North Korea-Linked Gaslight macOS Implant Uses Prompt Injection to Disrupt AI Triage
SentinelOne has detailed Gaslight, a Rust-based macOS implant tied to North Korea-aligned actors that embeds 38 fake system messages to trick AI-assisted triage tools into aborting analysis. It runs a Telegram-based C2 shell and drops a Python stealer that lifts browser data and the Keychain.
SentinelOne Labs identified a previously unknown macOS implant called Gaslight that breaks from the usual malware playbook: it targets the analyst's toolset, not just the host. The Rust-based backdoor and information stealer embeds a block of fabricated "system" messages built to fool the large language models now integrated into many reverse-engineering and triage workflows, pushing those LLMs to halt or reject analysis of the sample. SentinelOne attributes it with high confidence to North Korea-aligned threat actors.
Gaslighting the AI, not the sandbox
Gaslight's defining tactic is a Markdown-fenced cascade of 38 fake status messages embedded in the binary: false warnings about expired tokens, out-of-memory kills, disk exhaustion, repeated operation failures, and invented injection-vulnerability and static-analysis flags. The goal is to push an LLM-assisted triage agent to question its own session and stop before reaching a real conclusion. As SentinelOne's Phil Stokes put it, "It attacks the agent's perception, rather than the sandbox it runs in." It is one of the first known cases of prompt-injection malware aimed specifically at the AI now embedded in the analysis loop, rather than at a commercial AI product.
Telegram-based C2 and an interactive shell
Gaslight talks to its Telegram bot API command-and-control server in a polling loop, letting an operator send commands through an interactive shell and receive responses. If two instances poll on the same bot token at once, Telegram returns a Conflict response and the duplicate terminates. The shell exposes six commands: help, id, shell (executes via execvp), kill (terminates a process by PID), upload (exfiltrates a file via Telegram's attach:// mechanism), and stop. SentinelOne also found traces of a seventh command, focus, whose function is still undefined.
The bot token, chat ID, and operator configuration are not hard-coded; they are supplied at runtime, and the implant redacts its own Telegram token from runtime output. Anyone who later pulls logs or crash dumps is denied the token.
The Python stealer payload
A separate 2 KB Base64-encoded bash installer drops a standalone cpython-3.10.18 interpreter from the astral-sh/python-build-standalone project, then runs a 6.6 KB Base64-encoded Python collection suite. That suite harvests Terminal command history, installed application listings, running-process snapshots, full hardware and software profiles, the macOS Keychain database (MITRE ATT&CK T1555.001), and browser data from Chrome, Brave, Firefox, and Safari. Everything is zipped into temp/collected_data.zip and sent to the Telegram C2. The bash installer and Python suite lean heavily on emoji and verbose comment headers, a strong sign the code was at least partly generated with an LLM.
Persistence
Gaslight keeps its hold on the host through a LaunchAgent whose .plist uses the label com.apple.system.services.activity, chosen to blend in with legitimate Apple system services.
The Takeaway
Gaslight makes it plain that the AI tooling now wired into triage and reverse-engineering workflows is itself an attack surface. Any text inside a sample - comments, strings, fake log blocks - is attacker-controlled input, and an LLM agent that reads it will treat it as instructions unless it is isolated from doing so. Teams using AI-assisted triage should keep a human in the loop on final verdicts and attribution, never let an agent's "give up" output close a case on its own, and isolate model context from sample content. For hunting: flag LaunchAgents using the com.apple.system.services.activity label, monitor for Telegram bot API traffic from endpoints, watch for unexpected standalone cpython-3.10.18 drops, and alert on creation of temp/collected_data.zip. Like other North Korea-aligned tradecraft folding generative AI into the toolchain, Gaslight's components appear to have been at least partly LLM-generated.
Indicators of Compromise
- macOS.Gaslight Mach-O sample (SHA-256) - 6328567511d88fdc2ae0939c5ef17b7a63d2a833881900de018a4f12f4982525
- Sibling BONZAI sample (SHA-256) - 77b4fd46994992f0e57302cfe76ed23c0d90101381d2b89fc2ddf5c4536e77ca
- Python payload script (SHA-256) - baabf249c77bc54c54ab0e66e15af798bd28aa5b4683554456a8b73ab8741239
- Bash installer script (SHA-256) - b3c56d689414343589f38394d19ba2fe9a518133281200faa0556ba4e4136394
- Ad-hoc signing identifier - endpoint-macos-aarch64-5555494492fc075f441637fb9d894913dde3a2ea
- LaunchAgent label - com.apple.system.services.activity
