Gaslight macOS Malware Evades AI Security Analysis With Prompt Injection
Key Takeaways A new macOS malware, dubbed “Gaslight,” employs prompt injection to evade AI-driven security analysis tools. Attributed to North Korean threat actors, Gaslight is written in...
Key Takeaways
- A new macOS malware, dubbed “Gaslight,” employs prompt injection to evade AI-driven security analysis tools.
- Attributed to North Korean threat actors, Gaslight is written in Rust and focuses on data exfiltration and backdoor functionality.
- The malware embeds 38 deceptive system messages to trick AI agents into prematurely terminating analysis.
- Apple has updated its XProtect built-in detection, and 29 security vendors on VirusTotal now flag the threat, though code variations remain a risk.
- Organizations should combine AI-powered security with traditional detection methods to counter evolving evasion techniques.
Emergence of Gaslight: A New macOS Threat
A novel macOS malware, identified as Gaslight, has emerged, introducing an unprecedented evasion technique designed to circumvent AI-powered security systems. This sophisticated threat, developed in Rust and linked to North Korean state-sponsored hacking groups, distinguishes itself not merely by its data theft capabilities but by its active efforts to mislead AI analysis.
Table Of Content
Apple has responded swiftly to this new threat. In early June, the company updated XProtect, its native macOS malware detection feature, with a specific rule to identify and block Gaslight. By June 30, a significant number of security vendors—twenty-nine in total—were flagging the malicious file on VirusTotal. However, the modular nature of the malware means that attackers can still modify its code to bypass current detection mechanisms.
Researchers at Moonlock have been closely monitoring the Gaslight campaign, noting its alignment with broader patterns of North Korean cyber operations targeting Mac users. These threat actors frequently employ social engineering tactics, impersonating recruiters, game developers, or software testers to trick victims into downloading infected files. In a report shared with Cyber Security News (CSN), SentinelOne said in a report that it named this malware Gaslight, attributing it to North Korean entities based on distinct coding styles and infrastructure choices.
Upon successful installation, Gaslight is capable of exfiltrating sensitive data, including browser histories from Chrome, Brave, Firefox, and Safari, terminal command logs, lists of installed applications, and the encrypted macOS keychain file, which stores passwords. Furthermore, it establishes a backdoor, enabling attackers to issue commands and deploy additional payloads to compromised systems.
Gaslight’s Prompt Injection Mechanism
What truly sets Gaslight apart is its innovative method of concealment rather than its specific data exfiltration targets. The malware incorporates thirty-eight fabricated system messages, embedded as plain text, meticulously crafted to mimic the diagnostic outputs typically generated by AI security tools during their scanning processes.
These deceptive messages include phrases such as “token logic seems flaky,” “connection timeout,” and the succinct “Crash.” The primary objective is to deceive an AI agent into believing that an internal error has occurred, thereby prompting it to prematurely halt its analysis and fail to flag the file as malicious.
Crucially, the AI systems themselves are not technically compromised. Instead, the malware exploits how these tools interpret textual data—a technique that, until now, has largely remained in the realm of theoretical discussion. This evasion method is particularly concerning given the increasing reliance on AI-driven security agents like SentinelOne Singularity, Claude Code, and CrowdStrike Falcon for automated Mac threat detection, especially within corporate environments.
Technical Deep Dive into Gaslight
Despite its relatively small size of 2.24 MB, Gaslight is a potent piece of malware. It leverages Serde, a legitimate Rust framework, to load configuration data that dictates the behavior of its various modules.
Embedded within the main executable is a 6.6 KB Python script, base64-encoded, which is responsible for the actual data exfiltration. A separate, approximately 2 KB bash installer script is designed to fetch and execute this Python script after being downloaded from the attackers’ command-and-control (C2) servers.
For C2 communications, Gaslight utilizes a Telegram bot. This communication channel is secured using AES-GCM encryption and configured with a custom certificate, allowing it to bypass standard network inspection. The bot’s access token is also self-redacted, complicating traffic analysis for security researchers, and its design ensures functionality even when operating behind enterprise proxy servers.
Notably, Gaslight deviates from typical North Korean malware campaigns by not appearing to target cryptocurrency wallets. This absence is a significant departure, given the historical focus of these groups on digital asset theft.
What You Should Do
- Exercise Extreme Caution with Unexpected Files: Be highly suspicious of unsolicited job offers, meeting software, or developer test files, as phishing remains the primary infection vector for Gaslight.
- Maintain Updated Antimalware Software: Ensure that your antimalware solutions are up-to-date and configured with real-time scanning capabilities to detect and block threats like Gaslight before they can execute.
- Implement Multi-Layered Security: For enterprises relying on AI-driven security agents (e.g., SentinelOne Singularity, Claude Code, CrowdStrike Falcon), supplement these tools with traditional detection methods. Text-based evasion tactics can undermine automated triage alone.
- Educate Users: Conduct regular cybersecurity awareness training to inform users about social engineering tactics and the importance of verifying software sources.
- Monitor Network Traffic: Implement robust network monitoring to detect unusual communication patterns, especially those involving encrypted Telegram channels or attempts to bypass enterprise proxies.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.