Gaslight: macOS Malware Tricks AI Analyzers with Prompt Injection

On June 25, 2026, SentinelOne researchers documented Gaslight, a previously unknown Rust-based implant for macOS. The sample embeds a prompt-injection payload designed to deceive AI-assisted analysis tools, inducing them to halt or refuse analysis of the artifact. Attribution was assessed with "high confidence" to North Korea-aligned threat actors. The technique inverts traditional anti-analysis logic: rather than attacking the sandbox, the malware attacks the AI agent's perception.

How the Automated Analyst Deception Works

The core mechanism of Gaslight is a Markdown-fenced block containing 38 fabricated system messages. When an LLM-assisted triage tool processes the sample, these messages simulate session failure conditions: token expiry, out-of-memory kills, disk exhaustion, and injection warnings. The result is that the AI agent "doubts its own session state" and aborts the analysis, according to the source's technical description.

SentinelOne researcher Phil Stokes framed the key distinction: the malware "attacks the perception of the agent, rather than the sandbox in which it operates." This shifts the anti-analysis boundary from the technical-execution layer to the cognitive-perceptual layer. Traditionally, malware attempts to escape the sandbox, detect analysis, or obfuscate its behavior. Gaslight instead exploits the language model's natural input channel, manipulating the automated analyst's construction of operational reality.

The technique does not require zero-day vulnerabilities in language models. The prompt injection exploits normal LLM context-processing behavior: the model processes tokens sequentially and lacks an intrinsic mechanism to distinguish authentic instructions from injected ones, especially when the latter are formatted to resemble legitimate system messages.

Architecture and Exfiltration Chain

Beyond the prompt-injection module, Gaslight implements a 6.6 KB Python information stealer in Base64-encoded format. The script collects: Terminal history, installed applications, running processes, hardware and software profiles, Keychain data, and browser information (Chrome, Brave, Firefox, Safari). Collection occurs via a 2 KB Base64-encoded bash installer that downloads the CPython 3.10.18 interpreter from the "astral-sh/python-build-standalone" project.

Data transfer uses Telegram's "attach://" mechanism with data compressed in ZIP format. The C2 uses the Telegram Bot API in a polling loop: when two instances of the same token operate simultaneously, the platform returns a "Conflict" response. The operator configuration — bot token and chat ID — is supplied at runtime, not hard-coded in the sample. Notably, the token self-redacts in runtime output, denying it to anyone capturing logs or crash artifacts.

Persistence is managed via a LaunchAgent with label "com.apple.system.services.activity." The name choice mimics an Apple system component, reducing visibility during potential manual inspection of processes or startup plists.

Traces of Automated Generation

A distinctive element of the Python stealer is the presence of emojis and extended comment headers, which the source indicates are suggestive of generation via large language model. This suggests part of the codebase was produced with AI assistance, though the dossier does not specify which model or platform was employed.

The use of LLMs in the malware development chain is not novel in itself, but the combination with a prompt-injection module directed against AI analysis tools creates a particular symmetry: the same type of technology is employed both in the weapon's production and in its target. The brief does not document whether the 38 fabricated messages were optimized via jailbreak techniques or represent an initial empirical attempt.

"Its most notable trait is an embedded cascade of fabricated system failure messages, designed to make an LLM-assisted triage agent doubt its own session state"

Why It Matters

The dossier does not specify explicit remediation measures or validated countermeasures for this vector. The source does not describe efficacy testing of the prompt injection against specific commercial tools, limiting confirmation to the payload's intentional design. No detailed infrastructural overlaps linking the sample to previously attributed North Korean threat actor C2 infrastructure emerge in the brief: the attribution is declared but not accompanied by exhaustive technical indicators in the available text.

The initial infection vector is not described, nor are sample hashes (SHA256/MD5) known. The scale of infection, geographic or vertical targets, and existence of related variants remain unknown. The functionality of the seventh "focus" command is detected but undetermined. The brief does not document whether current LLM-assisted analysis pipelines are vulnerable to this specific prompt-injection formulation, nor whether structural filters exist capable of neutralizing the Markdown-fenced block without compromising the analysis itself.

The Shifted Boundary: From Sandbox to Artificial Perception

Gaslight's technique represents an inflection point in the relationship between malware and analysis tools. AI-assisted reverse engineering pipelines increasingly depend on LLMs for initial triage: sample classification, indicator extraction, behavior synthesis. These pipelines integrate the language model into the decision loop, creating a new attack surface where the input context becomes the battlefield.

The implicit trust — that the model processes the artifact as objective data, without the data itself being able to manipulate the processor — is violated here. This is not a matter of model hallucination, but of controlled injection into the perceptual stream. The malware does not lie to the human analyst, nor deceive the sandbox directly: it constructs a fictitious reality for the cognitive intermediary between the two.

The threat intelligence sector must now treat LLM output validation as a security layer, not merely an accuracy layer. The source does not specify which LLM context-sandboxing architectures have been tested or proposed. The absence of operational confirmations in the brief leaves the field open for countermeasure research: isolation of the analysis context, structured output verification, or redundancy with non-AI analysis for suspicious samples.

Information is based on the cited advisory and current as of publication.

Sources

• https://thehackernews.com/2026/06/new-gaslight-macos-malware-uses-prompt.html
• https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/
• https://venturebeat.com/security/ai-agent-runtime-security-system-card-audit-comment-and-control-2026
• https://nvd.nist.gov/vuln/detail/CVE-2025-68664
• https://nvd.nist.gov/vuln
• https://nvd.nist.gov/vuln/search
• https://nvd.nist.gov/vuln/categories
• https://nvd.nist.gov/vuln/data-feeds
• https://nvd.nist.gov/vuln/vendor-comments

Information is based on the cited source and current as of publication.

Sources

• https://schema.org/FAQPage
• https://schema.org/Question
• https://schema.org/Answer