries a 3.5 KB block of fabricated messages that imitate the kind of internal output an LLM triage harness might process. The text uses formatting and placeholders that can blur the line between untrusted malware strings and trusted tool instructions.
The SentinelOne report says the messages are designed to push an LLM agent into aborting, truncating, or refusing analysis. That makes the technique different from traditional anti-sandbox behavior because it targets the analystโs AI workflow rather than the malware execution environment.
This is the key risk for defenders. If a security workflow copies raw strings from malware into an AI assistant without isolation, the model may treat hostile sample content as instructions. That can reduce analysis quality or cause missed findings.
- Fake token-expiration messages can make the model think its session has failed.
- Fake memory or disk errors can make the analysis appear incomplete.
- Fake static-analysis warnings can redirect attention away from the real payload.
- Markdown formatting can make the malicious text look like part of the analysis scaffold.
Gaslight also behaves like a traditional macOS stealer
The prompt-injection technique is the headline feature, but Gaslight still has familiar malware capabilities. It can maintain access through a LaunchAgent, accept operator commands, collect host information, and support file exfiltration through Telegram.
The malware also includes a base64-encoded Python collection script. Reporting from The Hacker News says the script gathers Terminal command histories, installed app listings, process snapshots, system profile data, macOS Keychain database material, and browser data from Chrome, Brave, Firefox, and Safari.
Gaslight uses Telegram as its command-and-control channel and adds operational-security protections around the bot token. The implant can redact its own Telegram token from runtime output, which makes it harder for analysts to recover the live bot credential from logs or crash artifacts.
What data can Gaslight collect?
Gaslightโs collection modules focus on the kinds of data that help attackers understand a Mac, steal account access, and continue a compromise. For businesses, developer machines and executive Macs may carry especially valuable credentials, tokens, and browser sessions.
The Hacker News notes that the Python stealer compresses collected data into an archive and uploads it through Telegram. That workflow gives attackers both an interactive backdoor and a secondary data-theft path.
| Data or capability | Why it matters |
|---|---|
| Browser data | Can expose sessions, cookies, saved credentials, and browsing context |
| Terminal history | Can reveal commands, servers, paths, and development activity |
| Installed applications | Helps attackers profile the victim and choose follow-up actions |
| Running processes | Shows active tools, security software, and user workflows |
| Keychain database material | Can support later credential theft or offline analysis |
| Interactive shell | Allows operators to run commands after infection |
Apple XProtect is part of the response
Appleโs built-in macOS defenses include XProtect, which checks apps when they first launch, when apps change, and when XProtect signatures update. Appleโs macOS malware protection documentation says XProtect can block known malware, move it to the Bin, and alert the user in Finder.
SentinelOne said an Apple XProtect update surfaced the Gaslight sample in early June and that Apple detects the sample under a BONZAI-related rule. However, the same research warned that the XProtect detection targets the file by hash, which means modified variants may require additional detection logic.

This is why endpoint security teams should not rely on a single indicator. Hash-based detection helps when the exact file appears, but malware authors can recompile or modify a sample to produce a different hash while keeping similar behavior.
Why North Korea-linked macOS malware keeps appearing
Gaslight fits a broader pattern of North Korea-aligned operations against Mac users, developers, cryptocurrency workers, and technology-sector targets. These campaigns often use social engineering instead of a visible software vulnerability.
Moonlock said attackers commonly use lures involving recruiters, game developers, software testing, and unexpected files. Those themes work because victims may expect to download projects, meeting tools, test builds, or shared archives during normal work.
The prompt-injection element also reflects a larger shift. As AI enters security operations, attackers will test whether AI-assisted tools can be manipulated with the same untrusted input they already use against users and applications.
- Fake recruiter messages can deliver malicious files to job seekers and developers.
- Fake test builds can target engineers who expect to run unfamiliar software.
- Fake collaboration files can exploit trust in remote work workflows.
- AI-assisted analysis can become a new target if tools mix malware content with trusted prompts.
How security teams should respond
Organizations should treat Gaslight as both a macOS malware issue and an AI workflow security issue. The immediate priority is to detect and block the malware, but teams also need to harden the way AI tools inspect untrusted files.
The OWASP Top 10 for LLM Applications lists prompt injection as a major LLM security risk. In malware analysis, that means defenders should assume that any text extracted from a sample could contain instructions designed to manipulate an AI assistant.

- Keep macOS and XProtect security updates enabled across all managed Macs.
- Search for the SentinelOne indicators of compromise in endpoint and telemetry data.
- Block unexpected Telegram Bot API traffic from sensitive endpoints where possible.
- Limit access to Keychain, browser data, SSH keys, cloud tokens, and developer secrets.
- Run suspicious files in isolated analysis environments instead of production Macs.
- Keep malware strings separate from system prompts in AI-assisted triage tools.
- Require human review before an AI tool stops, suppresses, or downgrades malware findings.
What Mac users can do now
Mac users should avoid opening unexpected files from recruiters, game projects, software testing offers, or unknown collaborators. This advice matters even more for developers, crypto workers, security researchers, and employees with access to sensitive corporate systems.
Appleโs XProtect guidance explains that macOS uses several built-in technologies to detect and remove malware, but users should still avoid bypassing warnings or running untrusted software manually.
- Install macOS security updates as soon as they become available.
- Download apps only from trusted sources.
- Do not run scripts or binaries sent through unsolicited messages.
- Use a password manager and avoid storing secrets in plain text files.
- Review browser extensions and remove anything unknown.
- Report suspicious recruiter or testing lures to your security team.
AI security tools need stronger input isolation
Gaslightโs most important lesson is not that AI tools are useless. It is that AI-assisted analysis tools need strict boundaries between trusted instructions and untrusted malware content.
The OWASP LLM security project warns that models can be influenced by crafted inputs. For security teams, that means malware strings, logs, binaries, websites, emails, and tool output should all count as adversarial data until proven otherwise.
Gaslight turns that theory into a practical warning for Mac defenders. Malware authors now know that analysts use LLMs, and they are beginning to write samples that speak directly to those systems. The safest response is layered defense: updated endpoint controls, careful user training, sandboxed analysis, and AI workflows that never let hostile sample text become trusted instruction.
FAQ
Gaslight is a Rust-based macOS implant tracked by SentinelOne as macOS.Gaslight. It works as a backdoor and information stealer, and it includes prompt-injection text designed to interfere with LLM-assisted malware analysis.
Gaslight embeds fabricated system messages inside the malware binary. These messages imitate analysis errors, token issues, memory failures, and other system-like output to make an AI-assisted triage tool stop, truncate, or refuse analysis if the tool treats the malware strings as trusted instructions.
SentinelOne assesses with high confidence that Gaslight belongs to a cluster of DPRK-aligned macOS activity. The attribution is based on malware clustering and related macOS threat activity.
Gaslight can collect browser data, Terminal command history, installed application lists, process snapshots, system profile data, and macOS Keychain database material. It can also provide operators with backdoor access through Telegram-based command and control.
Users should keep macOS security updates enabled, avoid running files from unexpected recruiter or testing messages, use trusted download sources, limit exposed credentials, and report suspicious lures. Security teams should also isolate AI-assisted malware analysis from untrusted sample content.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages