Do Son 
macOS.Gaslight sample on VirusTotal Jun 23, 2026 | Image: SentinelLABS
At a glance
- Malware Family: macOS.Gaslight
- Threat Actor: High confidence DPRK-aligned (North Korea)
- Target or Victims: macOS users
- Delivery Vector: Unknown initial vector (discovered in the wild)
- Key Capabilities: Information stealing, interactive shell, LLM prompt injection
- Source: SentinelLABS
TL;DR
SentinelLABS discovered the macOS Gaslight malware. This Rust backdoor attacks security analysts using prompt injection to break AI triage tools. Furthermore, it steals browser data and passwords while hiding its communications from defenders.
Delivery
The exact initial delivery vector remains unknown. Researchers first spotted the sample on VirusTotal in late May 2026. The binary carries an ad hoc signature. It bypassed detection by standard static antivirus engines. However, Apple updated its XProtect signatures to catch the file based on its hash. The Apple system tags the file as a BONZAI variant. Security experts track the BONZAI family alongside North Korean threat groups.
Infection chain
Once executed, the macOS Gaslight malware installs a persistence mechanism. It creates a LaunchAgent that mimics a legitimate Apple system service. The malware then drops a hidden Python stealer. It downloads a standalone Python interpreter directly from a public repository. This allows the malware to run without relying on the host system configuration.
The payload contains a base64-encoded Python script. Once decoded, this script targets Chrome, Safari, Firefox, and Brave browsers. It takes a snapshot of running processes and system hardware. The script also extracts sensitive data, including login keychains and terminal histories.
Command-and-control and data exfiltration
The Rust backdoor communicates using a Telegram bot polling loop. The operators gain an interactive shell. They can execute shell commands, terminate processes, and upload files. The malware encrypts all payloads using AES-GCM over certificate-pinned TLS connections. This hides the traffic from network security tools.
Additionally, the malware deletes its own Telegram bot token from error logs. This self-redaction prevents defenders from finding the token in crash artifacts. Meanwhile, the Python stealer zips the harvested data. It then sends this archive back to the attackers over the encrypted Telegram channel.
Analyst prompt injection
The most unique feature is its attack on security tooling. The binary holds 3.5 kilobytes of fake system messages. These messages try to confuse AI-assisted analysis tools. The malware surrounds fake error messages with markdown fences. This tricks the AI into reading them as trusted system instructions.
According to a SentinelLABS analysis, the payload is “built to steer an LLM-assisted triage pipeline into aborting or refusing its analysis.” The fake messages claim that memory is full or tokens are expired. It attacks the agent’s perception rather than the sandbox environment.
Defense or detection guidance
Network defenders should monitor for unexpected Python interpreter downloads. Security teams must check for fake system services in the LaunchAgent folders. The malware uses the label com.apple.system.services.activity to hide.
Analysts building LLM tools must treat sample content carefully. The report warns that developers should treat file contents as “adversarial input, never as instructions.” Finally, keeping macOS XProtect updated will block known variants of this threat.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
