macOS.Gaslight: DPRK Rust implant attacks LLM-based malware triage

SentinelLABS published its analysis of macOS.Gaslight on June 23, 2026 — a Rust-built macOS backdoor whose distinguishing feature is a small prompt-injection payload aimed at the analyst's LLM, not at the sandbox running the sample. The implant carries a credential and session-data stealer, an interactive shell, a self-staged Python collection chain, and a hardened Telegram Bot API command channel; researcher Phil Stokes assesses it sits inside a cluster of DPRK-aligned macOS activity already tracked by Apple's XProtect under the MACOS_BONZAI_COBUCH signature.

The first sample (SHA-256 6328567511d88fdc2ae0939c5ef17b7a63d2a833881900de018a4f12f4982525) was uploaded to VirusTotal on May 22, 2026 and surfaced when an early-June XProtect update started flagging it. As of SentinelLABS' write-up, static engines on VirusTotal were still missing the file.

The prompt-injection payload

The novel piece is a 3.5 KB Markdown-fenced blob of 38 fabricated "system" messages delimited with {{DATA}} tokens. The scaffold imitates an LLM triage session that has gone wrong — token expiry, out-of-memory kills, disk exhaustion, repeated operation failures, false static-analysis findings, fake injection warnings. Embedded in the binary, it is meant to be lifted into the prompt window of an AI agent doing first-pass triage on the sample, and to nudge that agent to declare the run unrecoverable and stop.

Stokes frames the technique plainly: "Its most notable feature is an embedded cascade of fabricated system-failure messages, designed to make an LLM-assisted triage agent doubt its own session." And: "It attacks the agent's perception, rather than the sandbox it runs in."

This is the first widely-documented macOS implant we are aware of that ships a payload tuned specifically against AI-assisted malware analysis pipelines. The technique is generic — any LLM-fronted analyst tool that drops binary strings or disassembly into a prompt window without isolating untrusted content is a candidate target.

The rest of the implant

Strip the prompt-injection trick and Gaslight is still a competent macOS backdoor:

• Persistence via a LaunchAgent.
• Credential and session-data theft: browser credentials, Keychain dump, system reconnaissance.
• Interactive shell plus a self-staged Python collection chain for richer follow-on tasking.
• C2 is a Telegram Bot API getUpdates polling loop with AES-GCM payloads inside certificate-pinned TLS. The implant self-redacts its Telegram bot token in its own runtime output so log captures and crash dumps don't expose the operator's infrastructure.
• Bot token and configuration are supplied at runtime, not hard-coded — denying analysts the usual quick win of grepping the binary for the channel.

The binary identifier embedded by the build is endpoint-macos-aarch64-5555494492fc075f441637fb9d894913dde3a2ea, consistent with an aarch64 (Apple Silicon) target.

Attribution

SentinelLABS associates the BONZAI signature family that catches Gaslight with North Korea-aligned macOS activity, and notes a sibling sample additionally caught by Apple's AIRPIPE XProtect rule — another family the firm ties to the same actor cluster. The attribution is therefore a confidence claim built on signature genealogy and prior research, not an indictment or sanction — read it as "SentinelLABS attributes the cluster to DPRK," not "DPRK breached…"

Action checklist

1. Update macOS to the latest point release to pick up the XProtect signature set carrying MACOS_BONZAI_COBUCH and AIRPIPE. Apple ships XProtect updates out of band of full OS updates; verify via system_profiler SPInstallHistoryDataType | grep -i xprotect or by inspecting /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara.
2. Hunt for the documented sample by SHA-256 across EDR, MDM, and VirusTotal retrohunt: 6328567511d88fdc2ae0939c5ef17b7a63d2a833881900de018a4f12f4982525.
3. Look for the C2 pattern. Telegram Bot API traffic from a Mac endpoint (api.telegram.org, port 443) that is not the user's known Telegram client is the high-value signal — getUpdates polling sustains a roughly constant low-rate TLS conversation. Pair with the absence of a Telegram Desktop or mobile app process.
4. Triage LaunchAgents. Any unsigned, Rust-built binary persisted via ~/Library/LaunchAgents/*.plist or /Library/LaunchAgents/*.plist and dropped outside /Applications warrants a second look; the implant runs as a user-scope agent.
5. Treat AI triage outputs as untrusted when the sample is untrusted. If your malware analysis pipeline routes binary strings, disassembly, or sample metadata through an LLM, sandbox the prompt — strip control tokens, refuse Markdown fences, and require a non-LLM confirmation before declaring a sample benign. Gaslight's payload is the first public proof that the prompt window is now in scope.

Context

Two strands converge here. First, DPRK-aligned macOS tradecraft has been escalating in sophistication for two years — the BlueNoroff and Lazarus subclusters previously documented stealing Keychain credentials, deploying RustBucket and KandyKorn, and weaponizing fake job-interview lures. The MACOS_BONZAI family Apple has been catching since at least late 2025 fits that arc.

Second, prompt injection as a malware capability has been telegraphed by red-team research for a year but, until now, almost entirely as proof-of-concept work on benign files. Gaslight is the first sample we have seen where the prompt-injection blob is part of the shipped implant and is tuned for a specific analyst workflow — the LLM-fronted triage agent. Expect copycats: the technique adds tens of bytes to a binary, costs essentially nothing to integrate, and meaningfully degrades a defense pattern that more SOCs adopted over the last twelve months.

If your incident-response runbook already includes "do not trust strings in untrusted samples," extend the rule to the AI doing the reading.