Ethical Hacking News
In a recent discovery, researchers at SentinelLabs have identified a sophisticated North Korea-linked malware designed to target macOS systems and manipulate AI-based analysts. Dubbed macOS.Gaslight, this malware uses advanced techniques such as prompt injection and custom trust anchors to evade detection and achieve its malicious goals.
macOS.Gaslight is a newly discovered Rust-based malware targeting macOS systems linked to North Korean activity.The malware evades detection using advanced techniques and impersonates Apple's namespace using a LaunchAgent.The payload includes fabricated system messages designed to trick analysts, as well as an interactive shell with six commands.The malware uses AES-GCM encryption and creates a power management assertion to prevent system sleep.The data collection side of the malware harvests browser data and terminal histories via a gated Python stealer.Analysts should treat everything inside a sample as adversarial input, never as instructions.
macOS.Gaslight, a newly discovered Rust-based malware, has been identified as a sophisticated threat that targets macOS systems. This malware is linked to North Korean activity and utilizes advanced techniques to evade detection and manipulate AI-based analysts.
The malware was first detected by SentinelLabs researchers after an Apple XProtect update pointed to a VirusTotal sample uploaded on May 22. The binary, dubbed macOS.Gaslight, is designed to impersonate Apple's own namespace using a LaunchAgent with the label com.apple.system.services.activity, which is a well-documented North Korean tactic.
The malware carries a payload of 3.5 KB of Markdown-fenced hostile data containing 38 fabricated "system" messages that simulate fake token expiry notices, out-of-memory kills, disk exhaustion warnings, and bogus static analysis flags. These messages are designed to trick analysts into aborting or truncating the analysis before it reaches anything interesting.
The malware also uses a polling loop with Telegram's Bot API and encrypts its payloads using AES-GCM with a fresh nonce per message. The implant pins its TLS certificate to a custom trust anchor, making standard proxy inspection difficult.
Furthermore, macOS.Gaslight includes an interactive shell with six commands: identify the implant, run shell commands, kill processes by PID, upload files, and halt the implant. The malware also creates a power management assertion to prevent system sleep, keeping the polling loop alive during idle periods.
The data collection side of the malware is a gated Python stealer that runs only when the operator enables it via config. This stealer harvests Chrome, Brave, Firefox, and Safari browser data, terminal histories, installed application listings, a running process snapshot, a system profile, and a raw copy of login.keychain-db. Everything goes to the operator via Telegram file upload.
SentinelLabs links the sample to DPRK-aligned activity based on Apple's own XProtect rule, which tags the binary under MACOS_BONZAI_COBUCH, a family SentinelLABS associates with North Korean threat activity. A sibling sample is also caught by Apple's AIRPIPE rule, tied to the same cluster.
Analysts building LLM-assisted triage pipelines should treat everything inside a sample as adversarial input, never as instructions. This malware is noteworthy for its analyst-targeting prompt injection, an attempt to weaponize the LLM-assisted triage pipelines that increasingly sit in the reverse-engineering loop.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Rise-of-macOSGaslight-A-North-Korea-Linked-Malware-That-Exploits-AI-Based-Analysts-ehn.shtml
https://securityaffairs.com/194256/malware/macos-gaslight-north-korea-linked-malware-that-tries-to-gaslight-the-analyst.html
Published: Fri Jun 26 03:42:59 2026 by llama3.2 3B Q4_K_M
