SentinelOne's SentinelLABS analyzed a Rust-based macOS implant dubbed macOS.Gaslight and reported that its operators embedded prompt injection aimed not at the sandbox but at the analyst's own LLM-assisted analysis tools. Beyond stealing data, the malware is notable for trying to 'talk' an AI's initial review into aborting or refusing.
macOS Threat Intelligence · SentinelOne Labs
macOS.Gaslight: The First State-Linked Malware Built to Gaslight the Analyst's AI
A Rust macOS backdoor attributed with high confidence to the DPRK-linked "BONZAI" cluster pairs routine data theft with a novel twist — a prompt-injection payload aimed not at the sandbox, but at the LLM tools that triage it.
38
fake "system" messages spoofing an LLM triage harness
0/61
static engine detections on first upload (May 22)
3.5KB
Markdown block carrying the injection payload
Prompt-injection scale vs. prior art
Earlier proofs-of-concept embedded a single injection. Gaslight stacks a full cascade of harness-spoofing messages — a step change in scale.
1
prior Windows PoC (2025)
38
macOS.Gaslight (this case)
Fake warnings mimic token expiry, OOM, disk exhaustion & injection flaws — using a {{DATA}} token to feign hand-off and make AI pipelines abort or misclassify.
Attack toward "the agent's perception"
Implant sample
Rust Mach-O captured for triage
→
Analyst's LLM
reads the 38 fake harness messages
→
Triage aborts
refusal or misclassification
Technical profile
C2 channel
Telegram Bot API — AES-GCM, cert pinning, getUpdates poll loop
Persistence
com.apple.system.services.activity
Data theft
Browsers, Keychain, terminal history, process & system data via staged CPython 3.10.18
Attribution
DPRK-linked cluster BONZAI (high confidence)
Why it's notable
An evolved technique that targets analysts' LLM tools directly — a 38-message harness-spoofing cascade seen as unique to this case.
Its limits
Theft routines are routine; despite static evasion it was caught by behavioral analysis and XProtect hash detection. AI evasion isn't flawless — a warning to keep a manual verification layer.
Continue reading The rest of this article is for AI News Blitz readers. Choose an option below to keep reading.
Already purchased? Sign in ✓ Signed in — this article isn’t included in your current plan.Unlocking the full article…